We support a risk-based approach and the strengthening of the principle of proportionality as an appropriate means to adequately accommodate the assessment of cloud outsourcing services and to allow for appropriate risk control. Further maintenance of technology-neutrality would support the continued flexibility needed for a risk-based approach that can adapt to evolving risks from potential cloud outsourcing developments.
4.2 Duty to adequately inform supervisors
EBA Recommendation 2
We recommend the EBA consider industry best practices for the process and manner of reporting material outsourced activities to competent authorities. With the proliferation of reporting obligations for financial institutions, the EBA should leverage existing reporting practices which effectively communicate the relevant outsourcing information wherever possible.
For example, under the German Banking Act, the outsourcing institution includes information on outsourcing activities in its audit reports. This arrangement has worked well to date in Germany for both the financial institution and regulator in carrying out appropriate risk management and supervisory tasks; a separate or standalone notification, which was previously utilised, has not been deemed necessary or efficient for the accomplishment of these tasks.
We encourage the EBA, in formulating its final Recommendation, to consider best practices which efficiently achieve the intent of this Recommendation and obviate the need for duplicative reporting.
Generally, we believe pre-authorisation or “nihil-obstat” from the competent authority should not be required. Such a case-by-case notification basis would not only increase time to market, but also adds no value for local regulators, who look at the overall strategy of an institution, including its generally implemented risk control functions.
A more efficient approach to ensuring that appropriate due diligence and assessments are completed prior to proceeding with a CSP outsourcing arrangement would be for regulators to focus on the robustness of an institution’s internal governance and control frameworks. Assessing an institution’s processes would address the execution of appropriate risk management practices for outsourced activities, which are necessary for adapting to the development of new and more complex levels of service in the cloud environment.
4.3 Access and audit rights
Applying the ‘traditional’ access and audit rights concept to cloud outsourcing services is a major obstacle in practice, as cloud providers strongly push back on the inclusion of the full range of access and audit provisions. This reflects the fact that CSPs are providing highly standardised services to a large volume of customers. This business model is not comparable to traditional outsourcing relationships, which are much more bespoke. At its core, public cloud is a commodity service – it is consistent no matter the client and is designed accordingly.
The right to on-site audits is not an accepted industry standard for CSPs and its introduction leads to prolonged contract negotiations. It is typically a red line for most CSPs due to issues of confidentiality and privacy of other customers’ data, and interference with the standard processes on which cloud services are provided. Further, physical access is also less beneficial given the increasing dispersion of data across facilities and even countries.
In order to more effectively meet the EBA’s objectives for this section, we encourage the EBA to consider alternate approaches which reduce potential burdens without diluting risk control. For example, moving towards regulator-driven shared assessments of CSPs on behalf of a consortium of banks would be greatly beneficial from both control and cloud adoption perspectives.
Direct engagement by regulators with CSPs to develop standardised terms that fulfil regulatory requirements has also been undertaken in recent years. This approach was used by the Dutch Central Bank with Microsoft in 2013 to make audit rights available within the Netherlands.
In Singapore, the industry is moving towards a standardised certification called the Outsourced Service Provider’s Audit Report (OSPAR) which is based on the Association of Banks in Singapore (ABS) Outsourced Service Provider Guidelines. This system allows CSPs to be certified once against a common template / set of requirements and reduces need for duplicate certifications by outsourcing institutions. OSPAR also requires that outsourcing institutions receive ongoing assurance of the operational effectiveness of controls which are discrete between the institution and the CSP.
We encourage the EBA to consider a similar arrangement for pooled audits, as it is typically challenging for outsourcing firms to arrange such audits. Rather, CSPs should be responsible for providing pooled audits and not the outsourcing institutions.
4.5 Security of data and systems
Securing legally binding service descriptions and performance standards (e.g., Service Level Agreements) from CSPs is challenging, as service providers fear the inclusion of detailed descriptions could restrict their ability to innovate and reduce flexibility. Rather, CSPs argue that a cloud service is purchased as such and that the specifics of its provision may reflect innovations and improvements over time (i.e. service descriptions tend to be in a state of flux).
While a CSP may provide certain language, the issue is that the flexibility of the cloud service can only be reflected to a limited extent in written contracts. This requirement is more representative of historic outsourcing arrangements where a “frozen service” is detailed in the written contract.
Cloud services on the other hand require flexibility in the service level and process descriptions. These descriptions are also typically highly standardised across a CSP’s client base and it is difficult to negotiate individual changes at all.
We recommend that the focus should move from securing these descriptions in written agreement to detailing roles and responsibilities for the ongoing monitoring of the provided service, with a more generic and basic description of services and performance standards in line with descriptions provided by CSPs per current industry standard.
In this arrangement, the institution would focus on monitoring and supervising the services on an ongoing basis and will require sufficient termination rights, and appropriate exit capabilities, to terminate the outsourcing arrangement in situations where the CSP develops the services in an unacceptable direction. However, with regards to the ongoing management of controls, due to the nature of cloud outsourcing we have seen the emergence of the concept of “shared responsibility”, which needs to be clearly laid out in contractual terms. For example, it may not always be the case that the CSP is responsible for the management of all the controls that affect confidentiality of data (e.g., in the provision of Infrastructure as a Service, or IaaS, the institution typically remains responsible for the controls above the infrastructure layer).
This means that roles and responsibilities for all aspects of the outsourcing arrangement and application / infrastructure system management should be agreed up front. While CSPs offer a standardised range of services as part of their portfolio, institutions may have to select the individual services they would like to use and remain responsible for managing that suite themselves, in contrast to a traditional “full outsourcing” which shifts such responsibility to a provider.
4.6 Location of data and data processing
The requirements set out in this section are the subject of data protection laws, and already covered to a large extent by the respective data privacy regulations (e.g., Directive 95/46/EC, Regulation (EU) 2016/679 (the General Data Protection Regulation), and national data protection laws). To avoid potential overlap or duplication, we recommend limiting these Recommendations to a general statement on adherence to applicable data protection laws in connection with outsourcing.
4.7 Chain outsourcing
The concept of “chain outsourcing”, or subcontracting, in the cloud service model is one where the service provider-customer relationship differs from historical outsourcing arrangements.
In particular, it is extremely difficult for a financial institution to have control of a CSP’s whole outsourcing chain, due to the more dynamic nature of the cloud environment and the larger volume of customers than is found in traditional outsourcing environments. CSPs are, understandably, reluctant to allow direct control by customers over subcontractors. CSPs at best provide to customers a standard list of subcontractors; while these lists are updated on a regular basis, they cannot be influenced at the individual client level, i.e. an outsourcing institution cannot dictate which subcontractors are acceptable. In light of this chain outsourcing environment, a number of Recommendations as written in this section may prove inoperable in practice.
Nonetheless, we fully agree that the relevant risks from subcontracting should be addressed and that subcontractors should adhere to the agreed regulatory standards. In order to more effectively mitigate the risks associated with subcontracting of cloud services, we believe a proportionate approach is merited to allow for practical solutions.
EBA Recommendation 21
While certain existing outsourcing requirements, such as AT9 MaRisk, provide an outsourcing institution with a minimum amount of leverage, it is unworkable in practice for the institution to be responsible for ensuring that the subcontractor fully complies with contractual obligations agreed to by the CSP.
Rather, given the nature and control dynamics around a cloud service’s supply chain, the CSP is better placed to effectively review and monitor a subcontractor’s compliance with the CSP’s contractual obligations.
To ensure a proper level of oversight and due diligence by the CSP over its subcontractors, the outsourcing institution could also leverage industry certifications. For example, if a CSP is certified against ISO 27001, and the certification scope is adequately defined, covers the services actually consumed, and is provided to the institution, then the standard’s supplier-relationship controls cover the supply chain elements as well. The certification should also include an external audit (e.g., the three-year certification cycle with annual surveillance audits, covering the different technology stacks).
Further, the EBA text indicates that a subcontractor must “fully comply with the obligations existing between the outsourcing institution and the outsourcing service provider”. We recommend this provision be revised to clarify that the obligation is limited to the actual scope of subcontracting connected to the CSP’s provision of service to the outsourcing institution. This approach would result in a more workable solution which addresses the risks and objectives of this section and avoids another potential source of friction between CSPs and outsourcing institutions.
However, regardless of which entity is responsible for subcontractor oversight, the outsourcing institution should be provided with sufficient transparency on the subcontractors utilised and their locations, so that a subcontractor that is not acceptable to the institution can be identified and, where necessary, trigger termination rights.
EBA Recommendation 24
We recommend the EBA text be updated to reflect this requirement is relevant for ‘material’ adverse effects on service.
In the context of chain outsourcing, we believe there is a need to clearly define which auxiliary services constitute subcontracting. This definition would help clarify discussions with CSPs and ensure consistent interpretation across competent authorities.
Generally, we also see benefit in direct engagement between regulators and CSPs. While guidelines may provide additional clarity on supervisory expectations, there remains the risk that outsourcing institutions and CSPs develop differing interpretations on requirements. This is especially relevant for requirements governing access and audit, certification of chain outsourcing activities and the content of service level agreements. These areas may become further complicated as CSPs develop new and more complex levels of service.
We therefore encourage regulators to engage directly with CSPs on financial services outsourcing requirements. Further education and collaboration between regulators, CSPs and financial institutions will foster a common understanding of industry standards and ease compliance efforts.