Division Bank and Insurance Austrian Federal Economic Chamber
Consultation on Recommendations on outsourcing to cloud service providers
The Division Bank and Insurance of the Austrian Federal Economic Chamber, the legal representative of the entire Austrian banking industry, appreciates the opportunity to comment on the cited consultation document and submits the following position:
ad Q1: Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?
At this stage, the legislation and supervision applicable to the use of cloud services are the purview of national authorities, which leads to different legal frameworks across the European Union. This has multiple implications: banks may be constrained in contracting a cloud service provider located in another Member State (this is also an issue for banks active in several Member States), and banks may be at a competitive disadvantage both vis-à-vis other incumbents located in Member States with less stringent regulation and vis-à-vis newcomers. There is hence an urgent need for legal certainty and harmonisation in using cloud service providers cross-border, and for clarity and harmonisation of the supervisory requirements applicable to banks in this respect.
Presently, the following obstacles prevent financial services firms from using cloud computing service providers (CSPs). These issues can be summarised as follows:
• Cybersecurity is by far the first and most important priority as regards the use of cloud computing services, and the aspect raising the largest and most critical risks. Cyber-attacks are a constant threat nowadays, and the security measures provided by CSPs must stand up to the necessary level of security standards. However, experience has shown that CSPs’ security measures are still not as developed as financial sector companies expect and need them to be. This issue has slowed down the adoption of cloud solutions by financial entities.
• The existence of still very few credible CSPs leads to a considerable concentration risk, especially as regards cybersecurity risks. These risks will be further enhanced in the coming years, as an increasing number of financial entities are expected to transfer their data to cloud infrastructures, where the most valuable data behind their business models may reside (e.g. AI algorithms), generating large incentives for cyber criminals to act against CSPs’ infrastructures.
• Another reason slowing down the adoption of cloud solutions is the reputational risk financial entities face due to the difficulty for CSPs of ensuring compliant and secure protection of the information they store (with effects on personal data protection and privacy rules). As CSPs are not required to comply with the same regulatory and supervisory requirements as banks, in practice it is genuinely difficult for CSPs to ensure banks’ cybersecurity objectives in cloud networks.
• The lack of harmonisation in regulatory approaches across different jurisdictions and the lack of clarity in supervisory expectations hinder compliance with rules regarding the use, management and storage of customer information, and increase uncertainty in relation to the criteria for the approval of cloud projects.
• The cloud computing leaders are mainly major US companies such as Microsoft, Salesforce or Oracle. Banks, even major banks, are currently in a weak position when negotiating with those companies. The providers’ principle is that cloud services are standard services subject to standard terms and conditions imposed on the parties. Customers, in particular banks, need to be confident that their needs (technical and legal) have been met when adopting cloud services. Therefore, a reference framework is required.
These Recommendations represent a first step towards meeting the wish that guidelines be adopted to ensure a common approach by regulators/supervisors regarding procedures and methodologies, and to provide the banking sector with the necessary clarity for the adoption of cloud solutions, a step that would provide significant benefits for the industry.
Nevertheless, we would like to formulate the following remarks:
Special attention should be paid to avoiding inconsistencies between regulations, or the accumulation of similar obligations resulting from different regulations (on data location or security, for instance).
Moreover, even with the clarification these guidelines provide, it is essential for the European Commission to take initiatives to require CSPs to implement the main part of the EBA Recommendations.
We would suggest the following actions designed to facilitate access to cloud solutions and the development of cloud in the banking industry:
• Ideally, customers should be able to compare the different cloud solutions with an easy evaluation grid (with CSPs providing standardised offerings that would allow such comparison);
• The European Commission should spell out guiding principles for contracting between institutions (banking or other) and CSPs, whatever the sector.
In order to allow banks to be confident that their needs have been met when adopting cloud services, CSPs shall provide cloud solutions certified as conforming to technical, legal and security standards defined by the banking authority or the European Commission. In our view, CSPs should have the same execution framework with all their clients (including banking institutions) and be certified by a regulator.
Contract terms and conditions should also be standardised. The European Commission has already begun to work on a code of conduct on data protection for cloud services and on a Service Level Agreement. Those initiatives could be extended to define:
o Standardized terms and conditions integrating all the provisions proposed by the EBA regarding access and audit rights, security of data and systems, location of data and data processing, chain outsourcing, contingency plans and exit strategies;
o Specific obligations regarding the migration process and standardisation must be imposed on CSPs. In our view, the continuity plan should be the responsibility of the CSP and be reflected in the contract between the institution and the CSP. It is up to the CSP to provide an exit solution to its customers and justification to the regulator.
o A standardised level of security depending on the business concerned.
However, compliance with this framework should not be placed exclusively on banks, which do not have the ability to impose their conditions on CSPs.
• Last but not least, the development of European cloud services should be facilitated.
We ask you to give our remarks due consideration.
Dr. Franz Rudorfer
Division Bank and Insurance
Austrian Federal Economic Chamber