We welcome the effort to harmonize cloud outsourcing criteria and interpretations. In addition, the principle- and risk-based approach and the proportionality considerations seem adequate.
We also thank EBA’s efforts to adapt outsourcing recommendations to the specificities of cloud computing technology.
Moreover, the proposed flexibility seems convenient to accommodate the new challenges and ensure that these recommendations are future-proof.
However, the instrument used by the EBA, which is recommendations, that by nature are not directly applicable nor mandatory in a first instance, could introduce an element of divergence and lack of harmonization. If one of the purposes of these recommendations is to bring harmonization and avoid national regulatory and supervisory differences, technical standards or any other directly applicable instrument would have been a better option. However, in practice, the majority of competent authorities will comply with these recommendations and divergences would come from the differences in interpretation.
Also, the recommendations include a non-exhaustive list of general criteria, therefore allowing National Competent Authorities to include their own additional criteria or to have different interpretations on how to fulfill the proposed requirements. Consequently, national divergences could still be a reality. To avoid a potential lack of harmonization, we understand that the list of criteria should be exhaustive and not leave room for interpretation, while it should set explicit qualitative or quantitative values for each criteria.
It is also relevant to mention that it should be perfectly clear that neither these EBA recommendations on cloud, nor the whole SSM supervisory mechanism, applies to cloud outsourcing by financial institutions that are not under the SSM mechanism, even though the parent company is under the SSM. Instead, outsourcing by financial entities that are not under the SSM must be ruled by local outsourcing and local data protection rules.
On the other hand, it is essential to highlight that there should not be overlapping between data protection authorities (DPAs) and the financial supervisory authorities. DPAs criteria on data protection issues must prevail.
Apart from the above general comments, please find below our detailed opinion on some of the observations.
R. 4.1 (Materiality Assessment)
Despite a definition of materiality being provided, draft recommendations do not give any qualitative or quantitative criteria to objectively establish if a service is considered material or not. For the sake of harmonization and legal certainty, the recommendations should set relative and absolute terms to evaluate the materiality of a service (e.g. quantity/quality, typology of the service).
Additionally, of the four criteria indicated, only the one related to the criticality and inherent risk profile of activities to be outsourced is specific to cloud outsourcing. On the contrary, the rest of criteria to be taken into account have to be assessed in any service, even on those directly offered without any outsourcing agreement.
R. 4.2 (Duty to adequately inform supervisors)
This recommendation does not establish precisely what has to be communicated, neither the Authority/Authorities (national and/or ECB level) to be informed, nor the procedure and deadline for Authorities to accept/not oppose the outsourcing of the service. Further clarity on all of the above is needed to avoid diverging interpretations.
It should not be necessary to notify the provision of any other service within a contract already assessed by the National Competent Authority. This contract with a CSP should have been previously notified by the Financial Institution along with the underlying security conditions.
For financial institutions, it is very difficult to comply with timing conditions required by some EU member states legislation, as it is the case with Spanish Circular 2/2016 that requires Financial Institutions to notify the outsourcing one month before the initiative is in production. Moreover, timing requirements are not harmonized at EU level. In this respect, we consider the process should allow the communication to take place once the cloud initiative is in the production phase.
In relation to information to be made available to Competent Authorities, in bullet (c) it is required to inform the “country where the service is performed (including location of data)”. However, physical access to data is not coherent with the distributed nature of cloud services. Thus, these recommendations should focus on ensuring access to data from the geography of the outsourcing Financial entity and not on location of data, that is already regulated by applicable data privacy regulations.
With regard to the obligation of keeping a record of non-material outsourced activities, we consider that complying with this requirement would be burdensome and costly without providing a clear added value.
R. 4.3. (Access and Audit rights) and R.4.4 (In particular for the right of access)
These recommendations should include the possibility of replacing the access and audit right in case the CSPs hold Third Party certifications recognized by Competent Authorities. For the sake of transparency, there should be a public register of the recognized certifications and the conditions under which they would be accepted. The scope of certifications is also an important element to determine.
Certification processes would mitigate a side effect that will become relevant as CSPs have a higher number of Financial Institutions as customers. Indeed, it would be very difficult to assist auditors appointed by each of their customers, as this continuous affluence of auditors could disrupt their activities.
Moreover, given the nature of cloud services, having access to the data center where data are located is an unattainable requirement, since data are usually distributed and replicated among different data centers. Therefore, it would be more effective to require CSPs to offer mechanisms for outsourcing companies and Competent Authorities to access remotely to data, monitoring the processing of information and checking the compliance with obligations without having to get access to premises.
With regard to provision in paragraph 7 of recommendation 4.3 (“the effective exercise of the rights of access and audit should not be impeded or limited by contractual arrangements”), it should be clarified if current practices such as setting limits to the number of visits, charging costs for the exercise of this right or requiring a prior notification before giving access to the premises are seen as impediments by EBA.
R. 4.5 (Security of data and systems) and R.4.6 (Location of data and data processing)
We consider that confidentiality of information, security, continuity and data location and processing are issues already covered by specific regulations (i.e. the General Data Protection Regulation, NIS Directive) that both Financial Institutions and also CSPs shall comply with.
Therefore, this recommendation should refer to the regulations Financial Institutions must already comply with and avoid setting any additional requirement to those already established by the regulations on these fields.
It is paramount that Competent Authorities ensure a level playing field among Financial Institutions located in different Members States and also with respect to other players and industries processing data of similar or higher level of sensitivity.
R. 4.7 (Chain outsourcing)
Paragraph 21 sets that “SP should be obliged to inform the outsourcing institution on any proposed significant changes which may affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. From our point of view, the term “significant” is vague and open to interpretation.
Therefore, in order to ensure a harmonized approach, EBA should issue some guidance on the criteria to be taken into account when assessing the impact of a change. In this regard, a list of criteria to be taken into account when assessing the impact of a change is desired.
In paragraph 23 it is stated that “the notification period for those changes should be contractually pre-agreed to allow the outsourcing institution to carry out a risk assessment to consider the effects of the proposed changes before the actual change in the subcontractors or the subcontracted services comes into effect”, but it is not clear if this risk assessment is optional for the outsourcing institution or, on the contrary, if there is an obligation for the outsourcing institution to perform this new risk assessment.
As it has been argued in section 3, paragraph 12 , this reassessment would be overly burdensome from a practical perspective and therefore outsourcing institutions should keep the ability to establish their own criteria and provisions to ensure that subcontracting by CSP has no effects on the conditions of the outsourced service. In practice, it is extremely difficult for financial institutions to have control on the whole outsourcing chain.
A preferred stance to govern the relation among the Financial Institution, the CSP and its outsourcing companies would be including a clause in the outsourcing contract in which the CSP commits on passing its obligations to any company in the outsourcing chain. In case the CSP is unable to include any of these obligations in its own outsourcing contracts or the same level of compliance or security cannot be guaranteed, Financial Institution should be informed in advance by CSP, having the possibility of canceling and of requesting a modification of the service at no cost before the chain outsourcing is enforced.
Thus, the ability to assess the risk impact of the chain outsourcing should be an option contractually agreed, which the outsourcing company decides to invoke or not
once the information provided by the CSP is assessed according to outsourcing company’s own risk appetite.
Our experience shows that an effective approach to the prior information of chain outsourcing is that the CSP identifies the companies it has outsourced activities
to when signing the contract and making this information and any updates available in due time in a url agreed in the contract."
Although CSPs are not subject to direct oversight by Financial Authorities, Financial Institutions are required to ensure in their outsourcing contracts that Competent Authorities can access and audit CSPs in relation to Financial Institutions’ activities and can take control of the contract in an event related with the Recovery and Resolution Directive.
Given that introducing these requirements in contracts with CSPs, whose services are not only offered to Financial Institutions, is usually burdensome for Financial Institutions, the creation of a mechanism that guarantees that CSPs are aware of the requirements above and accept them, would ease the negotiation with CSPs and foster cloud adoption.
Moreover, this mechanism could also foresee the possibility of the CSP requiring a prior review by Authorities, whose outcome would be an opinion on their capacities and adequation to financial regulation for different types of services. In case that a Financial institution intends to outsource an activity that falls into a type of service to which Authorities have issued a positive opinion, this outsourcing could benefit from a “fast-track” notification/authorization procedure.
We believe that if this mechanism (e.g. voluntary CSPs certification or pre-approved contractual models/clauses) were offered in an optional basis and CSPs could voluntarily have recourse to it, no changes on the regulatory framework applicable to CSPs and Financial Institutions would be needed and Financial Institutions would have certainty on the services of a CSP that they are allowed to use. Other option would be that Competent Authorities accepted certifications such as the ones mentioned in the NIS Directive.
On the other hand, if Authorities identify CSPs whose capacities do not allow the outsourcing companies to comply with applicable financial regulation, their inclusion on a public blacklist of non-compliant CSPs would be very helpful for outsourcing companies.