Response to consultation on recommendations on outsourcing to cloud service providers
Go back
We would nevertheless formulate the following remarks:
• Recommendation 1: It should be emphasized that these recommendations apply only to activities relating to the provision of regulated financial services. All other functions like HR, supporting functions (e.g. legal services) and other business areas (like mobility, health care) possibly provided by financial institution (or a company belonging to the same group) should be out of scope of these recommendation.
• Recommendation 2:
There is not strict time limit for information obligation, which is a good approach. In the CEPS guidelines it is stated that this should be done “ in a timely manner”. If the communication is made well in advance, it is possible to give only information relating to points a-c on the list in practice. Points d-g are negotiated with vendor and can be informed later. It should be made possible to make the first notification with only a limited information (points a-c) and to supplement it later.
The obligation to include also non-material outsourced activities to the same register goes beyond what is stated at the moment in CEPS guideline. This recommendation considerably increases administrative burden. Only material activities should be included in the register. It should be up to outsourcing institutions how they keep the register for non-material activities.
Point 5.l) We would like to have more clarity regarding the concept of ‘’due diligence’’ in the context of the following sentence: “(l) date of the last due diligence on the outsourcing or subcontracting arrangement.” ?
• Recommendation 3:
Access and auditing rights are usually the most challenging part of the negotiation with cloud service providers. These requirements are not included in standard contract terms and need usually additional contractual provision. Cloud service providers usually prefer third party auditing which they can publish to all clients instead of separate audits made by every single client. The possibility to use third party certifications and pooled audit with other clients are therefore warmly welcomed.
Point 8 b) “v. The outsourcing institution has the contractual right to request the expansion of scope of the certifications or audit reports to some systems and/or controls which are relevant. The number and frequency of such requests for scope modification should be reasonable, and legitimate from a risk management perspective.” It is challenging to fulfill in practice.
• Recommendation 4: Registry of Competent authorities eligible to audit Cloud service providers could be considered, including respective contact persons. Such registry would be helpful to outsourcing institutions in various cases, e.g. outsourcing preparation, standards and policies assurance, service level monitoring and review, etc.
• Recommendation 5 and 6: Special attention should be paid to avoid inconsistencies between regulations or accumulation of similar obligations resulting from different regulations (on location of data or security for instance).
• Recommendation 7: “25. The outsourcing institution should review and monitor the performance of the overall service on an ongoing basis, regardless of whether it is provided by the cloud service provider or its subcontractors.“ We understand this requirement and the rational behind, but in practice it is demanding to supervise the whole chain of providers, since there is not a contract between the client and subcontractors. This requirement should be writen in a less binding form:
“25. The outsourcing institution should review and monitor control the performance of the overall service on an ongoing basis, regardless of whether it is provided by the cloud service provider or its subcontractors. “
• Recommendation 8: They could be more detailed on the contingency plans and exit strategies. The exit plan depends mainly on the good will of the cloud service provider (CSP) and the use of standards format that allows migration of data. Specific obligations must be imposed on CSPs regarding migration process and standardization. In our view the continuity plan should be the responsibility of the CSP and this should be reflected in the contracting of the institution with the CSP. It is up to the CSP to provide an exit solution to its customers and justification to the regulator; We suggest that the European Commission enforces services reversibility and exit strategy enablement obligation to CSPs.
• Recommendation 9: We would like to add one other topic related to subcontractors. In material outsourcing it is requested that outsourcing institution is informed and can veto in case of new subcontractors. We doubt that this is a feasible approach in cloud services, where many subcontractors are used. It would rather be helpful if outsourcing institution would be informed and have some time for consideration and then could make a decision (e.g. chose to cancel the service).
Moreover, in our opinion despite the clarification of these guidelines it is essential that the European Commission takes some initiatives to constrain CSP’s to implement a main part of EBA Recommendations in order to ensure a Cloud’s secure framework not subject to the uncertainties and imbalances of the negotiations due to the particularity of the Cloud’s actors described below.
Even if the recommendations of the EBA are essential, they should be set within the context of the cloud industry. The adoption of cloud is slowed down by the lack of clarity on the legal constraints to comply with when using cloud services. The main barrier remains the lack of confidence of customers (e.g. banks). The cloud computing leaders are mainly major US companies such as Microsoft, Amazon, Google, Salesforce or Oracle. Banks, even major banks are currently fragile in the negotiation with those companies. The principle for the providers is that cloud services are standard ones subject to standards terms and conditions imposed on the parties. Customers, in particular banks, need to be confident that they have met their needs (technical and legal) when adopting cloud services. Therefore, a reference framework is required.
We would suggest the following actions to be designed to facilitate access to cloud solutions and the development of cloud in the banking industry:
1) Ideally customers should be able to compare the different cloud solutions with an easy evaluation grid (the CSP offering standardized offers which would allow the comparison);
2) The European Commission should facilitate contracting between institutions (banking or other) and CSPs, whatever the sector.
In order to allow banks to be confident that they have met their needs when adopting cloud services, the CSPs shall provide cloud solutions certified as conforming to technical, legal and security standards defined by the banking authority or the European Commission. In our view, CSPs should have the same execution framework with all their clients (including banking institutions) and should be certified by a regulator.
Contract terms and conditions should also be standardized. The European Commission has already begun to work on a code of conduct on data protection for cloud services and on a Service Level Agreement. These initiatives could be extended to define:
• Standardized terms and conditions integrating all the provisions proposed by the EBA regarding access and audit rights, security of data and systems, location of data and data processing, chain outsourcing, contingency plans and exit strategies;
• Standardized level of security depending on the business concerned.
However, the compliance with this framework should not be placed on banks exclusively as they do not have the ability to impose their conditions to CSPs.
3) EBA should emphasize more the role of the European Commission and the key (regulatory) body to enforce regulations within CSPs.
4) Last but not least the development of European cloud services should be facilitated.
No, the scope of these recommendations is sufficient. As expressed in our previous answer, the main priority should be, in parallel to the guidelines, to help banks:
• to negotiate the contractual terms with CSPs (through standardized contracts) ;
• and to be reassured on the fact that they have met the technical, legal and security standards defined by the European Banking Authority or the European Commission when adopting cloud services (through certification of cloud solutions).
Furthermore, these recommendations should apply not only to licensed credit institutions but also to licensed and ’’non-licensed’’ payment institutions (only notifications to supervisory authority) when those are providing financial services to customers. The principle ‘’same service, same risk, same rule’’ should always apply.
Question 1: Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?
The EACB welcomes these recommendations which are clear and address the main issues of cloud services. We believe that they also represent a step forward in ensuring a common approach by regulators/supervisors regarding procedures and methodologies.We would nevertheless formulate the following remarks:
• Recommendation 1: It should be emphasized that these recommendations apply only to activities relating to the provision of regulated financial services. All other functions like HR, supporting functions (e.g. legal services) and other business areas (like mobility, health care) possibly provided by financial institution (or a company belonging to the same group) should be out of scope of these recommendation.
• Recommendation 2:
There is not strict time limit for information obligation, which is a good approach. In the CEPS guidelines it is stated that this should be done “ in a timely manner”. If the communication is made well in advance, it is possible to give only information relating to points a-c on the list in practice. Points d-g are negotiated with vendor and can be informed later. It should be made possible to make the first notification with only a limited information (points a-c) and to supplement it later.
The obligation to include also non-material outsourced activities to the same register goes beyond what is stated at the moment in CEPS guideline. This recommendation considerably increases administrative burden. Only material activities should be included in the register. It should be up to outsourcing institutions how they keep the register for non-material activities.
Point 5.l) We would like to have more clarity regarding the concept of ‘’due diligence’’ in the context of the following sentence: “(l) date of the last due diligence on the outsourcing or subcontracting arrangement.” ?
• Recommendation 3:
Access and auditing rights are usually the most challenging part of the negotiation with cloud service providers. These requirements are not included in standard contract terms and need usually additional contractual provision. Cloud service providers usually prefer third party auditing which they can publish to all clients instead of separate audits made by every single client. The possibility to use third party certifications and pooled audit with other clients are therefore warmly welcomed.
Point 8 b) “v. The outsourcing institution has the contractual right to request the expansion of scope of the certifications or audit reports to some systems and/or controls which are relevant. The number and frequency of such requests for scope modification should be reasonable, and legitimate from a risk management perspective.” It is challenging to fulfill in practice.
• Recommendation 4: Registry of Competent authorities eligible to audit Cloud service providers could be considered, including respective contact persons. Such registry would be helpful to outsourcing institutions in various cases, e.g. outsourcing preparation, standards and policies assurance, service level monitoring and review, etc.
• Recommendation 5 and 6: Special attention should be paid to avoid inconsistencies between regulations or accumulation of similar obligations resulting from different regulations (on location of data or security for instance).
• Recommendation 7: “25. The outsourcing institution should review and monitor the performance of the overall service on an ongoing basis, regardless of whether it is provided by the cloud service provider or its subcontractors.“ We understand this requirement and the rational behind, but in practice it is demanding to supervise the whole chain of providers, since there is not a contract between the client and subcontractors. This requirement should be writen in a less binding form:
“25. The outsourcing institution should review and monitor control the performance of the overall service on an ongoing basis, regardless of whether it is provided by the cloud service provider or its subcontractors. “
• Recommendation 8: They could be more detailed on the contingency plans and exit strategies. The exit plan depends mainly on the good will of the cloud service provider (CSP) and the use of standards format that allows migration of data. Specific obligations must be imposed on CSPs regarding migration process and standardization. In our view the continuity plan should be the responsibility of the CSP and this should be reflected in the contracting of the institution with the CSP. It is up to the CSP to provide an exit solution to its customers and justification to the regulator; We suggest that the European Commission enforces services reversibility and exit strategy enablement obligation to CSPs.
• Recommendation 9: We would like to add one other topic related to subcontractors. In material outsourcing it is requested that outsourcing institution is informed and can veto in case of new subcontractors. We doubt that this is a feasible approach in cloud services, where many subcontractors are used. It would rather be helpful if outsourcing institution would be informed and have some time for consideration and then could make a decision (e.g. chose to cancel the service).
Moreover, in our opinion despite the clarification of these guidelines it is essential that the European Commission takes some initiatives to constrain CSP’s to implement a main part of EBA Recommendations in order to ensure a Cloud’s secure framework not subject to the uncertainties and imbalances of the negotiations due to the particularity of the Cloud’s actors described below.
Even if the recommendations of the EBA are essential, they should be set within the context of the cloud industry. The adoption of cloud is slowed down by the lack of clarity on the legal constraints to comply with when using cloud services. The main barrier remains the lack of confidence of customers (e.g. banks). The cloud computing leaders are mainly major US companies such as Microsoft, Amazon, Google, Salesforce or Oracle. Banks, even major banks are currently fragile in the negotiation with those companies. The principle for the providers is that cloud services are standard ones subject to standards terms and conditions imposed on the parties. Customers, in particular banks, need to be confident that they have met their needs (technical and legal) when adopting cloud services. Therefore, a reference framework is required.
We would suggest the following actions to be designed to facilitate access to cloud solutions and the development of cloud in the banking industry:
1) Ideally customers should be able to compare the different cloud solutions with an easy evaluation grid (the CSP offering standardized offers which would allow the comparison);
2) The European Commission should facilitate contracting between institutions (banking or other) and CSPs, whatever the sector.
In order to allow banks to be confident that they have met their needs when adopting cloud services, the CSPs shall provide cloud solutions certified as conforming to technical, legal and security standards defined by the banking authority or the European Commission. In our view, CSPs should have the same execution framework with all their clients (including banking institutions) and should be certified by a regulator.
Contract terms and conditions should also be standardized. The European Commission has already begun to work on a code of conduct on data protection for cloud services and on a Service Level Agreement. These initiatives could be extended to define:
• Standardized terms and conditions integrating all the provisions proposed by the EBA regarding access and audit rights, security of data and systems, location of data and data processing, chain outsourcing, contingency plans and exit strategies;
• Standardized level of security depending on the business concerned.
However, the compliance with this framework should not be placed on banks exclusively as they do not have the ability to impose their conditions to CSPs.
3) EBA should emphasize more the role of the European Commission and the key (regulatory) body to enforce regulations within CSPs.
4) Last but not least the development of European cloud services should be facilitated.
Question 2: Are there any additional areas which should be covered by these recommendations in order to achieve convergence of practices in the context of cloud outsourcing?
GDPR regulations will apply from May 2018, which will have a major impact on cloud outsourcing. So far, Consultation paper has not been covering the impact of GDPR to both CSPs and outsourcing institutions. It is our recommendation to include this as an additional chapter in the document.No, the scope of these recommendations is sufficient. As expressed in our previous answer, the main priority should be, in parallel to the guidelines, to help banks:
• to negotiate the contractual terms with CSPs (through standardized contracts) ;
• and to be reassured on the fact that they have met the technical, legal and security standards defined by the European Banking Authority or the European Commission when adopting cloud services (through certification of cloud solutions).
Furthermore, these recommendations should apply not only to licensed credit institutions but also to licensed and ’’non-licensed’’ payment institutions (only notifications to supervisory authority) when those are providing financial services to customers. The principle ‘’same service, same risk, same rule’’ should always apply.