The European Banking Authority (EBA) launched a consultation setting out its guidance for the use of cloud service providers by financial institutions. The EBA Recommendations intend to clarify the EU-wide supervisory expectations if institutions intend to adopt cloud computing, so as to allow them to leverage the benefits of using cloud services, while ensuring that any related risks are adequately identified and managed. The consultation runs until 18 August 2017.
The growing importance of cloud services as a driver of innovation and the increasing interest in the use of cloud outsourcing solutions within the banking industry have prompted the EBA to develop these Recommendations on its own initiative. This guidance, which builds on the existing Guidelines on outsourcing developed by the Committee of European Banking Supervisors (CEBS), provides additional clarity on cloud computing.
In particular, the Recommendations address five key areas: the security of data and systems, the location of data and data processing, access and audit rights, chain outsourcing, and contingency plans and exit strategies.
“Due to the specificities of cloud outsourcing, the recommendations include guidance on the security of the data and systems used. They also address the treatment of data and data processing locations in the context of cloud outsourcing. Institutions should adopt a risk-based approach in this respect and implement adequate controls and measures such as the use of encryption technologies for data in transit, data in memory, and data at rest,” the Consultation Paper says.
“The recommendations include specific requirements for institutions to mitigate the risks associated with “chain” outsourcing where the cloud service provider subcontracts elements of the service to other providers. The use of subcontractors by the cloud service provider should not affect the services provided under the outsourcing agreement, and appropriate arrangements should be in place for the orderly transfer of the activity, data or services from the subcontractor to another service provider if needed.”
“Contingency plans and exit strategies form an important part of any cloud outsourcing arrangement. The recommendations provide guidance for institutions on the contractual and organisational arrangements for contingency plans and exit strategies in the context of cloud outsourcing.”
The Recommendations are addressed to credit institutions, investment firms and competent authorities. The EBA, in its follow-up work, will explore the possible applicability of the provisions laid down in these Recommendations to other types of regulated entities.
For more details download the Consultation Paper: Draft recommendations on outsourcing to cloud service providers