Search for:

Jump straight to:

An unexpected error has occurred

Please enter a search term

Please select

What sectors are you interested in?

We can use your selection to show you more of the content that you’re interested in.

Want to speak to an advisor from your closest office?

Find other offices

Search for:

An unexpected error has occurred

Please enter a search term

Out-Law / Your Daily Need-To-Know

Out-Law Analysis 2 min. read

EBA muddies waters on IT security in outsourcing contracts

13 Feb 2019, 2:58 pm

ANALYSIS: The IT security measures that banks and other financial institutions in Europe need to provide for in their contracts when outsourcing should be set out clearly in a single document, not spread across separate guidelines that do not correlate.

The European Banking Authority (EBA) risks confusing industry by outlining different security-related contractual requirements in its draft guidance on ICT and security risk management from those that are stipulated in its draft guidance on outsourcing.

The ICT and security risk management guidance

In mid-December 2018 the EBA opened a consultation on draft guidelines on ICT and security risk management. Their purpose is to create a harmonised approach towards technology risk management.

The EBA is mandated to create the guidelines for payment service providers under the EU's second Payment Services Directive (PSD2). It has, though, elected to apply the new guidelines to credit institutions and investment firms too, using its powers under the under the EBA Regulation to drive consistency across the financial services sector.

The draft guidelines contain specific requirements in relation to addressing ICT and security risk in contracts with third parties. According to the draft, outsourcing contracts should set out: 

  • information security objectives and measures, including minimum cybersecurity requirements;
  • specifications of the financial institutions’ data life cycle;
  • requirements regarding location of data centres;
  • data encryption requirements network security and security monitoring processes;
  • operational and security incident handling procedures including escalation and reporting; and
  • service level agreements which "ensure continuity of ICT services and ICT systems and performance targets under normal circumstances as well as those provided by contingency plans in the event of service interruption".

These guidelines are provided "without prejudice to the EBA guidelines on outsourcing arrangements".

The EBA's draft guidelines on outsourcing

The EBA developed proposed new guidelines on outsourcing in June 2018. Its consultation on that draft closed last September, and finalised guidance is due to be published before the end of March this year.

The EBA's finalised guidance on outsourcing will be a significant document. It will outsourcing guidelines that have been in place since 2006 and supersede separate cloud outsourcing recommendations the EBA developed more recently, which only came into effect in July last year.

The EBA's draft new guidelines on outsourcing address a broad range of issues. Specific requirements on the security of third party data and systems are set out and include obligations on institutions to amongst other matters: 

  • define data and system security requirements within the outsourcing agreement;
  • provide for a right to terminate outsourcing contracts where there are weaknesses regarding the management and security of confidential data, personal data or otherwise sensitive data and information; and
  • ensure that outsourced functions meet internationally accepted information security standards.

The EBA's flawed approach

The guidance on addressing third party security risks that the EBA has provided in its draft guidance on ICT and security risk management is general in nature, in contrast to some of the more specific requirements stipulated in the draft outsourcing guidelines. It is not clear why that is.

This approach, if included in the final documents, will create unnecessary administrative work for financial institutions in correlating these different obligations. It will also create unnecessary cost for technology providers in operationalising the requirements in order to best meet the needs of customers in the financial services sector. 

Scattering general requirements across two different sets of guidelines also creates the likelihood of greater uncertainty and may lead to financial institutions taking a more conservative approach to adopting new technologies from smaller technology providers that do not have the resources to correlate the requirements provided across these documents. It could also lead to differences in interpretation between authorities in different EU countries as each document is translated.

For consistency, the EBA really should look to set out a single list of security requirements within one document which can be referenced in the other. It has an opportunity to address this when it comes to finalise both sets of draft guidelines in the coming weeks and months.

Luke Scanlon is an expert in financial services and technology law at Pinsent Masons, the law firm behind Out-Law.com.  

Written by

Scanlon Luke

Luke Scanlon

Head of Fintech Propositions

+44 (0) 20 7490 6597
View Profile

Latest News

Capital gains tax for individuals on the disposal of UK shares

FAQ/redundancy – how do procedures in GB and NI differ?

Spotlight on fraud investigations as insider fraud risk rises

JCT updates design and build standard form construction contract

The substantial shareholding exemption

You might also like

Out-Law Guide

VAT treatment of UK termination and compensation payments

Broadly, subject to a few limited exceptions, since April 2022, where VAT is payable on a supply, other payments that are required to be made to that supplier under the same contract, such as early termination fees, are subject to VAT.

Tax disputes & investigations

Out-Law Guide

Lease arrears: options for landlords in Scotland

Commercial landlords in Scotland have a number of options available to them to deal with increasing levels of arrears.

Property Dispute Resolution

Out-Law News

HSE statistics reveal surge in UK work-related illness

New statistics on occupational health and safety in the UK will be “disappointing” for the Health and Safety Executive (HSE), according to one legal expert.

Health & safety

Out-Law News

UK government plans to revamp holiday pay calculation for part-year workers

Show me more

Out-Law Analysis

Pensions disputes: managing member expectations paramount

Show me more

Out-Law Analysis

UK subsidy control post-Brexit: access to effective judicial remedies

Show me more

Out-Law News

'Steps of court' settlement was not negligent, court rules

Show me more

Out-Law News

'Vast majority' of companies not seeking to avoid tax

Show me more

Out-Law News

'World first' industrial decarbonisation strategy developed in the UK

Show me more

Out-Law Analysis

3D printing: UK product safety issues

Show me more

Out-Law News

5G potential for business highlighted in UK funding programme

Show me more
We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.