Given this background, the guidelines make clear that institutions need to be aware of performance issues that may affect their data as they arise, rather than relying solely on formal assessments such as annual audits. This can likely be achieved through a layered approach, such as regular reporting, review and governance frameworks within their outsourcing agreements.
Data processing and storage locations
The requirements in respect of data storage and processing locations form part of the wider oversight expected of institutions in respect of their outsourced data.
The ambit of these requirements goes beyond personal data, and indeed the guidelines call out that they are without prejudice to the application of the GDPR where personal data is concerned. The requirements should therefore be viewed as distinct from those under the GDPR, and as applying to 'data' in a wider sense, including an institution's confidential, personal and otherwise sensitive information.
However, compliance with these requirements – in particular the requirement for service providers to keep institutions notified of any changes to the storage or processing locations – can be challenging for suppliers. This is especially the case where suppliers are providing cloud services, or are reliant on cloud services within their supply chain.
Ensuring the accessibility of data
Paragraph 75(g) of the guidelines requires agreements for critical or important outsourced functions, where relevant, to include provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data.
These requirements cast a wide net and are expressed in large part at a principles level. This in turn means they are open to interpretation and translating them into compliant contractual obligations can be challenging for institutions as well as suppliers. It seems that the guidelines go further than requiring the supplier to adhere to data security obligations.
The need to ensure 'accessibility' of data, for example, suggests that institutions may need to secure contractual rights to facilitate access to their data held by suppliers. This interpretation would seem to be supported by the need under paragraph 75(m) for institutions to ensure they 'can access' their data in distressed scenarios. Further support for this may lie in the theme of ensuring continuity of supply of services to an institution's customers mentioned above.
From the supplier perspective, there is, perhaps understandably, a reluctance to grant institutions broad access rights to their data, at least in circumstances where it is 'business as usual'. This is a common point of negotiation with suppliers.
With this in mind, it would be helpful if the EBA could provide guidance on the point so as to provide greater clarity for all parties and achieve the consistency of approach that the EBA is seeking as one of its objectives underlying the guidelines.
Termination right
Paragraph 98(d) of the guidelines requires critical or important outsourcing arrangements to allow institutions to terminate the arrangement where there are weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information.
A 'weakness' in the management and security of relevant data does not, on a strict reading at least, equate to a 'breach'. That said, in practical terms, if an institution's contractual provisions relating to the management and security of data are robust, it may well be that a weakness might indeed point to breach.
Nonetheless, due to the 'terminal' effect this requirement can have on a contract, it often leads to a degree of negotiation with suppliers. It therefore makes sense for institutions to examine how the requirement can be satisfied: for example, by carefully defining the key data monitoring and security obligations needed in the context of the services being provided, and by providing for a termination right for a breach of those specific obligations, perhaps after a process allowing for remediation of the breach where that is feasible.
Operational resilience
Operational resilience of financial institutions is a topic that regulators are increasingly turning their attention to, not least because it has been drawn into sharp focus by the impact of Covid-19. Compliance with the control mechanisms for outsourced activities involving data as mandated by the guidelines should have the effect of bolstering relevant aspects of the operational resilience of institutions that are reliant on them.