EBA cloud paper: when financial institutions must notify regulators

Out-Law Analysis | 06 Mar 2018 | 3:45 pm | 7 min. read

ANALYSIS: Banks cannot make assumptions about the precise steps they need to take to notify regulators about their cloud arrangements. There are high regulatory and commercial costs for banks that do so and get it wrong.

The high level of clarity that banks need from law makers and regulators is illustrated in recommendations published by the European Banking Authority (EBA) in December 2017.

The recommendations contain direction for banks and investment firms on meeting regulatory requirements when outsourcing to the cloud, and highlight the issues a number of financial institutions asked the EBA for clarity on in response to the draft version of the recommendations the regulator consulted on last year.

Among the issues that industry asked for greater clarity on were the extent of their duties to adequately inform regulators about 'material' cloud outsourcing arrangements, and the information that they must document about cloud outsourcings in a register.

The duty to inform

In its recommendations, the EBA has set out a minimum list of details that firms must inform regulators about in relation to material cloud outsourcing arrangements. Those details range from the name of the service provider, a description of the activities and data being outsourced, the countries where data will be located, as well as the dates that services commenced and contracts were renewed and are due to expire.

However, the EBA faced calls from some within industry to limit what needs to be notified.

Some financial institutions, it said, had argued that the notification requirement should extend only to "communication of contractual agreements with cloud service providers once signed, and the security policy and criteria agreed by the outsourcing institution and the cloud service provider".

However, the EBA rejected those calls. It acknowledged that its ability to be flexible on these matters is restricted by the fact that its cloud guidelines must be set out within the context of broader guidelines on outsourcing that have been in place since 2006 – the Committee of European Banking Supervisors (CEBS) guidelines.

The EBA said that there is a "need for completeness in the information process". To this end, it further rejected calls from financial institutions that said that they should not be obliged to update regulators on every minor change that might take place to cloud services where the regulator has already "reviewed and validated the underlying conditions and obligations" of the cloud contract.

Financial institutions have cause to be frustrated that the requirements in this area are quite prescriptive and perhaps not proportionate to the risks.

However, there was a positive clarification from the EBA that, within their notifications, financial institutions do not need to provide exact locations of servers on which data will be stored and processed in the cloud. Perhaps recognising the associated security risk of such a disclosure, the EBA said financial institutions only have to inform regulators of the names of the countries in which data may be held.

Disclosures about business continuity plans and skills

In addition to having to proactively inform regulators about material outsourcing arrangements, financial institutions must also disclose "additional information on its risk analysis for the material activities to be outsourced" when requested to do so.

Regulators may, for example, ask financial institutions "whether the cloud service provider has a business continuity plan that is suitable for the services provided", according to the EBA's guidance.

In response to queries from industry on what that requirement entails, the EBA said that financial institutions do not need to provide regulators with a copy of their cloud provider's business continuity plan or gain approval for it - they only need to refer to its existence.

This will be a relief for financial institutions who might otherwise find it challenging to obtain a copy of the full details of a cloud provider's business continuity plans to hand over to regulators.

Other information that financial institutions could be requested to disclose to regulators includes information regarding whether they maintain "the skills and resources necessary to adequately monitor the outsourced activities". However, some financial institutions said they were unsure what constitutes 'necessary skills and resources' for such oversight.

On this point, there has been a lot of conjecture. Some within industry have been unsure whether they need to have employees internally who understand all the processes the service provider has in place for carrying out the outsourced activities, and/or whether they also need to have a grasp of the underlying technology used.

The EBA said each business has "sufficient flexibility" to determine the skills it needs to monitor its cloud outsourced activities. There is perhaps an opportunity here for cloud service providers to assist banks and investment firms in understanding more about the nature of their services so that those businesses can meet this regulatory requirement.

The register of cloud outsourcing arrangements

Financial institutions need to maintain a register containing certain information about their cloud outsourcing arrangements. They must share information documented in their register with regulators when requested to do so.

A non-exhaustive list of the type of information firms should document in their registers is set out in the guidance. Financial institutions should note, for example, what type of outsourcing they have entered into, the EBA said.

Despite the list, there has been an element of uncertainty within industry about exactly what information needs to be documented.

Firstly, the EBA clarified that the information that needs to be included in firms' registers should relate to all cloud outsourcing arrangements at "institution and group level", whether 'material' or not. This marks a difference from the requirements that apply in relation to a financial institution's duty to inform, where only material outsourcings need to be notified to regulators.

The requirement to maintain a register is, the EBA said, related to the wide remit that financial regulators have to monitor for 'concentration risk' – that is, the broader risk to the whole financial system should a large number of firms be reliant on just one or two major service providers.

The EBA also said that the requirements to document cloud outsourcing arrangements in a register do not apply retrospectively – they apply going forward, from the date that new cloud agreements are put in place, or when revisions are made to existing arrangements.

Further, it said that if financial institutions already maintain a general register, they can include information about their cloud outsourcings on that. They do not, in those circumstances, need to maintain a separate register for cloud outsourcings.

The EBA clarified that firms do not need to disclose the detail of outsourcing contracts in their register, but should document their existence.

In its draft guidance, the EBA had proposed that firms list the name of the "main subcontractor" relied upon by cloud providers to deliver the outsourced services. In its finalised guidance, however, the EBA said that firms should list the names of "any subcontractors" involved.

This will mean, for example, that banks that use smaller 'software-as-a-service' (SaaS) cloud providers that rely on bigger infrastructure-as-a-service (IaaS) providers to deliver their services will need to know the names of those subcontractors. This could prove challenging for users of SaaS providers given the often complex nature of their supply chains.

Industry also asked the EBA for some clarity over the requirement to record in the register whether the cloud service provider or its subcontractors support business operations that are "time critical". Some financial institutions were unsure what operations would be said to be 'time-critical'. In its paper, the EBA said the term refers to "those business operations that have been defined in the outsourcing institution’s own risk assessment as time critical (in terms of RTO, RPO, etc.)".

A further item that needs to be included in the register by firms is "evidence of the approval" for outsourcing given by their "management body or its delegated committees, if applicable". The EBA clarified, however, that if sign-off for cloud outsourcings does not come from such a body or committee, then there is no need for those firms to change their approach to governance just to satisfy the regulatory requirement to document approval in the register.

In their register, firms must also include the date that they last carried out a "materiality assessment" of the activities being outsourced.

Some within industry were unsure how often they were required to carry out this assessment. The EBA said that there is no set requirement in this respect, and that it is open to each firm to determine when it is appropriate to conduct such assessments "taking into account the nature of the activities outsourced and the specificities of the arrangements and the cloud services context".

There was also uncertainty within industry about the requirement to include "an assessment of the cloud service provider’s substitutability (as easy, difficult or impossible)" in the register.

Some argued that the ease with which they could substitute one service for another should be determined with reference to how long it takes to make the switch. However, the EBA said a broader assessment is needed.

"The time component is not the only element that determines substitutability, and ultimately the assessment remains at the discretion of the outsourcing institution," the EBA said. "The term ‘substitutability’ refers to the ease and speed with which the outsourcing institution can change from one cloud service provider to another for a particular service or activity."

The EBA also said that there is no minimum frequency for reviews of subcontracting due diligence assessments. It is up to firms to make that call themselves, but they need to include the date of their last risk assessment in the register.

Firms should speak to their national regulator to get more clarity on how often these assessments and reviews should take place. The frequency will differ depending on risk and therefore change on a firm-by-firm basis.

Luke Scanlon is an expert in financial services and technology law at Pinsent Masons, the law firm behind Out-Law.com.