Out-Law Analysis | 26 May 2017 | 3:20 pm | 4 min. read
The draft guidance on outsourcing to the cloud (25-page / 266KB PDF) should help to reduce the administrative burdens on banks when outsourcing regulated activities to the cloud.
Those burdens stem from rules that require banks to have effective supervision and oversight of their cloud service provider, and its supply chain, when they outsource functions that are linked to regulated activities. However, there has been uncertainty within banking over the precise steps institutions must take to meet that requirement.
Some banks in the UK have considered that they have no option other than to undertake a complete review of cloud providers' sub-contracting arrangements to ensure that they comply with cloud outsourcing guidance produced by the Financial Conduct Authority (FCA).
However, the draft guidance produced by the EBA makes it clearer that such an approach is not be necessary.
Banks' rights and responsibilities when cloud subcontractors change
The EBA's draft guidance, published last week, addresses a number of compliance challenges banks face when outsourcing. Those issues reflect the seven main hurdles that banks must overcome when seeking to adopt cloud-based services flagged earlier this year in a report by Pinsent Masons, the law firm behind Out-Law.com, together with the British Bankers' Association, and include issues relating to banks' obligations regarding the location of data, data and systems security, contingency planning and exit strategies.
The EBA's paper also sets out useful guidance on audit and access rights that banks must provide for in their cloud contracts. It also contains more detailed guidance on the level of oversight banks must have of cloud providers' sub-contracting arrangements than that which the FCA has previously produced.
What the EBA guidance says on oversight of cloud sub-contracting
In its cloud outsourcing guidance, the FCA said banks that enter into outsourcing agreements, where "related to the regulated activity being provided", should "identify all the service providers in the supply chain and ensure that the requirements on the bank can be complied with throughout the supply chain".
The EBA has clarified, however, that banks do not need to pre-approve the appointment of subcontractors by their cloud providers. It deemed that this would have been "overly burdensome from a practical perspective in the context of cloud outsourcing".
Those burdens stem from the fact that "subcontracting is used extensively [in the cloud context], the cloud environment is more dynamic than traditional outsourcing environments, and due to the fact that cloud services are provided to a larger number of clients than traditional outsourcing and on a larger scale", the EBA said.
Instead, the EBA said banks should ensure that their cloud contracts specify a timeframe in which their cloud provider would provide notice of "any proposed significant changes to the subcontractors or the subcontracted services named in the initial agreement, which may affect the ability of the service provider to meet its responsibilities under the outsourcing agreement".
The notification would allow banks to "carry out a risk assessment to consider the effects of the proposed changes before the actual change in the subcontractors or the subcontracted services comes into effect", the EBA said.
The EBA said that banks do not need to secure a right to approve a change to their cloud providers' subcontracting arrangements, but should ensure they can terminate their cloud contract if they conclude that the changes "will have an adverse effect on the risk assessment of the agreed services".
Banks' duties to document cloud subcontracting arrangements
According to the EBA's draft guidance, banks must keep an up-to-date register of all their outsourcing arrangements, both "material and non-material". The register must be made available to regulators upon request, together with any "related information recorded in that register", regardless of whether the outsourced activity has been deemed by the bank as 'material'.
The EBA has set out the type of information that banks should include in their register. It said banks should include the name of the "main subcontractor" used by their cloud provider in the register, as well as the name of the country where the main subcontractor is registered, among other information.
By omission the EBA has indicated that banks do not need to maintain a record of every subcontractor used by their cloud provider.
This, together with the EBA's confirmation that banks do not need to ensure they have the right to pre-approve changes to subcontracting arrangements by cloud providers, should help reduce the administrative burden on banks as well as their cloud providers.
Expect the FCA's cloud outsourcing guidance to be updated
The EBA's proposed new guidance is open to consultation until 18 August. Finalised guidance is likely to be issued either later this year or in early 2018.
It is incumbent on banks to engage in the consultation process. The criteria that the EBA has set out regarding the level of oversight that banks need to have over their cloud providers' subcontracting is a welcome development of the provisions in the FCA's cloud outsourcing guidance.
Banks should identify the sections of the EBA's guidance that they find helpful and flag the areas where further clarity would be welcome. The EBA's final guidance has the potential to spur increased adoption of cloud-based services in the banking market.
The FCA's own cloud outsourcing guidance could be updated in light of the EBA's proposals. The FCA's guidance demonstrated that it is a global leader in helping financial firms to navigate regulatory issues stemming from innovative new uses of financial technology. The FCA guidance has been broadly seen by industry as an enabler of cloud outsourcing by banks, although there have been calls for further clarification on some areas of the guidance. Meanwhile, the EBA, and others, have been playing catch up.
However, the EBA has highlighted that firms and regulators "must make every effort to comply" with its recommendations. The additional detail the EBA has set out in respect of cloud supply chain oversight could therefore be reflected in updated FCA guidance in the future.
Luke Scanlon is an expert in financial services and technology law at Pinsent Masons, the law firm behind Out-Law.com.