Out-Law Analysis | 29 Jun 2020 | 5:59 am | 5 min. read
This due diligence can help firms comply with European Banking Authority (EBA) guidance that requires them to specify the location of the services and their data in contracts for critical or important outsourcings.
The EBA's guidelines on outsourcing have applied to all new outsourcing from 30 September 2019. Firms have until December 2021 to update all existing documentation to meet the standards, which address a wide range of issues – including sub-outsourcing.
With business continuity at the heart of the EBA's guidelines, it is important to consider whether a country's response to the pandemic has increased the risk of outsourcing services or data to that country
Among the various new requirements brought in under the EBA's guidelines, firms must ensure the location from which that service "will be performed and/or where the relevant data will be kept and processed, including the possible storage location" is specified in all "critical or important" contracts. The service provider must also notify the firm if it proposes to change the location. This requirement is one of a number of contractual terms that the EBA views as essential for these business critical outsourcing arrangements.
Location is a core concern for the EBA from the point of view of its ability to supervise the outsourced activity. From a data security perspective in particular, the regulatory standards imposed on suppliers in third countries may not meet the robust standards expected of European banks and financial institutions.
It is worth remembering that, while the contractual requirements on location are limited to the "critical or important" outsourcing arrangements, the guidelines' record keeping requirements apply across the board to all outsourcing arrangements firms put in place. Firms must keep a record of the country from which the service is performed, including the location of the data. For that reason, firms should consider including a contractual obligation on a service provider to notify the firm of any change to the location of the services or data in all outsourcing contracts so that the firm's records are kept accurate throughout the outsourcing.
Firms will already be familiar with requirements to ensure that the location of personal data is clearly defined in a contract under the General Data Protection Regulation (GDPR). However, the EBA guidelines are broader and require the contract to include the location details of all data processed by a supplier on behalf of the regulated institution where there is an outsourcing of a critical or important function.
If the service provider processes data across different regions, for example in a primary data centre in the UK and a back-up centre in Ireland, then both locations should be listed. In addition, firms should consider whether the service provider uses a sub-contractor to process data on its behalf, and if it does, the location of the sub-contractor and its processing activities should be included as well.
The prospect of disclosing the location of a data centre will naturally raise concerns from a security perspective. After some feedback on this point during the EBA's initial consultation, the guidelines were clarified so that only the country or region must be recorded, not the precise location of the data. Therefore, the location of the data can be set out in broad terms to a country or region, for example, 'the EU'.
Before any outsourcing commences, the guidelines require firms to undertake a pre-outsourcing analysis. This requires, amongst other things, a risk assessment of the potential additional risks associated with the location of the service or data. The EBA expects firms to factor into their risk assessments additional safeguards where the service provider is located in a country based outside of the EU. For example, the firm should consider the potential difficulty in accessing the data for the purpose of oversight and audit – by both the firm and its regulators – and enforcing a court judgment in that service provider's location.
The location of data and the assessment of the risk in a particular location is not a one-off compliance measure. The location should be documented in the firms' outsourcing register and regularly reviewed and assessed to ensure ongoing compliance in light of any change in legal or political circumstance.
Countries that are located outside of the EU are considered to be 'third countries'. The EBA has said: "With regard to outsourcing to service providers located in third countries, financial institutions are expected to take particular care that compliance with EU legislation and regulatory requirements (e.g. professional secrecy, access to information and data, protection of personal data) is ensured and that the competent authority is able to effectively supervise financial institutions". Firms will have to require outsourced service providers to comply with confidentiality and GDPR obligations that are equivalent to EU standards and ensure that regulators can exercise their rights of access and audit at the premises from which the services are provided.
In addition, the EBA requires institutions to "take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct". In particular, where the service provider and their sub-contractors are based in a third country , firms should be satisfied that the service provider is acting in an ethical and socially responsible manner and adheres to international standards on human rights, environmental protection and appropriate working conditions, including the prohibition of child labour.
This obligation applies to all outsourcings and will require the firm to ensure that the service provider is compliant with these international and EU legal requirements and with any internal policies or codes of conduct that the firm has in place. With existing arrangements, it may be very difficult for a service provider to renegotiate terms with their subcontractors to meet this requirement.
The additional contractual requirements that firms now have to put in place may cause a compliance issue where firms are outsourcing to small cloud providers located outside of the EU.
The low cost cloud model does not easily accommodate individual customers' specific requirements, even where these flow from a sector wide regulatory regime. Indeed, the many benefits that cloud services can offer are often taken on the understanding that there will be very little room for the negotiation of contractual terms or take on of additional risk. Many cloud providers in third countries will simply not be able to change their processes or internal policies to meet the EBA guidelines.
With this in mind, a number of the larger cloud services providers are now well versed in the contractual requirements of the EBA guidelines and are now looking to get ahead of their customer's contractual remediation projects. As we saw with the application of GDPR in 2018, some cloud providers have updated their existing standard terms and conditions to incorporate their interpretation of the guidelines' requirements.
It goes without saying that Covid-19 will have a lasting impact on the approach taken to business continuity planning. With business continuity at the heart of the EBA's guidelines, it is important to consider whether a country's response to the pandemic has increased the risk of outsourcing services or data to that country. Firms should look at how certain countries have dealt with the pandemic, and what measures they are putting in place to prevent a resurge, as part of their risk based approach for existing and new outsourcing arrangements.
Additional reporting by Carolyn Lang of Pinsent Masons.
22 Jun 2020