EBA backs 'pooled audits' for banks in new cloud outsourcing guidance
In new draft guidance on outsourcing to the cloud (25-page / 266KB PDF), the EBA said it is open to banks to participate in "pooled audits" with other customers of the cloud providers they use, or to rely on third party certifications or audit reports made available by their cloud provider in certain circumstances.
However, the EBA said that banks must ensure their cloud contracts provide national regulators with "full access" rights to the providers' business premises, such as their "head offices and operations", including to "the full range of devices, systems, networks and data used for providing the services to the outsourcing institution".
Financial services and technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said: "Many will be disappointed that the recommendations do not provide more detail about the extent to which regulators are to be granted access to cloud premises in a cloud outsourcing scenario."
"For example, while the FCA’s recent guidance acknowledges that regulators can be required to commit to minimising disruption to a cloud provider’s operations, the EBA’s document does not consider the disruption or security implications of a regulatory visit at all," he said. "This is certainly one issue that will need to be given more attention once responses have been made and before the recommendations are finalised."
When engaged in 'material' cloud outsourcing, banks must ensure that they or their auditors, as well as regulators, have rights to physically access the premises of cloud providers. The rules are designed to ensure that the same level of supervision, access to data, access to relevant personnel and access to service provider premises can be exercised in an outsourcing environment as if the regulated activity had not been outsourced.
The EBA's draft guidance sets out a distinction between the access and audit rights banks have to provide for themselves or their auditors, and the access and audit rights they have to guarantee for regulators, when engaged in material cloud outsourcing.
Banks must ensure that their cloud contracts provide "unrestricted rights of inspection and auditing of the outsourcing institution’s data" to the regulator, the EBA said, but have greater freedoms over how to provide for their own audit and access rights.
According to the guidance, banks that do not have their "own audit resources" should consider "pooled audits performed jointly with other clients of the same cloud service provider". This would help them "use audit resources more efficiently and … decrease the organisational burden both to clients and to the cloud service provider", it said.
Alternatively, "third-party certifications and third party or internal audit reports made available by the cloud service provider" could satisfy the audit requirements, provided the certifications or audit reports meet certain standards regarding their scope, currency and relevance, are in line with "recognised standards", and the banks can satisfy themselves as to the aptitude of the "certifying or auditing party", the EBA said. In addition, banks must have a "contractual right to request the expansion of scope of the certifications or audit reports to some systems and/or controls which are relevant", it said.
The EBA said banks can also agree "alternative ways to provide a similar level of assurance" to performing audits, where audits or certain "audit techniques" could "create a risk for another client's environment".
The EBA also said that cloud providers should be notified in advance when banks, their auditors or regulators wish to exercise their rights to access the providers' premises, "unless an early prior notification has not been possible due to an emergency or crisis situation". Prior notification should otherwise be given "in a reasonable time period", it said.
Ensuring effective regulatory oversight of the outsourced business function is an issue that was identified as one of seven main barriers to banks' adoption of cloud-based services in a report published earlier this year by the British Bankers' Association, which was produced in partnership with Pinsent Masons, the law firm behind Out-Law.com.
The EBA's draft guidance also, among other things, sets out how banks should determine whether their planned cloud outsourcing is 'material', and therefore whether they need to inform regulators about that outsourcing, as well as what information the banks should share with the regulators concerning the arrangement.
Further issues relating to banks' obligations regarding the location of data, data and systems security, sub-contracting, contingency planning and exit strategies are also dealt with in the draft guidance.
The EBA said: "Whereas cloud services can offer a number of advantages such as economies of scale, flexibility, operational efficiencies, and cost-effectiveness, it also raises challenges in terms of data protection and location, security issues, and concentration risk, not only from the point of view of individual institutions, but also at industry level where large suppliers of cloud services can become a single point of failure when many institutions rely on them."
"The aim of these recommendations is to: provide the needed clarity for institutions should they wish to adopt cloud computing and reap the benefits of cloud computing, while ensuring that risks are appropriately identified and managed; foster supervisory convergence regarding the applicable expectations and processes for the cloud," it said.