The EBA’s guidance on cloud outsourcing will soon be finalised. It is likely to require a significant compliance effort from many banks – and their outsourcing providers. Banks should act now to prepare for implementation. They should also consider the impact of the new guidance on any technology investments they may be planning in response to PSD 2 and Instant Payments.
May 2017 saw the EBA launch a consultation on its guidance for cloud outsourcing. The consultation period closed on 18 August, and we expect the final guidance to be published during the first quarter of 2018.
The EBA’s aim is to clarify supervisory expectations for institutions using, or planning to use, cloud computing. The underlying goal is to allow firms to realise the benefits of cloud services, while ensuring that any related risks are identified and managed in a harmonised way.
The new guidance builds on existing supervisory requirements, which have been in place since 2006. These apply to all outsourcing arrangements and were originally developed by CEBS, the EBA’s predecessor. The new rules will apply proportionately to the same institutions as the existing requirements (credit institutions and investment firms), according to the size and nature of their cloud outsourcing arrangements.
Our analysis of the draft guidelines suggests that implementation will require most banks to complete five key stages. These are:
KPMG member firms can support banks, and service providers, at each of these stages. That includes supporting materiality assessments, helping to create contingency plans and providing assurance over the security of data and systems outsourced to the cloud.
In addition to the main guidance, banks will need to ensure they are compliant with the EBA’s requirements on access rights and audit rights. The guidance expects outsourcing banks and their supervisors to retain the right to audit cloud outsourcing operations, and to obtain physical access to cloud providers’ premises.
It remains to be seen exactly what form the final guidance will take, and how it will be applied by joint supervisory teams. Even so, it seems clear that implementing the new guidance will present significant challenges for many banks. Most institutions that use cloud computing will already have controls in place, but this is the first time that they will need to comply with a formal framework. Furthermore, the requirements reach beyond regulated institutions to include outsourcing providers themselves. The guidance also stipulates that chain outsourcing (subcontracting by a cloud service provider) should never affect service levels.
In our view, banks should urgently conduct a gap analysis of their current outsourcing controls, if they have not done so already. They should then prepare themselves to be able to move forward rapidly to implementation once the final guidance appears. Some may want to consider making changes to their plans for cloud computing.
Finally, there is a strategic aspect for banks to consider. As they prepare for SEPA Instant Payments and the revised Payment Services Directive, many banks are contemplating the improvement or replacement of core systems. Cloud outsourcing, which can make such changes faster and easier to achieve, is likely to play an important role. Banks should therefore consider the impact of the new guidance on their new arrangements, and the value of taking a joined-up approach.