While industries worldwide have been scrambling to realise the many benefits offered by cloud technology, the financial sector has held back. Uncertainty over the regulatory status of outsourcing business activities to a cloud environment has led to reticence among financial institutions, where risk management is central to compliance and essential to protecting reputations.
New guidance issued by the European Banking Authority (EBA) seeks to provide greater clarity on the supervisory expectations for financial organisations adopting cloud computing. Competent authorities (the Financial Conduct Authority (FCA) in the UK), credit institutions and investment firms must comply with the recommendations when they come into force on 1 July 2018. By incorporating these recommendations into practices, frameworks and supervisory processes, the financial sector will be able to take advantage of the benefits of the cloud.
Cloud service providers
Financial institutions are as alert as any organisation to the opportunities afforded by the cloud. It enables advanced data analytics, machine learning, and the use of distributed ledgers or blockchain, all highly valuable to the pursuit of digital transformation initiatives. However, the stringent regulatory environment of the financial sector imposes restrictions on outsourcing business activities to third parties such as cloud service providers (CSPs). These regulations were enacted in 2006 and now lack relevance to the evolving world of utility computing. Added to this, concerns over cybersecurity, data protection and the geographic location of cloud processing have all stemmed the tide of digital progress for the financial sector.
On the flip side of this cautious adoption is the growing influence of “cloud-first” fintech disruptors, start-ups that were “born in the cloud” and that are shaking up the sector, acting as both threat and opportunity for legacy financial institutions. It is vital that those institutions can engage with innovative companies that are leveraging the cloud to compete or acquire and integrate as appropriate.
Clarity or continued confusion?
The new guidance attempts to avoid institutions being hamstrung in their bid to innovate, while ensuring that regulatory standards are upheld. Fostering innovation and regulation in tandem is never an easy task; the two often appear to be pulling in different directions. In a bid to overcome this challenge, the EBA has provided recommendations that are principles-based, technology-neutral and futureproofed so organisations can incorporate them into frameworks without the risk of obsolescence. However, this high-level approach has led to criticism from some quarters, with law firm Pinsent Masons just one commentator of several to note that the EBA guidelines: “would have been more effective had they included greater detail in a number of areas where uncertainty remains as to how cloud outsourcing activities can be arranged to meet the regulatory requirements.”
The guidance takes a risk-based and proportionate stance that is appropriate to the industry, but that tries to avoid placing additional burden on organisations and CSPs in their compliance efforts.
That said, in its review of the draft guidelines issued last year, KPMG felt that banks needed to “urgently conduct a gap analysis” in preparation to meet the new recommendations and felt that “it seems clear that implementing the new guidance will present significant challenges for many banks.”
As the deadline for compliance approaches and given the potential challenges raised over the interpretation and application of the recommendations, it is advisable for boards to query their organisation’s current status on cloud outsourcing and to establish what structures are in place to meet the requirements of the new recommendations in the key areas below:
Identification of “materiality” of activities:
Prior to outsourcing to a CSP, institutions must assess the materiality of the activities they plan to locate in the cloud. If activities are critical to business continuity and their disruption could impact data protection, the organisation’s revenues, reputation or legal position, then they are deemed material, and institutions have a duty to inform the Financial Conduct Authority, providing full details of the provider, the activities to be outsourced and the full risk analysis for those activities.
Additionally, organisations should maintain a live and detailed register of all activities – material and non-material – that are outsourced to CSPs, and should be able to make this register available to the FCA alongside copies of the relevant outsourcing agreements. Tracking compliance live in this way is critical to robust audit and governance.
Security of data and systems:
Institutions must ensure that the CSP they use has appropriately robust security in place to protect data in transit, in memory and at rest, and to ensure continuity of service. This must be written into contracts and SLAs, and outsourcing institutions must be able to demonstrate evidence of competent monitoring.
Location of data and data processing:
The nature of the cloud raises the issue of cross-border data transfers. Institutions are required to adopt a risk-based assessment to establish the potential legal and compliance risks and the possible limitations around oversight related to data being stored and processed in other countries. The risk level must remain in acceptable limits throughout.
Right of access and audit:
Financial institutions must agree in writing that they, or their designated auditor, have the right of full access to the relevant CSP premises – including data centres and devices – for the purposes of audit and inspection. To reduce the organisational burden of audit to financial institutions and service providers, the recommendations make provision for the pooling of audit resources between multiple clients of a CSP. Another acceptable alternative is third-party certified audits, but the outsourcing institution must ensure that the audit is adequate in scope and in detail.
Institutions must agree with their CSP that they will be notified if, as often happens in the flexible cloud environment, the CSP subcontracts an element of its service to another provider. The CSP must ensure that the subcontracted company is capable of meeting the same obligations set out in the original agreement between the CSP and the outsourcing institution. The institution’s consent is not required, however, as it is considered that this would be impractical. The notification of a change to subcontracting gives institutions the opportunity to assess whether the new arrangements constitute an unacceptable risk and should result in the contract being terminated. Any changes must be tracked in the register of outsourced activities.
Contingency plans and exit strategies:
What will happen if the CSP fails? Outsourcing institutions must have plans in place should the outsourced provision fail or risk levels become unacceptable. These must include strategies for business continuity and for the transition of activities to an alternative solution, or their return on-premises. The institution should define, in its ongoing service monitoring and oversight of the outsourcing arrangement, the indicators that would trigger the exit plan.
Across all aspects of the new regulations, there is a focus on ongoing monitoring of the service provided and associated risk levels, to enable timely action in case of failure or a breach of terms. Boards should consider recommending a reporting structure that regularly evaluates the status of cloud outsourcing and that ensures ongoing compliance. This will be especially valuable given the principles-based nature of the guidance; organisations must be ready to respond should any queries arise from their interpretation and application.
Greater clarity over the supervisory environment for financial institutions outsourcing to the cloud should provide impetus for those that have previously resisted adopting cloud-based technology. It should also strengthen the position of those who have made the leap into the cloud, but found themselves in uncertain territory.