Out-Law / Your Daily Need-To-Know

Out-Law News 4 min. read

EBA urged to follow Singapore's approach to the regulation of cloud outsourcing by banks


Banks should not be required to notify regulators before they engage in material cloud outsourcing arrangements, international law firm Pinsent Masons has said.

Pinsent Masons, the law firm behind Out-Law.com, has called on the European Banking Authority (EBA) to follow the example set by the Monetary Authority of Singapore (MAS) in rules MAS has prepared for firms on outsourcing to the cloud. The recommendation was contained in a response the firm submitted to an EBA consultation on draft guidelines on outsourcing to the cloud which closed last week.

Under the Singapore regime, financial firms that wish to enter into "material outsourcing arrangements" are not obliged to pre-notify MAS of those plans. Instead, the firms must be able to demonstrate their compliance to the regulator, including through submissions of the register they need to keep of material outsourcing arrangements at least annually or upon request.

In contrast, the EBA's proposed in its draft guidance that banks should notify 'material' cloud outsourcing arrangements to regulators and disclose certain information concerning those arrangements with them too prior to entering into those contracts.

Pinsent Masons said the "reasoned approach" taken by MAS should be favoured, and said that it did not see anything in EU regulations to prevent financial regulators in Europe "taking a similar approach".

"MAS places the onus on regulated institutions to exercise appropriate due diligence before engaging an outsourcing provider and to be ready to demonstrate compliance whenever called upon by the regulator," Pinsent Masons' response to the consultation said. "Accordingly, MAS imposes specific requirements around the extent to which financial institutions must notify when an event has taken place which has an adverse impact on the service provided but does not require notification before the arrangement is entered into."

"The approach taken by MAS is more consistent with the role the regulator has in intervening when appropriate in accordance with the regulatory framework, as regulators do not have, in contrast, a general role of continuously monitoring technology outsourcing arrangements on an ongoing basis," it said.

Pinsent Masons also said that the EBA should reconsider plans to require banks to notify regulators each time they buy new services from a cloud provider.

"We recommend that the EBA introduce a proportionality test which focuses on the identity of cloud service providers and not only the connection between the type of technology arrangement that is outsourced and the regulated activity it supports," Pinsent Masons said. "Where a bank has engaged a cloud service provider and gone through a full risk assessment, adding on new services from that same provider need not be subject to the same notification requirements where changes to the risk profile are minimal. Requiring notification in these circumstances creates an unnecessary administrative and cost burden."

In its consultation response, Pinsent Masons also addressed the access rights and auditing arrangements that firms are obliged to have in place in the EU.

When engaged in 'material' cloud outsourcing, banks must ensure they, or its auditors, as well as regulators, have rights to physically access the premises of cloud providers. The rules are designed to ensure that the same level of supervision, access to data, access to relevant personnel and to service provider premises can be exercised in an outsourcing environment as if the regulated activity was not outsourced.

Pinsent Masons urged the EBA to adopt a more proportionate framework around audit and access rights that firms should need to provide for. Specifically, it called for the EBA to endorse remote access and auditing in place of physical inspections at cloud providers' premises, such as data centres.

"The EBA should focus on the principle of proportionality in making recommendations regarding the extent to which auditors and regulators require access to information and premises in order to conduct audits of cloud services and acknowledge that rules which are necessary in other auditing contexts are not appropriate and need not be followed in a technology service provision context," Pinsent Masons said.

"As a key example, the value of physically inspecting data centres in terms of assessing the risk of the services being provided is widely acknowledged as being extremely low. We recommend that the EBA highlight this more forcefully and indicate that regulators can conclude that effective access to premises can take place without physically entering those premises so long as auditors have access to the systems and data processed at those premises and by virtual means can determine whether sufficient organisational, operational and technical measures have been put in place and followed in a manner that will enable the bank to meet is regulatory requirements and provide services to its customers at the level expected of a regulated entity," it said.

In its draft guidance, the EBA said it would allow banks to participate in "pooled audits" with other cloud customers, or rely on third party certifications or audit reports made available by their cloud provider. However, it said that banks must ensure their cloud contracts provide national regulators with "full access" rights to the providers' business premises, such as their "head offices and operations", including to "the full range of devices, systems, networks and data used for providing the services to the outsourcing institution".

Pinsent Masons said it welcomed the move to enable pooled audits to be completed, but urged the EBA to "set out the key elements of an effective arrangement for a pooled audit and the extent to which the cloud service provider can take on a coordinating role in this respect".

It also said that the EBA should adopt guidance already developed by the UK's Financial Conduct Authority (FCA) in relation to "the extent to which a cloud service provider can limit access to certain premises and at certain times for security reasons".

Financial services and technology law expert Luke Scanlon of Pinsent Masons said: "As legal advisers to both banks and leading cloud service providers we see many opportunities for banks to benefit in terms of cost efficiencies to be gained and ability to innovate through further clarification of the regulatory framework. We call on the EBA to take a leadership position in promoting an approach to the use of cloud technology by banks in a manner that favours effective risk management rather than an overly literalist approach towards interpretation of regulation."

"Our view is that unduly restrictive interpretations have been taken by regulators in a number of EEA jurisdictions as a result of a lack of understanding of how cloud arrangements differ from traditional outsourcing arrangements," he said.

Earlier this year, seven main barriers to banks' adoption of cloud-based services were identified in a new report by the British Bankers' Association, which was produced in partnership with Pinsent Masons.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.