Australia takes risk-based approach to cloud outsourcing regulation

In a new guidance paper, the APRA said that 'non-material' cloud outsourcings do not need to be notified or consulted on. It said, though, that banks must carry out a "materiality assessment" on all planned cloud outsourcings to determine whether their arrangements are subject to regulation. All material outsourcing arrangements need to be notified to the APRA post contract signing, it said.

"Under the outsourcing prudential standards, APRA-regulated entities are required to notify APRA after entering into a material outsourcing agreement," the APRA's new guidance on outsourcing involving cloud computing services (26-page / 856KB PDF) said. "The intent is to ensure APRA remains apprised of changes to the regulated entity’s risk profile through an understanding of the solution selected and the associated impact on the entity."

"The outsourcing prudential standards define a material business activity as one which ‘has the potential, if disrupted, to have a significant impact on the regulated institution’s business operations or its ability to manage risks effectively’. In order to meet the objective of the prudential standard, it is important that the materiality of shared computing service arrangements is properly assessed," it said.

According to the APRA, banks should "normally consider both criticality and sensitivity of the IT assets involved and the associated business processes impacted, as well as the proposed usage of the service" in their materiality assessments, including the "projected and/or aggregated materiality of the arrangement".

Once a materiality assessment has been conducted, and if cloud outsourcing arrangements are deemed to be 'material', banks must consider the level of inherent risk in the arrangements, the regulator said.

The regulator has said banks should classify risks associated with cloud outsourcings as low, heightened or extreme inherent risks. It has defined what it means by low, heightened and extreme inherent risk in its guidance, and provided examples of types of risk that would fall into each category. The level of risk identified will largely dictate whether banks need to consult with the APRA before concluding cloud contracts, it said.

"For arrangements with low inherent risk not involving off-shoring, APRA would not expect an APRA-regulated entity to consult with APRA prior to entering into the arrangement," the APRA said. "For arrangements with heightened risk, APRA would expect to be consulted after the APRA-regulated entity’s internal governance process is completed. For arrangements involving extreme inherent risk, APRA encourages earlier engagement as these arrangements will be subjected to a higher level of scrutiny."

"APRA expects all risks to be managed appropriately commensurate with their inherent risk. However, for extreme inherent risk, APRA expects an entity will be able to demonstrate to APRA’s satisfaction, prior to entering into the arrangement, that the entity understands the risks associated with the arrangement, and that its risk management and risk mitigation techniques are sufficiently strong," it said.

The guidance also highlights the APRA's expectations on banks' governance of cloud outsourcing arrangements, their process for selecting cloud-based solutions and what the institutions should have in place when transitioning to a cloud computing service.

The APRA also set out rules in relation to risk assessment and security, disaster recovery and contingency planning and on audit and access rights, among other things.

In Europe, the European Banking Authority (EBA) is currently in the process of establishing new guidance on outsourcing for financial institutions.

The EBA's consultation on draft new guidelines on outsourcing, opened in June, closed on 24 September. The new guidance will be an important document as, when finalised, it will update the existing Committee of European Supervisors (CEBS) outsourcing guidelines that have been in place since 2006 as well as separate cloud outsourcing recommendations the EBA has developed more recently, which only came into effect in July.

Pinsent Masons, the law firm behind Out-Law.com, submitted a response to the EBA's consultation on the proposed new guidance. In the response, it queried the legal basis for some of the EBA's proposals, which include plans to force banks to document non-material as well as material outsourcings.

"The EBA's legal basis for providing guidelines in respect of third party arrangements that do not concern critical or important functions is not clear," Pinsent Masons said. "We appreciate the EBA's intention to create a harmonised framework for regulatory compliance across the financial services sector. However, the EBA should avoid creating expectations for competent authorities in an area that may not be within scope of existing EU legislation."

"As the MiFID II framework limits its focus to requirements for outsourcing arrangements that relate to critical and important functions, to introduce guidelines relating to outsourcing arrangements that do not relate to critical and important functions goes beyond the role of a European supervisory authority in respect of powers to make guidelines in relation to MiFID II – the EBA is, in effect, creating additional requirements rather than providing guidelines, an activity which should be done at the legislative level in accordance with the requirements for establishing EU laws," it said.

The EBA is expected to finalise its outsourcing guidance in the coming months.