The EBA had been asked by industry to provide more specific guidance during a consultation it held on draft guidance it produced earlier this year. However, the EBA decided against making such changes and has instead produced high-level guidance for banks on cloud outsourcing (78-page / 633KB PDF).
Yvonne Dunn of Pinsent Masons, the law firm behind Out-Law.com, said that it is now important that banks engage with the EBA in a follow-up process the supervisory body said it will open to seek the clarity they need.
"One of the key issues that we identified in our ‘Banking on Cloud’ report was the desire for specific guidance from regulators, to help banks get comfortable about moving to the cloud," Dunn said. "Although the EBA has acknowledged that respondents to the draft guidance felt that it was too high level and open to multiple interpretations, it is determined to retain the guidance on at a 'principles-based basis'. While this point is understood, it remains challenging for banks to assess whether they can migrate to the cloud safe in the knowledge that they are within the regulatory parameters."
"The EBA has alluded to further engagement with the sector in the form of a formal Q&A process and it is important that banks engage in that process to ask the questions they need to get clarity," she said.
The new cloud guidance addresses a number of issues that have been identified as barriers to the adoption of cloud-based services by banks. They include requirements firms face in respect of data security, confidentiality and storage requirements, oversight of supply chains, contingency and exit planning, as well as providing for data auditing and access rights of regulators.
"In our comments on the draft guidance we suggested that the guidance should provide more detail around access to cloud premises, including consideration of the disruption or security implications of a regulatory visit," Dunn of Pinsent Masons said. "However, the EBA has resisted this and has reiterated that access and audit rights can be exercised in a 'risk-based manner'. While the importance of access and audit rights is understood, it would have been preferable for banks to receive more specific guidance around this issue."
In its guidance, the EBA said that banks should be able to produce business continuity plans, exit strategies and evidence that they have the skills and resources needed to adequately monitor activities that they outsource to third party cloud providers
The EBA said banks should be able to provide national regulators with such information where the banks have engaged cloud providers in 'material' outsourcing arrangements. The banks should hold the information as part of its "risk analysis for the material activities to be outsourced" in case the regulators ask for it, it said.
The EBA's guidelines explain when banks' use of third party cloud-based solutions would amount to a 'material' outsourcing that the banks would need to notify regulators of.
In assessing 'materiality', banks should take account of four factors, the EBA said. This includes "the criticality and inherent risk profile of the activities to be outsourced", it said. That assessment would involve looking at whether the activities "are critical to the business continuity/viability of the institution and its obligations to customers", it said.
In addition, a 'materiality' assessment should also involve consideration of "the direct operational impact of outages, and related legal and reputational risks; the impact that any disruption of the activity might have on the institution’s revenue prospects; [and] the potential impact that a confidentiality breach or failure of data integrity could have on the institution and its customers", the EBA said.
Banks are required to keep a record of all material and non-material cloud outsourced activities and provide a copy to regulators upon their request, it said.
"It appears that there is a high level of uncertainty regarding the supervisory expectations that apply to outsourcing to cloud service providers and that this uncertainty forms a barrier to institutions using cloud services," the EBA said.
"The aims of these recommendations are to: provide the necessary clarity for institutions should they wish to adopt and reap the benefits of cloud computing while ensuring that risks are appropriately identified and managed; foster supervisory convergence regarding the expectations and processes applicable in relation to the cloud," it said.
The new guidelines, which build on the existing Committee of European Banking Supervisors (CEBS) guidelines on outsourcing, will apply from 1 July 2018. The EBA said last month that it plans to update the CEBS guidance, which has been in place since 2006, too.
The UK's Financial Conduct Authority (FCA) has already set out guidance on outsourcing to the cloud for banks.