The EBA's cloud recommendations leave banks expecting more

The regulator's recently finalised recommendations for financial institutions on cloud computing  would have been more effective had they included greater detail in a number of areas where uncertainty remains as to how cloud outsourcing activities can be arranged to meet the regulatory requirements.

A strained message from the EBA

The EBA cites technological neutrality and future-proofing concerns as the reason for not providing more detailed direction. At the same time, however, the EBA makes clear that in its view the recommendations must be read as subordinate to a pre-existing broader set of financial guidelines on outsourcing that have been in place since 2006 – the Committee of European Banking Supervisors (CEBS) outsourcing guidelines.

This comes across as a strained approach to addressing market concerns about a regulatory regime that lacks clarity. How useful can it be to attempt to future-proof recommendations while at the same time refuse to move away from the language constraints imposed by a set of 12 year old guidelines?

A better approach may have been to address the underlying regulatory requirements themselves rather than focus too much on how those requirements were interpreted in guidelines in 2006. 

Not all cloud arrangements are the same

The EBA's commitment towards 'future-proofing' its cloud guidance has meant that it has removed references to 'SaaS', 'IaaS' and 'PaaS' models of cloud computing which it had individually defined in its draft guidance. Now, the EBA refers to each of those models using the generic term of 'cloud service models'.

The problem with this approach is not that it has recognised the evolving nature of cloud computing. SaaS, IaaS and PaaS models are no longer the only cloud computing models on the market. The issue is that, the EBA, by using a generic term for all the models, fails to help firms take a risk based and proportionate approach towards compliance.

Engaging one of the world's largest technology providers in a public cloud-based infrastructure scenario is very different, and requires a very different discussion and set of controls to be put in place, than that required when engaging an innovative cloud-based software provider that knows little about regulation. Failing to help firms to understand how they can be flexible in meeting the requirements of risk assurance frameworks they have in place hampers their ability to adopt new and innovative solutions. 

Towards a harmonised framework

On the positive side, the EBA has confirmed that it is committed to "the creation of a harmonised global technology risk framework" for cloud outsourcing. A global framework would be a great advancement for banks and investment firms that operate across different jurisdictions.

The EBA has confirmed that it is "involved in the work of international bodies" on the issue of regulatory convergence. It would be a great benefit to firms and their advisers if the EBA was more transparent about its involvement and provided details of who it is working with, and which industry bodies are involved, so that stakeholders can focus their resources on feeding into key projects which may help in developing global standards.

Building on previous materiality assessments

A further positive aspect of the EBA's paper is its confirmation that firms do not need to carry out full new materiality assessments each time there is a change made to outsourcing arrangements. Firms are able to build on previous assessments they have carried out "in the case of very similar new cloud outsourcing activities" they enter into. This will help reduce burdens for businesses.

The EBA also clarified that its guidance does not apply retrospectively. This means that firms do not need to re-evaluate existing cloud outsourcing arrangements.

Luke Scanlon is an expert in financial services and technology law at Pinsent Masons, the law firm behind Out-Law.com.