The European regulator highlighted risks associated with "chain outsourcing" for banks adopting cloud-based solutions in a new report on the prudential risks and opportunities arising for institutions from fintech (56-page / 825KB PDF).
The EBA said: "In an outsourcing environment, such as the provision of public cloud services by a global CSP (cloud service provider), the issue of transparency on chain outsourcing is another area to be taken into consideration. For example, the use of subcontractors from a high-risk area/country could negatively affect the wider operational risk and reputation risk of the institution."
"Moreover, the institution’s competence in sufficiently controlling the technological infrastructure used by a CSP could affect the ICT outsourcing risk of the institution. Therefore, the necessary skills and resources to adequately monitor these outsourced activities would become even more important," it said.
The EBA also highlighted the potential for "macroprudential implications" should "a significant number of institutions use the same CSP’s infrastructure", and further called on institutions to manage the risk of "vendor lock-in".
"Another possible risk that could arise through the use of core banking/payment systems in the public cloud is vendor lock-in, whereby institutions, be they incumbents or new entrants, may find it difficult to exit and migrate to a new CSP or re-initialise a service," it said. "In addition, potential concerns about moving to alternative CSPs (e.g. possible substandard performance or interruption of supplier service) may deter institutions from adequately addressing this risk."
"In line with the EBA recommendations on outsourcing to CSPs, appropriate contingency plans and exit strategies are important to increasing trust and resilience, and therefore to the adoption of cloud outsourcing," the EBA said.
It said outsourcing to the cloud is likely to increase IT outsourcing risks for institutions in areas such as governance, compliance, adequacy of resources, business continuity plan, information security, access management, data management and contract management.
"When an institution starts to offer services processed in the public cloud, the implementation of information security management (including access management), encryption key control, encryption, authentication (including multi-factor), cyber-security and configuration of technical infrastructure are of vital importance," the EBA said. "The institution will always remain responsible for its operations, regardless of the use of outsourcing. Operational risk could be high if the institution trusts and relies solely on the CSP to implement all the right security controls."
The challenges involved in migrating core banking and payment services to the cloud from legacy IT systems were also highlighted.
The EBA said: "In the case of an existing institution, a potential move to the cloud will involve a technical migration of its offered services into the cloud. This involves the translation of databases into the core banking/payment provider’s format and copying them into the cloud as well as significant modifications to a variety of business applications that remain in the institution’s data centres."
In its report, however, the EBA did point to the opportunities that outsourcing to the cloud offers financial institutions, such as "the flexibility provided by cloud infrastructure along with the lower-cost environment, scalability and agility". The EBA acknowledged the cost versus security dilemma that financial institutions face when considering using cloud-based solutions.
"For applications for which security is of prime concern, a private cloud could be considered preferable, as it allows the most flexibility in data processing and security," the EBA said. "On the other hand, private clouds are typically less scalable and more expensive than public clouds. As a result, some institutions may prefer a hybrid model, where some activities could be performed in the public cloud while more sensitive activities (including hosting of sensitive data) could be performed in a private cloud."
The EBA is currently in the process of updating its guidance on outsourcing for financial institutions. It recently opened a consultation on proposed new Committee of European Banking Supervisors (CEBS) guidelines on outsourcing. The new guidelines, when finalised, will replace the existing CEBS guidelines of 2006 as well as the separate cloud outsourcing recommendations the EBA finalised in December 2017 - those recommendations only began to apply on 1 July this year.
Financial services and technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said: "The EBA's report should help raise awareness of its thinking regarding the prudential risks applicable to fintech and of existing regulatory guidelines that apply. However, on the particular subject of cloud outsourcing, financial institutions must understand that it is the wording of the EBA's cloud recommendations that should be given primary consideration and not general statements the EBA makes in reports such as this one, and further that those cloud recommendations will be superseded by the new CEBS guidelines when they are finalised."
"The EBA's draft CEBS guidelines need to be clarified in a number of respects, and both institutions and cloud providers should engage with the consultation to get as much detail as they can on the new requirements they will face," he said.