While some uncertainty remains, it now seems that 'full' access and audit rights are not required for every outsourcing agreement. Some outsourcing arrangements which do not relate to critical or important functions may not always need to include these rights in full.
Negotiating access and audit rights has over the years been a barrier to concluding cloud agreements. Cloud providers argue that where they provide multi-tenanted services, it is unreasonable to require them to be overrun with auditors from each and every customer on various dates throughout the year. Accommodating large numbers of audits requires significant cost and coordination, and the audit process itself, particularly physical access to shared facilities, may create security risks.
No one realistically expected the EBA in the final guidelines to lessen the obligation relating to critical or important functions. That obligation requires outsourcing providers to give their financial institution customers 'unrestricted access and audit rights', including the right to conduct physical on-premises inspections, for outsourcing arrangements relating to those functions. 'Effective access to data and business premises' for critical and important functions is hardwired into EU law. In line with these expectations, the EBA has not moved away from this general position.
However, the final guidelines have lessened the burden for agreements on services that are not critical or important functions. Whether a function is critical or important needs to be assessed in line with detailed criteria set out in the guidelines.
Access and audit rights in the 'non-critical and important' context
The EBA's draft version of the guidelines from last June set out two lists of rights and obligations which financial institutions would specifically have had to include within written outsourcing agreements. The first list set out matters to be included in all outsourcing agreements, while the second set out additional matters to be included in agreements for the outsourcing of critical or important functions.
In the draft guidelines the first list included "the unrestricted right of institutions and competent authorities to get the information needed with regard to the outsourcing and to access and audit the service provider." Had the draft guidelines not been revised, financial institutions would have had to include these rights in every written outsourcing agreement.
In the final guidelines the EBA has combined the two lists into one and made clear that the new list relates only to outsourcing agreements for critical or important functions. This new combined list includes "the unrestricted right of financial institution and competent authorities to inspect and audit the service provider" as a matter to be included in outsourcing agreements for critical and important functions, rather than in all outsourcing agreements generally.
Does this mean that access and audit rights do not need to be included in any written outsourcing agreement for services that a financial institution deems not to be part of a critical or important function? This does not seem to be the EBA's intent.
The EBA has said that for the outsourcing of functions that are not critical or important, institutions "should ensure the access and audit rights … on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period."
Unfortunately this approach creates some uncertainty as to what happens when the risk analysis of a potential outsourcing arrangement reveals that the operational and reputational risks, scalability implications and potential impacts on the financial institution's continued performance of its activities are significant, or when the contractual period is lengthy. The EBA is not specifically saying that in those circumstances the outsourcing arrangement should automatically be deemed to relate to a critical or important function. It seems more likely that the EBA is implying that those arrangements remain ones relating to non-critical or important functions, but ones for which access and audit rights should be ensured in proportion to the risk.
This is also consistent with various comments the EBA has made in the broader report on its final guidelines. "Audit rights are a basis for effective oversight and supervision and need to be ensured contractually, in particular for the outsourcing of critical or important functions" and "Even if service providers do have an internal audit function, institutions cannot exclusively rely on it on an ongoing basis, at least for critical or important functions." The EBA is therefore leaving the door open for broad access and audit rights to be included in some agreements for non-critical or important functions.
The question then arises whether the full scope of access and audit rights that must be obtained for outsourcings relating to critical and important functions must also be obtained for this category of outsourcings relating to non-critical or important functions.
Scope of audit and access rights in the 'non-critical or important' context
In its comments the EBA has said that "many respondents considered that full audit rights are necessary only in the case of critical or important outsourcing, as negotiating those rights in all contracts (especially with third country suppliers) would be burdensome". It also highlighted that some respondents asked for clarification on "how audit rights may effectively be enforced if the contractual rights are denied by predominant providers" and, where contractual rights are denied, whether "standardised reports (e.g. ISAE 3402)" could be "accepted for meeting the requirements." In response, the EBA said that it has amended the guidelines to "accommodate the comments" and that "[t]he guidelines have been revised to allow for a more principle-based and proportionate approach."
It therefore appears, although it is not certain, that the EBA is saying that when assessing the risk of outsourcing arrangements relating to non-critical or important functions, the financial institution may determine that some access and audit rights are required, but that the agreement does not need to set out the 'full rights' which must be obtained in relation to critical or important functions.
What does all this mean practically?
Determining whether full access and audit rights need to be included within an outsourcing agreement is unfortunately not as simple as checking whether the arrangement has been assessed internally as relating to a critical or important function. Even where the arrangement has been assessed as relating to functions which are not critical or important, an analysis must be conducted of the risks the arrangement may create and of the extent to which access and audit rights should be ensured to mitigate those risks.
Financial institutions and cloud providers should begin thinking in terms of three categories of outsourcing arrangements when determining the extent of access and audit rights that a financial institution must obtain from outsourcing providers.
The categories are those that relate to
- critical and important functions;
- non-critical or important functions but for which access and audit rights still need to be ensured to an extent that the regulator considers commensurate to operational, reputational, scalability, continuous performance and contractual lock-in risks; and
- non-critical or important functions for which, on a risk-based approach, the financial institution deems that only limited access and audit rights are necessary.
Luke Scanlon is a financial services expert at Pinsent Masons, the law firm behind Out-Law.com