United Kingdom (and EU regulation)

EBA consults on its guidance for the use of cloud computing

The European Banking Authority (EBA) has launched a consultation on draft recommendations on outsourcing to cloud service providers by financial institutions.

In December 2006 the Committee of European Banking Supervisors published general outsourcing guidelines that remain applicable. The draft recommendations provide additional guidance for the specific context of institutions that outsource to cloud service providers.

The draft recommendations include specific requirements for institutions to mitigate the risks associated with “chain” outsourcing where the cloud service provider subcontracts elements of the service to other providers. The use of subcontractors by the cloud service provider should not affect the services provided under the outsourcing agreement, and appropriate arrangements should be in place for the orderly transfer of the activity, data or services from the subcontractor to another service provider if needed.

The draft recommendations also:

provide guidance for institutions on the contractual and organisational arrangements for contingency plans and exit strategies in the context of cloud outsourcing; and
address the treatment of data and data processing locations in the context of cloud outsourcing. Institutions should adopt a risk-based approach in this respect and implement adequate controls and measures such as the use of encryption technologies for data in transit, data in memory, and data at rest.

The EBA states that the principle of proportionality should apply throughout the draft recommendations. The draft recommendations should be employed in a manner proportionate to the size, structure and operational environment of the institution as well as the nature, scale and complexity of its activities.

The deadline for comments on the consultation is 18 August 2017.

A public hearing will take place at the EBA’s premises on 20 June 2017.

In the UK, the FCA has previously issued finalised guidance for firms outsourcing to the cloud and other third-party IT services. Our previous blog entry is here.

View EBA consults on its guidance for the use of cloud computing, 18 May 2017