This site would like to set some non-essential temporary cookies. Some cookies we use are essential to make our site work.
Others such as Google Analytics help us to improve the site or provide additional but non-essential features to you.
No behavioural or tracking cookies are used.
To change your consent settings, read about the cookies we set and your privacy, please see our Privacy Policy



Payments & FinTech Lawyer

EBA finalises guidance for firms outsourcing to cloud

The European Banking Authority (‘EBA’) issued on 20 December 2017 its final report on ‘Recommendations on outsourcing to cloud service providers’ (‘Recommendations’), guidance which looks to provide financial institutions (‘FIs’) with further clarity on supervisory expectations across Europe for firms adopting cloud computing. The Recommendations follow a consultation on the subject published in May 2017, and also build on the 2006 outsourcing guidance from the Committee of European Banking Supervisors, which will in time be updated and should be read in concert with the Recommendations. UK firms will be aware that guidance on outsourcing to the cloud was issued by the Financial Conduct Authority (‘FCA’) in July 2016.

“The Recommendations are, for the most part, principles-based and as such are written at a high level,” explains Tim Wright, Partner at Pillsbury LLP. “This is consistent with the approach taken in the UK and in a number of other EU Member States. Whilst at the consultation stage, some of the respondents argued for a more detailed, prescriptive approach, the EBA’s stance enables each firm to take into account its own policies and procedures, IT infrastructure and organisational design, as well as industry best practices, when selecting and contracting for cloud computing and other cloud services. Where the guidelines are specific and detailed, the requirements generally follow industry practice such as the requirement for a right to terminate where planned changes to subcontracted services would have an adverse effect on the risk assessment of the outsourced services.”

The Recommendations cover five major areas, including data and systems security, supply chain oversight (‘chain outsourcing’) and access and audit rights. The Recommendations seek to identify and manage risks for firms in relation to the cloud while also clarifying applicable regulatory requirements for firms who may wish to adopt cloud services; the EBA also seeks to foster supervisory convergence in terms of the expectations and processes applicable to the cloud.  

Section 4.1 of the Recommendations contains a discussion of how FIs looking to outsource to the cloud should perform an assessment on which of their activities should be considered as ‘material’ before commencing outsourcing. Firms should consider, inter alia, the criticality and risk profile of the activities to potentially be outsourced, and what the impact of disruption to such activities could be for revenue. “Only material cloud outsourcings will need to be notified,” said Wright. “Previously some EU supervisors required notification of non-material cloud outsourcings and some didn’t. This may help to speed up the sales and contracting processes where a cloud outsourcing is non-material.”

“The materiality risk assessment, and hence notification to the competent authority where an outsourcing is determined to be material, should be undertaken prior to the outsourcing taking place,” continues Wright. “The firm also needs to maintain a register of all cloud outsourcings, material and non-material. Information from the register, together with a copy of the cloud outsourcing agreement, should be made available to the regulatory authority on request.”

The Recommendations will become applicable on 1 July 2018.

Search Publication Archives



Our publication archives contain all of our articles, dating back to 2006.
Can’t find what you are looking for?
Try an Advanced Search

Log in to payments & fintech lawyer
Subscribe to payments & fintech lawyer
Register for a Free Trial to payments & fintech lawyer
payments & fintech lawyer Pricing

Social Media

Follow payments & fintech lawyer on TwitterView our LinkedIn Profilepayments & fintech lawyer RSS Feed