Historically, EU regulators have been technology neutral, and Cloud outsourcing by FS firms was considered in the same way as outsourcing functions to more traditional third-party providers1.
However, the increasing concentration in the CSP market outside the FS regulatory perimeter, as well as the growing interest from systemically-important firms to migrate more critical functions to the Cloud (and the risks associated with such major IT projects), have pushed some regulators and supervisors to depart from their technology neutral stance.
The European Banking Authority’s (EBA) final Guidelines on outsourcing, which integrate the EBA Recommendations on Cloud outsourcing and come into force on 30 September 2019, aim to clarify regulatory expectations, including in relation to documentation, risk assessments, and governance and controls around Cloud outsourcing arrangements. In the insurance sector, the European Insurance and Occupational Pensions Authority (EIOPA) recently issued a Consultation on Guidelines, expected to come into force in July 2020.
Some national regulators in the EU have also clarified their position on CSP outsourcing – the UK’s Finalised Guidance2, Luxembourg’s Circular, Germany’s Leaflet3 and France’s Recommendations on good practices are cases in point. In the UK, the Prudential Regulation Authority (PRA) has also committed to publishing a Supervisory Statement on outsourcing arrangements in the last quarter of 2019, with a specific focus on moving critical functions to the Cloud4.
Cloud is described by the EBA as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”5.
It is important to recognise that the use of CSPs can take many forms, and the regulatory risks (some of which are also business risks) vary considerably, depending on how firms use the Cloud and the particular service model, as presented in Table 1 and Figure 1. The variety and complexity of outsourcing arrangements entered into by FS firms have made it challenging, if not irrelevant, to apply a “one-size-fits-all” regulatory framework.
Table 1: Use of Cloud services6
Regulatory scrutiny is proportional to the risks that the regulated firm is exposed to and the level of oversight and control that the firm has over them. While the IaaS model only involves the use of low-level resources by the outsourcing firm, the SaaS model allows the outsourcing firm to leverage the CSPs’ end-to-end application and service, therefore requiring a more complex and deeper degree of integration and shared responsibility with the CSP. This latter model, as we will discuss further, presents higher operational and resilience risks, gives rise to a potential lack of clarity around shared responsibilities over risk management and controls and enhances the need for close governance and oversight of the outsourcing arrangements.
To date, most regulatory focus has been on the migration of critical functions7 to the Cloud. These are functions which, if defective or failing, would “materially impair” a firm’s compliance with the “conditions and obligations” of its authorisation and its regulatory requirements more broadly. Such critical functions include, but are not limited to, payments, custody, lending and deposit-taking activities, but also settlement and clearing, as well as core banking processes. While new entrants and FinTech start-ups have been building such functions directly onto the Cloud, the migration of critical functions by systemically-important incumbents has resulted in greater regulatory scrutiny and challenge reflecting the greater scale of execution risk and volume of services at stake.
Regulators have been concerned about the risks resulting from the complexity of these Cloud outsourcing arrangements, especially the potential for disruption to critical functions. Their concerns increase when systemically-important firms are involved, given the consequences for customers and the financial system more generally8. This blog does not cover all the applicable regulatory requirements, but instead focuses on some of the key risks and issues which FS firms need to address in order to demonstrate that they are meeting regulatory expectations.
One major area of regulatory focus is operational resilience. In the UK, this has been a priority for the BoE, the PRA and the FCA9. While new entrants and most new banks build their banking infrastructure on the Cloud, incumbents face the additional challenge of migrating to the Cloud, which comes with significant execution risk if not prepared, governed and controlled adequately. According to an FCA survey, failed IT changes caused 20% of the operational incidents reported to it between October 2017 and September 201810. On a similar note, the Central Bank of Ireland (CBI) also reported that a significant share of credit unions engaged in Cloud outsourcing did not conduct appropriate risk assessments, particularly around data classification and storage11.
A key point of concern around operational resilience is the “shared responsibility” model inherent in the relationship between a Cloud customer and the CSP (see Figure 2). This contractual model means that, while the CSPs retain responsibility over the lower level layers of infrastructure, the outsourcing FS firm is accountable for the data stored and processed, as well as the overall security of the solutions developed on the Cloud. And while such a model poses operational resilience challenges if it is not clearly defined and understood by the outsourcing firm, it is also in contradiction with regulatory expectations.
Source: EIOPA, “Outsourcing to the Cloud: EIOPA’s contribution to the EU Commission FinTech Action Plan”, March 2019.
Regulators have made clear that, under all circumstances, firms’ management bodies remain fully responsible for all the activities they outsource12. This requires firms to define clear accountable persons and to develop robust capabilities and knowledge across all lines of defence, including within the compliance and risk functions, to manage activities on the Cloud.
In the UK specifically, the Senior Managers and Certification Regime (SM&CR) requires firms to attribute the responsibility for firms’ outsourcing arrangements to a Senior Manager, including in case of an IT failure or adverse event13. However, the CSP’s ownership of the security of the infrastructure (as well as other responsibilities in a SaaS or PaaS contract) can make it more difficult for the outsourcing firm, particularly the accountable persons, to achieve full and transparent oversight over the controls and governance in place at the CSP level. It follows that, in a Cloud outsourcing environment, it can be more challenging than in a more traditional outsourcing setting to obtain the granular degree of assurance required for business and regulatory purposes. Without appropriate governance and risk control frameworks, an adverse event may prevent the firm from being able to deliver critical functions, and from complying with regulatory expectations, especially those around accountability.
The second key area of regulatory focus is concentration risk. The high degree of concentration in the CSP market means that CSPs operate as critical market infrastructures outside the regulatory perimeter. If a CSP were to be subject to a disabling cyber attack or IT outage, it would constitute a single point of failure, with damaging effects on the rest of the financial system and customers. The domino effect could also be extended if outsourcing FS firms relied on third parties themselves affected by the failure of the same CSP (e.g. “fourth party risk”).
This concentration risk is exacerbated by the difficulty of switching or rapidly exiting contracts with CSPs. Exiting CSP contracts can be time-consuming and costly given the lack of readily available in-house capability or infrastructure at FS firms, or limited portability of data held at CSPs. The risk is that firms are effectively “locked” into their Cloud outsourcing arrangements, which reinforces the potential role of CSPs as single points of failure. In this context, as we explore in our third blog, the implementation of robust contingency and exit plans is key if firms and their senior managers are to meet their regulatory responsibilities and mitigate some of these concentration risks.
In the EU, regulators too have tried to address this concentration risk by encouraging the development of multi-cloud services14, and the establishment of European CSPs, in order to strengthen competition and innovation in the market. The European Supervisory Authorities (ESAs) proposed that the European Commission “consider a legislative solution for an appropriate oversight framework for monitoring the activities of third party providers when they are critical service providers to relevant entities”, which would be directly relevant for CSPs15.
The various pieces of Guidance issued by EU and national regulators aim to mitigate risks posed by outsourcing critical functions to CSPs, particularly in relation to operational resilience and concentration. However, a significant number of FS firms often refer to regulation and supervisory attitudes as key barriers to further Cloud adoption.
In our next blog, we explore these barriers and assess whether, in practice, these are real or perceived.
1 Refer to Andrea Enria’s speech at the Copenhagen Business School (link here).
2 The Financial Conduct Authority (FCA) first published its Guidance for firms outsourcing to the Cloud in 2016, and then updated it in 2018 to reflect the publication of the EBA’s Recommendations. The Finalised Guidance only covers the limited class of FS firms not covered by the EBA Recommendations, which focus on credit institutions and investment firms.
3 Refer to the Deloitte article on BaFin’s Guidance (link here) and BaFin’s presentation at the EBA’s event on Cloud outsourcing (October 2018 – link here).
4 Refer to the Bank of England’s (BoE) response to the Future of Finance report (link here).
5 The EBA uses the definition of Cloud computing provided by the National Institute of Standards and Technology (NIST), Mell, P. & Grance, T (2011). “The NIST Definition of Cloud Computing” (link here).
6 Based on the EBA’s report on the “Prudential risks and opportunities arising for institutions from FinTech” (link here) and the Deloitte report: “Getting Cloud right: How can banks stay ahead of the curve?” (link here).
7 The wording adopted in the EBA Guidelines on outsourcing arrangements applies to investment firms, credit institutions, payment institutions and electronic money institutions. It is in line with the definition of “critical or important functions” under the Revised Markets in Financial Instruments Directive (MiFID II), according to which “an operational function shall be regarded as critical or important where a defect or failure in its performance would materially impair the continuing compliance of an investment firm with the conditions and obligations of its authorisation or its other obligations under [MiFID II], or its financial performance, or the soundness or the continuity of its investment services and activities”.
8 See Lyndon Nelson’s speech, and the EBA’s report on prudential risks and opportunities arising for institutions from FinTech.
9 See Discussion Paper on “Building the UK financial sector’s operational resilience” (link here).
10 See the FCA’s “Cyber and Technology Resilience: Themes from cross-sector survey 2017/2018” (link here).
11 Refer to the CBI’s findings from its IT Risk in Credit Unions thematic review (link).
12 The EBA Guidelines on outsourcing, which include the EBA Recommendations specific to Cloud outsourcing, indicated that: “The responsibility of the institutions’ and payment institutions’ management body for the institution or payment institution and all its activities can never be outsourced” (link). Similarly, the revised Markets in Financial Instruments Directive (MiFID 2) indicates that: “Outsourcing of important operational functions may not be undertaken in such a way as to impair materially the quality of its internal controls and the ability of the supervisor to monitor the firm’s compliance with all its obligations” (link).
13 Under the SM&CR, the relevant Senior Management Functions (SMF) must be attributed responsibility for all the key activities of a firm, and remain accountable for those activities, including when delegating all or parts of these activities whenever this is justified and adequately overseen. This counts for outsourcing activities within the Group, or to external third parties.
14 A multi-cloud strategy refers to the use of multiple CSPs, for example by using a mix of various IaaS environments.
15 Refer to “Joint Advice of the ESAs to the European Commission on the need for legislative improvements relating to ICT risk management requirements in the EU financial sector” (link here).