Cloud services come with the promise of many benefits for the financial services sector. Cloud computing offers large-scale and cost-effective solutions for data storage and efficient processing and is also the underlying technology for many FinTech platforms. As with a lot of new technology, however, financial institutions are struggling to see how they can embrace cloud services fully in the context of the current regulatory landscape. This is particularly so given that use of cloud services is often considered a material outsourcing, meaning that banks and investment firms must follow strict rules in order to ensure that the risks posed by migrating data to the cloud are mitigated appropriately.

Cloud Regulatory Guidance: Clear Skies?

Current guidance on outsourcing for banks and investment firms is from the Committee of European Banking Supervisors (CEBS) and dates from 2006 (the CEBS Outsourcing Guidelines), so is overdue for review. The European Banking Authority (EBA) has recognised this and, amidst concerns that firms simply may not use cloud service providers because they cannot reconcile how to do this in line with the regulatory requirements, published some new draft guidelines on outsourcing to cloud services (Draft Cloud Guidelines) for consultation on 17 May 2017.

The final guidance resulting from the public consultation (the Final Cloud Guidelines) will supplement, rather than replace, the existing CEBS Outsourcing Guidelines, so both will need to be read in parallel. Essentially, as the CEBS Outsourcing Guidelines are short and principles-based, the new guidelines seek to add more detail as to how a firm’s regulatory obligations may be met in the specific context of outsourcing to a cloud service provider, based upon discussions the EBA has had with firms and their regulators.

There are plans to start a full review of the CEBS Outsourcing Guidelines later this year, with a view to updating them to reflect more accurately the current outsourcing environment. The EBA has confirmed that, once the new CEBS Outsourcing Guidelines are published, these will repeal and replace the Final Cloud Guidelines. Therefore, the Draft Cloud Guidelines are somewhat of a “quick fix”, in response to two key factors. First, firms have been calling for more specific guidance, having found there to be a considerable degree of regulatory uncertainty. Second, the EBA has observed a range of different approaches in Member States and wishes to encourage supervisory convergence — particularly important for global solutions like cloud services.

Remaining Difficulties: A Gathering Storm?

Although the Draft Cloud Guidelines show willingness to help firms make use of cloud services, there remain a number of difficulties for firms in adopting these solutions. For instance, the level of reliance a firm would need to place on a cloud service provider (due to the nature of the service provided) does not sit easily with the requirements around contingency planning and exit strategies.

The EBA held a public hearing on the Draft Cloud Guidelines on 20 June 2017, in order to gather initial feedback on the proposals. The hearing featured an extensive Q&A session, with many of the questions focusing on the application of the requirements around access and audit rights. Particular points of interest were as follows:

• The EBA confirmed that, currently, it sees outsourcing to a cloud service provider as having all of the attributes of a regulatory outsourcing. Whether in future, when such services become part of the normal infrastructure, use of cloud services might not automatically be seen as subject to the regulatory outsourcing requirements, was left as an open point.
• There were concerns raised that such a broad approach means that a large number of projects would be caught by the rules on outsourcing, as use of cloud services will almost always cross the materiality threshold, due to the nature of the technology.
• There was a considerable amount of discussion around audit rights, with the EBA emphasising the fact that it has tried to provide some different options so that firms do not necessarily always need to conduct their own audit. The EBA also highlighted that persons with the right skills and knowledge should carry out the audit, and so firms may not have someone with the requisite skills, even if they have in-house audit capabilities. Service providers suggested that if every firm were to try to do its own audit, this would actually pose a risk to the service provider due to the disruption.
• Much of the discussion centred on the potential use of “pooled audits”, particularly by smaller firms with similar interests. However, various comments were made about the need for more guidance as to how this would work in practice. In particular, it was suggested that it would be helpful if regulators could set industry-level audit standards and publicly recognise or certify third party audit providers. The EBA did not seem to think this was necessary (or, perhaps more accurately, did not think this was the role of the financial services supervisor), suggesting instead that if a firm was unsure about its proposed use of a third party auditor it could discuss this with its regulator before entering into the outsourcing arrangement.
• One point of clarification we can expect to see in the Final Cloud Guidance is confirmation of the meaning of the term “operation centres”. The EBA confirmed, in response to a question at the public hearing, that this does not mean data centres. This was a significant issue raised during the public consultation into the FCA’s proposed guidance for firms outsourcing to the ‘cloud’ and other third-party IT services in 2015. In the Final Guidance (FG16/5), the FCA confirmed “We regard ‘business premises’ as a broad term, encompassing a range of premises. This may include head offices, operations centres, but does not necessarily include data centres.” Hopefully, we can expect to see similar language in the Final Cloud Guidance from the EBA.
• In relation to chain outsourcing, the EBA explained its approach to require only that firms are informed of significant changes to sub-contractors or sub-contracted services by the primary service provider, rather than needing to give their consent for such changes. When asked what it considered a “significant” change, the EBA explained that this would encompass anything that would affect the risk profile of the firm significantly. This leaves the onus on those drafting cloud contracts to build in a materiality level that works for both parties. In practice, many cloud providers limit such notice to changes to subcontractors processing personal data; firms may need to consider whether they require notice of changes to other subcontractors (for example those providing back-up services) in order to meet the EBA’s threshold.
• Also regarding chain outsourcing, the EBA stated that if the primary service provider was not willing or able to replicate the required contractual provisions down the chain, a firm may need to refuse to enter into a contract with that service provider.
• The EBA did not do much to clarify what it expects in terms of contingency plans and exit strategies, and whether it is sufficient for these to be in place internally within the firm, or whether they must be reflected in the contract with the service provider. Its only suggestion was that this depends on the nature of the service being provided.

Conclusion: Opportunity to Comment a Silver Lining

Although the Draft Cloud Guidelines, and the EBA responses at this stage, only go so far in addressing the regulatory difficulties firms face in adopting cloud solutions, the initiative to provide greater assistance to firms is very much to be welcomed. If nothing else, it gives credence to the use of cloud services by banks and investment firms and at least provides certainty that regulators are supportive of firms seeking to use these services.

The EBA requests responses to the consultation by 18 August 2017, and interested parties are encouraged to submit a response, indicating where the guidelines ought to be clarified or expanded to provide greater regulatory certainty. Responses can be submitted via the EBA’s website. The EBA plans to finalise the guidelines by the end of 2017, with a view to them coming into force around the middle of 2018.