Up into the Clouds?

by Latham & Watkins LLP

Cloud services come with the promise of many benefits for the financial services sector. Cloud computing offers large-scale and cost-effective solutions for data storage and efficient processing and is also the underlying technology for many FinTech platforms. As with a lot of new technology, however, financial institutions are struggling to see how they can embrace cloud services fully in the context of the current regulatory landscape. This is particularly so given that use of cloud services is often considered a material outsourcing, meaning that banks and investment firms must follow strict rules in order to ensure that the risks posed by migrating data to the cloud are mitigated appropriately.

Cloud Regulatory Guidance: Clear Skies?

Current guidance on outsourcing for banks and investment firms is from the Committee of European Banking Supervisors (CEBS) and dates from 2006 (the CEBS Outsourcing Guidelines), so is overdue for review. The European Banking Authority (EBA) has recognised this and, amidst concerns that firms simply may not use cloud service providers because they cannot reconcile how to do this in line with the regulatory requirements, published some new draft guidelines on outsourcing to cloud services (Draft Cloud Guidelines) for consultation on 17 May 2017.

The final guidance resulting from the public consultation (the Final Cloud Guidelines) will supplement, rather than replace, the existing CEBS Outsourcing Guidelines, so both will need to be read in parallel. Essentially, as the CEBS Outsourcing Guidelines are short and principles-based, the new guidelines seek to add more detail as to how a firm’s regulatory obligations may be met in the specific context of outsourcing to a cloud service provider, based upon discussions the EBA has had with firms and their regulators.

There are plans to start a full review of the CEBS Outsourcing Guidelines later this year, with a view to updating them to reflect more accurately the current outsourcing environment. The EBA has confirmed that, once the new CEBS Outsourcing Guidelines are published, these will repeal and replace the Final Cloud Guidelines. Therefore, the Draft Cloud Guidelines are somewhat of a “quick fix”, in response to two key factors. First, firms have been calling for more specific guidance, having found there to be a considerable degree of regulatory uncertainty. Second, the EBA has observed a range of different approaches in Member States and wishes to encourage supervisory convergence — particularly important for global solutions like cloud services.

Remaining Difficulties: A Gathering Storm?

Although the Draft Cloud Guidelines show willingness to help firms make use of cloud services, there remain a number of difficulties for firms in adopting these solutions. For instance, the level of reliance a firm would need to place on a cloud service provider (due to the nature of the service provided) does not sit easily with the requirements around contingency planning and exit strategies.

The EBA held a public hearing on the Draft Cloud Guidelines on 20 June 2017, in order to gather initial feedback on the proposals. The hearing featured an extensive Q&A session, with many of the questions focusing on the application of the requirements around access and audit rights. Particular points of interest were as follows:

  • The EBA confirmed that, currently, it sees outsourcing to a cloud service provider as having all of the attributes of a regulatory outsourcing. Whether in future, when such services become part of the normal infrastructure, use of cloud services might not automatically be seen as subject to the regulatory outsourcing requirements, was left as an open point.
  • There were concerns raised that such a broad approach means that a large number of projects would be caught by the rules on outsourcing, as use of cloud services will almost always cross the materiality threshold, due to the nature of the technology.
  • There was a considerable amount of discussion around audit rights, with the EBA emphasising the fact that it has tried to provide some different options so that firms do not necessarily always need to conduct their own audit. The EBA also highlighted that persons with the right skills and knowledge should carry out the audit, and so firms may not have someone with the requisite skills, even if they have in-house audit capabilities. Service providers suggested that if every firm were to try to do its own audit, this would actually pose a risk to the service provider due to the disruption.
  • Much of the discussion centred on the potential use of “pooled audits”, particularly by smaller firms with similar interests. However, various comments were made about the need for more guidance as to how this would work in practice. In particular, it was suggested that it would be helpful if regulators could set industry-level audit standards and publicly recognise or certify third party audit providers. The EBA did not seem to think this was necessary (or, perhaps more accurately, did not think this was the role of the financial services supervisor), suggesting instead that if a firm was unsure about its proposed use of a third party auditor it could discuss this with its regulator before entering into the outsourcing arrangement.
  • One point of clarification we can expect to see in the Final Cloud Guidance is confirmation of the meaning of the term “operation centres”. The EBA confirmed, in response to a question at the public hearing, that this does not mean data centres. This was a significant issue raised during the public consultation into the FCA’s proposed guidance for firms outsourcing to the ‘cloud’ and other third-party IT services in 2015. In the Final Guidance (FG16/5), the FCA confirmed “We regard ‘business premises’ as a broad term, encompassing a range of premises. This may include head offices, operations centres, but does not necessarily include data centres.” Hopefully, we can expect to see similar language in the Final Cloud Guidance from the EBA.
  • In relation to chain outsourcing, the EBA explained its approach to require only that firms are informed of significant changes to sub-contractors or sub-contracted services by the primary service provider, rather than needing to give their consent for such changes. When asked what it considered a “significant” change, the EBA explained that this would encompass anything that would affect the risk profile of the firm significantly. This leaves the onus on those drafting cloud contracts to build in a materiality level that works for both parties. In practice, many cloud providers limit such notice to changes to subcontractors processing personal data; firms may need to consider whether they require notice of changes to other subcontractors (for example those providing back-up services) in order to meet the EBA’s threshold.
  • Also regarding chain outsourcing, the EBA stated that if the primary service provider was not willing or able to replicate the required contractual provisions down the chain, a firm may need to refuse to enter into a contract with that service provider.
  • The EBA did not do much to clarify what it expects in terms of contingency plans and exit strategies, and whether it is sufficient for these to be in place internally within the firm, or whether they must be reflected in the contract with the service provider. Its only suggestion was that this depends on the nature of the service being provided.

Conclusion: Opportunity to Comment a Silver Lining

Although the Draft Cloud Guidelines, and the EBA responses at this stage, only go so far in addressing the regulatory difficulties firms face in adopting cloud solutions, the initiative to provide greater assistance to firms is very much to be welcomed. If nothing else, it gives credence to the use of cloud services by banks and investment firms and at least provides certainty that regulators are supportive of firms seeking to use these services.

The EBA requests responses to the consultation by 18 August 2017, and interested parties are encouraged to submit a response, indicating where the guidelines ought to be clarified or expanded to provide greater regulatory certainty. Responses can be submitted via the EBA’s website. The EBA plans to finalise the guidelines by the end of 2017, with a view to them coming into force around the middle of 2018.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising

Written by:

Latham & Watkins LLP

Latham & Watkins LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.