ar130405 - Fotolia

EBA outsourcing guidelines: What banks, fintechs and cloud providers need to know

The regulatory landscape for financial services and outsourcing will undergo a refresh this month with new guidance from the European Banking Authority. We look at what banks, fintechs and cloud firms need to do

The Financial Conduct Authority (FCA)’s guidance on outsourcing IT to the cloud is often credited with having accelerated the pace of off-premise migrations within the banking sector, following its publication in 2016.

Until that time, the financial services community’s use of cloud could best be described as low-level and small-scale, as organisations sought to digitally transform within the confines of regulations that were drawn up before the term “cloud” was in common use.

The FCA guidance effectively had a starter pistol-like effect on the banking sector’s cloud migration plans, with various banks and building societies seizing on its advice to embark on “all-in” moves to the public cloud.

But while the FCA guidance effectively got banks and buildings societies going on their move to the cloud, it has since been superseded by other advice designed to ensure these entities are taking a long-term view of the risks involved in using off-premise technologies.

The aim is to ensure that as banks and building societies seek to run more of their applications and workloads in the cloud, they are not at risk of becoming too reliant on one provider or being stuck with them should their relationship sour later down the line.

“Regulators are concerned about what they call concentration risk, which is essentially putting all your eggs in one basket,” says Dan Read, a partner with the technology and IP division of financial services-focused law firm TLT LLP.

“The whole of the financial services industry or its banking operations, at least, could all be outsourced to Amazon, for example, and what if Amazon decides to turn it all off? That would not only affect those institutions, but would potentially bring our whole banking ecosystem to a grinding halt.”

This is particularly important, says Read, as consumers are increasingly favouring the use of mobile apps and internet banking services over visiting branches when it comes to interacting with their banks.

“Even small errors or short periods of service unavailability can have significant impact on customers, and preventing that is the regulators’ primary focus,” he adds.

Change and churn in regulations

This is evident from the contents of the European Banking Authority’s (EBA) cloud outsourcing guidelines, which, upon their publication in July 2018, meant that banks, building societies and certain categories of investment firms were no longer covered by the FCA’s guidance.

“The EBA recommendations provided further detail as to what is specifically required in cloud outsourcing contracts, and provided greater clarification and reassurance to financial institutions that are considering a move to cloud-based services,” says Read.

From that point onward, the journey to the cloud for the banking sector would be shaped by the EBA’s guidelines, which covered a lot of the same ground as the FCA’s, says Read, while providing financial institutions with a means of addressing some of its more “impractical” terms.

For example, the FCA guidance makes reference to the fact that organisations and their auditors should be able to access the “business premises” of any service provider to which they are outsourcing their IT, but states: “This does not necessarily include their datacentres.”

It then goes on to say that “service providers may, for legitimate security reasons, limit access to some sites, such as datacentres”.

While the wording itself gives cloud providers some grounds to turn down requests for users to visit their datacentres, the phrasing still suggests that a user might be able to demand and gain access if they absolutely require it.

“You can’t have customers turning up at your datacentre all the time if you’re a cloud provider,” says Read. “Amazon, Google and Microsoft would just not accept that, and that is a problem with the regulator requiring unfettered audit access to virtually anything going on there.”

The EBA guidelines seek to address this by including clauses that make it possible for organisations to achieve compliance through more indirect means – and, in turn, reduce the organisational burden caused by clients requiring on-demand and unfettered access to their service provider’s datacentres.

On this point, the EBA guidelines give financial institutions the option to embark on “pooled audits”, whereby a third party appointed by a group of clients undertakes a visit on behalf of all of them, or to rely on internal audit reports or the attainment of certain third-party certifications.

The major cloud providers have been accepting of these terms, says Read, because if they refused to play ball, their ability to do business with the banking sector would be severely impaired.

“The Microsofts of this world, the Amazons and Googles have got on board because they recognise they have to, in order to participate in the financial services market, and have all got their own [sector-specific] addendums attached to their terms,” he says.

“Google has a set of terms that it sticks onto the back of its standard terms, for example, that if you are a regulated institution, these are the terms that apply in addition. They will give you pooled audit information, and allow the regulators to have access, and enable clients to terminate whenever they want to, which are all things you have to have.

“So the big boys have all got involved because they realised that they are getting so much pushback from their regulated client base that they couldn’t afford not to.”

All change across Europe

In an industry as highly regulated as financial services, organisations are aware that the regulatory landscape in which they operate is subject to frequent change and revision. And this is just as well, given that the EBA rules will soon be integrated into a far larger and wider-ranging set of guidelines.

These are the EBA Guidelines on Outsourcing Arrangements, which come into effect on 30 September 2019, and are billed as a means of providing financial institutions with a single set of rules governing how they should approach all their outsourcing engagements – including their cloud contracts.

“Outsourcing [contracts] entered into, reviewed or amended after that date must comply with the guidelines,” says Jake Ghanty, a financial regulatory partner at technology-specialist law firm Kemp Little, during a panel discussion about the guidelines in early September 2019.

“That may sound like – in relation to existing outsourcings – that you don’t really need to worry about these guidelines right now, but that’s not strictly the case. If you were to amend an existing outsourcing, you need to start taking account of these guidelines.”

Also, by 31 December 2021, all entities whose activities fall under the scope of the guidelines must ensure their existing outsourcing contracts have been updated and reviewed to ensure compliance.

This means they will need to embark on a large-scale reassessment of every single outsourcing engagement they have in place in the light of these new requirements. And, given how prone financial services firms are to outsourcing, this is unlikely to be quick or easy.

Read says: “From the financial institution’s point of view, there is a lot to consider both internally and externally, when they’re contracting for these types of services or consuming them.

“They are going to have to read and review all of their existing contracts to get compliant again, like they’ve done with GDPR [General Data Protection Regulation], and like they’ve done with the 2018 [EBA] cloud guidance, but they are going to have to do it on a much broader scale.

“Because it could cover anything from outsourcing your datacentre security to your main banking platform, to a small bit of HR services, or it could be a small connector that fits to another system or whatever, because the scope and remit of the guidelines has got a lot broader.”

This is not just in terms of outsourcing types, adds Ghanty, but also with regard to the wide range of companies that will have to follow these guidelines – not just banks, building societies and investment firms, but also companies specialising in payment services, electronic money institutions and fintech providers.

The fact that these entities have been brought into the scope of the guidelines is a clear acknowledgement by the EBA that financial institutions are increasingly outsourcing a wider variety of their functions to third-party technology providers, says Ghanty.

“One positive act in relation to these guidelines it that they will now only need to consult one set of guidelines in relation to both cloud and non-cloud outsourcing,” he adds.

Outsourcing assessments and reviews

As detailed in the 125-page guidance, financial institutions will have to assess whether the arrangement they have in place falls under the EBA’s definition of outsourcing. And if it does, they then need to decide whether that particular process or activity would classified as critical or important to how the organisation functions.

If any disruption – in the form of what the EBA calls a defect or failure – in performance of the outsourced function were to “materially impair” its financials, the running of its business or its regulatory standing, that would be considered a critical or important function – and would be subject to more stringent controls.

Raphaels Bank: When outsourcing goes awry

A timely reminder as to why regulations like those outlined in the European Banking Authority (EBA) guidelines are important emerged in May 2019, when Raphaels Bank was fined £1.89m for failing to manage its outsourcing arrangements properly.

The failings came to light after an eight-hour technology “incident” on Christmas Eve 2015 at a service provider replied upon by Raphaels’ payment services division to manage its card programmes and payment authorisation services.

As a result, 5,356 point-of-sale, cash machine and online transactions worth a total of £550,000 could not be authorised.

A subsequent investigation by the Financial Conduct Authority and Prudential Regulation Authority uncovered what the pair called “deeper flaws” in the overall management and oversight of outsourcing risk at the company, from “board level down”, and “weaknesses” throughout its outsourcing systems that they claimed the bank should have known about since April 2014.

In a statement released in May 2019, Mark Steward, executive director of enforcement and market oversight at the FCA, said: “Raphaels’ systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience.

“There is no lower standard for outsourced systems and controls, and firms are accountable for failures by outsourcing providers.”    

Ghanty adds: “There are specific, additional provisions that will apply in relation to business continuity planning for these types of outsourcing and there is a higher level of due diligence required in relation to entering into a critical or important outsourcing.”

For example, he points to a portion of the guidelines that puts the onus on financial institutions to ensure their chosen outsourcing partner has some form of track record with taking care of critical and important functions on behalf of their clients.

Ghanty points out that this could have implications for startups, which may not have as many reference customers that they can call upon to verify their ability to deal with critical and important functions.  

“The guidelines aren’t prohibiting firms from outsourcing to businesses without a long track record, but they will need to document or record some kind of objective justification for choosing the outsourced service provider that they have,” he says.

As financial institutions become more and more reliant on third parties to operate, one of the overarching aims of the EBA guidelines is to prevent them from effectively becoming what it calls “empty shell” organisations.

“The guidelines clarify that the management body of each financial institution remains responsible for that institution and its activities at all times,” says the EBA in a statement.

“To this end, the management body should ensure that sufficient resources are available to appropriately support and ensure the performance of those responsibilities, including overseeing all risks and managing the outsourcing arrangements.

“Outsourcing must not lead to a situation in which an institution becomes an ‘empty shell’ that lacks the substance to remain authorised.”

Read more about financial services, outsourcing and cloud

The guidelines seek to prevent this happening to financial institutions in two different ways. The first is through the creation of a written outsourcing policy that is regularly reviewed and updated, and sets rules governing how outsourcing arrangements should be managed.

Ghanty says: “The guidelines require in-scope firms to implement a written outsourcing policy, defining principles, responsibilities and processes relevant to each phase of the outsourcing lifecycle. This policy needs to document internal risk management policies, and defined procedures for things like renewal processes.”

The second way the guidelines seek to protect financial institutions from becoming “empty shells” is by mandating that firms should maintain an updated register containing information on every single outsourcing arrangement they have in place.

According to the guidance, the register should log details about the start and renewal date of each outsourcing contract the financial institution operates, alongside a brief description about the function being outsourced and the identity of the third party responsible for overseeing it.

It also stipulates that institutions document where in the world these functions will be performed by the outsourcer, and take a note of whether the functions are considered critical or important, as well as the reasons why.

The guidelines state: “In the case of outsourcing to a cloud service provider, the cloud service and deployment models (public, private, hybrid, community), and the specific nature of the data to be held and the locations where such data will be stored should be recorded.”

The idea is that documenting such information will make it easier for organisations to keep on top of their current outsourcing arrangements, while also providing regulators with a means of tracking which suppliers financial services firms regularly do business with.

Outsourcing register: What to include and how to manage

The register is not exactly a new requirement, says Read, given that followers of the EBA cloud guidance were instructed to keep a similar register of all the suppliers from which they sourced off-premise services.

“All our clients have done it, and they’ve taken different views about how far they should push that definition of cloud outsourcing,” he says. “Some have said everything that has any element of cloud needs to be on the register, and others have taken a bit more of a granular view on it.”

The reason for that is because the guidelines are not overly prescriptive about how organisations should go about creating and managing these registers, which – based on the guidance – require firms to log substantial amounts of data about each outsourcing contract they embark upon.

Read says there are plans afoot to bring a degree of consistency and clarity to all this through the potential creation of a centralised, online portal – overseen by the Prudential Regulation Authority (PRA) – that financial services firms can use to log this information. 

“Someone will input a record of all their outsourcings into this with a bunch of dropdown fields or some sort of data taxonomy, so that’s all in one place, and people don’t have to keep wrestling with submissions from spreadsheets or other documents,” he says.

“Some organisations were working on building their own… but the expectation is there will be some sort of online register they can use, partly because of the experience [regulators have had] around GDPR notifications and the management of that, where everyone starts submitting loads of stuff, all the time, in random formats, which is a nightmare.”

As for when that online portal is likely to put in an appearance, Read suggests a pilot may not be in the offing until the December 2021 implementation end-date has passed. But if and when it does, it will make the administrative load for both regulators and their charges a little lighter.

Particularly, as Read points out, the guidance essentially encourages people to notify regulators “more frequently than they have ever done in the past” about any changes in their circumstances from an outsourcing point of view.

For regulators, the data gleaned from this register should also make it easier for them to gauge whether the sector is becoming too heavily reliant on certain providers and taking steps to protect themselves from any risks that might pose to their organisations, he adds.

“It means they can say, should we be encouraging or requiring people to have a more even spread across other cloud providers, for example,” says Read.

Preparation for new regulation

So it is clear that the financial services, fintech and cloud provider community have plenty of work to do to prepare for the guidelines coming into force, but – in our expert’s view – how ready are they?

From an end-user perspective, TLT LLP’s Read thinks many financial institutions have put their preparation work on the back burner because of the uncertainty over how the entire regulatory environment could change post-Brexit.

“I don’t think many institutions are ready for it yet,” he says. “Some of them are, and are getting on board about it, but some are waiting to see what the consequence of Brexit will be on the regulatory landscape, because this is not UK-specific guidance.

“But the expectation and intention from people like the regulators is that it will be applied in the UK, so it can’t be ignored.”

An EBA outsourcing guidelines checklist

Camilla Winlo, director of consultancy at data protection advisory firm DQM GRC, shares her step-by-step guide to what financial institutions should be doing now to ready their outsourcing setups for the incoming EBA guidelines on outsourcing.

Before the deadline, organisations should check that:

  • They have correctly identified all their “outsourcing” arrangements, and all the arrangements that affect “critical and important processing”.
  • No one can implement new cloud computing outsourcing arrangements without following the correct procedures. In particular, it is recommended to check for the use of free, personal (as opposed to company-owned) and low-cost services that may have been put through on expenses. 
  • The risk assessments are up to date, accurate, and include all necessary documentation.
  • Contracts have been reviewed and updated in line with the requirements.
  • Documentation is up to date, accurate and that all the documentation is properly aligned with no gaps or conflicts.
  • Incident response playbooks have been updated and tested. It is important that incidents are both recognised and reported quickly, while also ensuring that they do not interrupt normal business activities.
  • The company has exited a cloud computing arrangement if a decision has been made to do so. Where appropriate, evidence such as data deletion certificates or audit reports should be held to prove that the arrangement has ended, and the cloud services provider has securely erased and/or returned the organisation’s data.
  • There are appropriate audit trails to demonstrate management oversight of the decision-making process and cloud computing arrangements.
  • Each outsourcing arrangement has a documented owner who is aware of their responsibilities.
  • Appropriate training has been provided recently to ensure everyone understands the requirements and what they need to do personally to comply with them. It is also worth ensuring that people who have recently joined or changed roles have received the appropriate information and training.

From a cloud provider point of view, if suppliers took steps to ensure compliance with the EBA’s previous guidelines, they should be ready for what is to come, says Read.

“From the cloud provider point of view, from last year to this year’s guidance, nothing has really changed,” he says. “It is the same guidance that has been rolled into the new set of guidelines.”

Computer Weekly understands there has been a degree of pushback previously, particularly during the consultation process for the guidelines, from some members of the fintech community about the EBA’s plans to bring its organisations into the scope of the guidance.

From a preparation perspective, Read feels the fintech community is lagging behind its cloud provider counterparts, but, as is often the case with regulation, some firms are on more solid ground than others.

Luke Scanlon, head of fintech propositions at legal firm Pinsent Masons, tells Computer Weekly that part of that might be down to how long some of these firms have been operating.

“For fintech providers specifically, regulation isn’t front of mind for new technology providers, but it needs to be because sometimes they don’t understand that what is holding banks and other financial institutions back from purchasing their technologies is the lack of understanding around changes like this,” says Scanlon.

“Their initial meetings with innovation people and sales might get them excited, but it is the regulation barrier that is holding them back [from winning deals].”

As mentioned above, these guidelines will require firms to reassess all their current outsourcing agreements and rethink how they manage any new ones they enter into in the future, as they set about working out which ones could and should be considered critical or important.

During these determinations, it might transpire that a function that has previously been handed to a third-party fintech provider to do is now considered outsourcing, but was not previously.

Scanlon adds: “Banks, for example, might not have been thinking about their fintech suppliers too closely in the past from that regard, but with the guidelines focusing on critical and important functions, all suppliers will need to rethink their positions if they want to continue to service the financial services market.”

Read more on Platform-as-a-Service (PaaS)

Data Center
Data Management