Smart About Risk  
EBA consults recommendation on outsourcing to cloud service providers

On 17 May 2017 the European Banking Authority (EBA) issued a consultation paper containing recommendations on outsourcing to cloud service providers.

This consultation paper follows the former general CEBS guidelines on outsourcing issued in 2006, which are still applicable. Nevertheless, outsourcing is evolving and institutions now concentrate on cloud services. The aim is to ensure that, while institutions benefit from cloud computing, the risks are appropriately identified and managed. Moreover, supervisory convergence should be fostered.

First of all, the recommendations set out when institutions should inform their competent authorities about material cloud outsourcing.

Furthermore, the recommendations mainly address:

  • how to contractually secure both the right to audit, for institutions and competent authorities, and physical access to the relevant business premises of cloud service providers;
  • how to secure the data and systems used, including the data treatment and processing locations. Institutions are expected to implement adequate controls and measures such as the use of encryption technologies for data in transit, data in memory, and data at rest;
  • how to mitigate the risks associated with “chain” outsourcing (i.e. the use of subcontractors);
  • how to contract and organise contingency plans and exit strategies.

The deadline for the submission of comments to this consultation paper is 18 August 2017.  

13-7-2017