This article offers practical advice on how to navigate a changing regulatory environment with regard to the EBA guidance on outsourcing.
In recent years, as the capabilities offered by Cloud Service Providers have developed rapidly, the use of Public Cloud has become an increasingly viable option for financial services (FS) firms. According to Refinitiv's 2019 Public Cloud Report, 48% of financial services firms' IT budget will be invested in Public Cloud in 2020, up from 34% in 2018.
Given the increasingly ubiquitous nature of Cloud adoption by FS firms, from the world’s largest investment banks to new market entrants, the world’s financial regulators are moving to ensure that the implementation of Public Cloud does not threaten market stability.
Why is Cloud becoming so popular in FS?
One of the key reasons FS firms are keen to adopt Public Cloud is the breadth of potential use cases it has across the operating model. It can be used across front, middle, and back office areas as an efficient way to price complex derivatives; to provide predictive analytics on large sets of data; to upgrade legacy CRM & Trade Workflow products; to assist with capacity when processing bulk trades; and to automate repetitive human tasks, such as portfolio compressions and Confirmation & Settlement processes.
As a result, regulators are drawing up a comprehensive set of guidelines to ensure that Cloud is implemented responsibly and safely, with a particular focus on data security. Ultimately, firms must follow these guidelines to stay compliant.
The European Banking Authority (EBA) recently published regulatory guidance setting out how firms should govern and oversee their use of third-party outsourcing providers, including Cloud providers.
Outsourcing register – get ahead now with a current state assessment
One of the main requirements likely to come into force is that financial institutions maintain an outsourcing register, in which the details of all outsourced processes are logged, including those which have been moved onto a Public Cloud.
This is a new requirement for many firms, and the template for this register is yet to be confirmed by any national regulator. To get ahead of it, firms would benefit from proactively assessing their outsourced services and functions now. They should carry out a current state assessment of their outsourcing arrangements, which will also help them understand the value for money each service provides and identify any arrangements that are currently undocumented.
Create a comprehensive outsourcing policy
Firms are also required to demonstrate rigorous governance of outsourced functions. Firms using third-party Public Cloud must be able to demonstrate that they have a comprehensive outsourcing policy, written and approved by the management body. This policy should include a risk profile, the means of overseeing the service provider, business continuity measures, and metrics for measuring supplier performance.
A specific risk regarding the provision of Public Cloud is concentration risk, caused by the limited number of Public Cloud service providers capable of delivering Cloud at scale. The EBA is concerned that, by outsourcing a number of key functions to a limited number of providers, firms may lose access to their data and services in a business continuity event, for example should the Cloud provider face an outage. Firms must be able to demonstrate that they have taken this into account, that their Public Cloud outsourcing strategy is diverse enough to mitigate this risk, and that they have robust business continuity plans in place, including a tested exit strategy for each provider.
Be ready to assess your Cloud solutions’ resilience and security
Similarly, operational resilience is a key focus area of the new guidance. Regulators are imposing fines on firms that experience interruptions in services that impact customers. Responsibility for this cannot be outsourced, and the management body remains accountable for any data breach or operational incident. Firms must therefore understand the shared responsibility model: they can rely on Cloud providers for resilient underlying infrastructure and services, but the provider's guarantees stop at that infrastructure, so firms must design and configure their own applications (for example, by spanning multiple availability zones and testing backups and failover) in a manner that meets regulatory and compliance obligations.
Data security and privacy are becoming increasingly important, as FS firms must contend with a growing number of increasingly sophisticated security threats and regulatory requirements. Firms must be able to prove that they have robust security measures in place and that they are able to control, monitor, and audit access to any sensitive data. They must know what sensitive data is processed and how, in all formats, whether it exists in databases, exported spreadsheets, or in the Cloud. To do this effectively, it is best to leverage the security and privacy products provided by the Cloud providers across the spectrum of security functions, including identity and access management (IAM), network security, endpoint security, data security, application security, and security monitoring. Using provider-native tooling does not transfer accountability, however: the firm still needs to own the configuration, retain the resulting logs, and review them.
In a nutshell
The best way for firms to become compliant is to be proactive, not reactive, in the above areas. However, they should not be dissuaded from pursuing Public Cloud adoption, as the benefits in terms of cost reduction and process efficiency can significantly outweigh such risks. A comprehensive Cloud strategy across all levels of the firm will ultimately reduce these risks.