EBA issues draft recommendations on financial institutions’ use of cloud service providers

The European Banking Authority (‘EBA’) published on 17 May 2017 a consultation on its draft recommendations for the use of cloud service providers by financial institutions (‘Draft Recommendations’), setting out guidelines for those institutions who intend to adopt cloud computing. The Draft Recommendations build upon the general guidelines for outsourcing released in 2006 by the Committee of European Banking Supervisors (‘CEBS’) (‘CEBS Guidelines’) with specific recommendations applicable to those outsourcing to cloud service providers.

“Unlike CEBS the EBA goes into more detail around the key frictions that arise when using cloud services,” said Luke Scanlon, Head of Fintech Propositions at Pinsent Masons LLP. “As the general guidance was published back in 2006, issues around access to outsourcing premises, auditing rights and oversight of supply chains were not given the attention needed to be useful in a cloud context. The Draft Recommendations attempt to clarify frictions which occur in relation to these and other issues.”

The Draft Recommendations develop further guidance on the ‘right to audit’ established in the CEBS Guidelines, elaborating on how institutions can exercise this right and on the concerns institutions may have, for example in terms of security or access to data in certain circumstances. “There is likely to be strong support [from industry] for the view that ‘alternative ways’ of auditing of cloud premises can be used,” believes Scanlon. “The discussion will be around how the examples of pooled audits, third party certification regimes and internal audits can be extended to other means also.”

The EBA discusses what it terms ‘chain outsourcing,’ wherein a cloud service provider subcontracts out elements of the service to other parties. The EBA notes that there is a need to ensure certainty as to when chain outsourcing can take place when companies outsource to the cloud. “The EBA says that the associated risks e.g. the insolvency or other failure of a subcontractor can be mitigated through arrangements to facilitate the orderly transfer of the affected activity, data or services from one subcontractor to another if needed, coupled with a requirement that any changes to subcontracting arrangements are notified by the service provider to the institution and a right for the institution to terminate the cloud services contract if the new subcontracting arrangements adversely impact its risk assessment of the outsourcing arrangements,” explains Tim Wright, Partner at Pillsbury LLP. “This will no doubt trigger some nifty contractual wording - whilst institutions will need to show that their contracts cover the requirement, the cloud provider will want to ensure that any such risk assessment is an objective assessment and cannot be used as a back-door right to terminate ‘for convenience.’”

The consultation on the Draft Recommendations will run until 18 August 2017.
