May 2017 saw the EBA launch a consultation on its guidance for cloud outsourcing. The consultation period closed on 18 August, and we expect the final guidance to be published during the first quarter of 2018.

The EBA’s aim is to clarify supervisory expectations for institutions using, or planning to use, cloud computing. The underlying goal is to allow firms to realise the benefits of cloud services, while ensuring that any related risks are identified and managed in a harmonised way.

The new guidance builds on existing supervisory requirements, which have been in place in 2006. These apply to all outsourcing arrangements and were originally developed by CEBS, the EBA’s predecessor. The new rules will apply proportionately to the same institutions as the existing requirements (credit institutions and investment firms) according to the size and nature of their cloud outsourcing arrangements.

Our analysis of the draft guidelines suggests that implementation will require most banks to complete five key stages. These are:

• Materiality assessment. The draft guidance begins with directions for assessing the materiality of cloud outsourcing, drawing on the broader CEBS guidelines.
• Supervisor contact and information. The guidance dictates whether, when and how institutions should inform supervisors about their cloud outsourcing arrangements.
• Security of data and systems. The guidance sets out a risk-based approach to security, including for data in transit. This involves identifying and classifying outsourced activities; deciding on the levels of protection they require; and including these requirements in outsourcing agreements.
• Location of data and data processing. The guidance requires organisations to take a risk-based approach when considering where data is stored and processed as part of cloud outsourcing. It also sets specific requirements for outsourcing undertaken outside the EEA.
• Contingency plans and exit strategies. The guidance requires outsourcing banks to ensure they can exit cloud computing arrangements without disrupting customer services or regulatory compliance. 

KPMG member firms can support banks – and service providers - at each of these stages. That includes supporting materiality assessments, helping to create contingency plans and providing assurance over the security of data and systems outsourced to the cloud.

In addition to the main guidance, banks will need to ensure they are compliant with the EBA’s requirements on access rights and audit rights. The guidance expects outsourcing banks and their supervisors to retain the right to audit cloud outsourcing operations, and to obtain physical access to cloud providers’ premises.

It remains to be seen exactly what form the final guidance will take, and how it will be applied by joint supervisory teams. Even so, it seems clear that implementing the new guidance will present significant challenges for many banks. Most institutions that use cloud computing will already have controls in place, but this is the first time that they will need to comply with a formal framework. Furthermore, the requirements reach beyond regulated institutions to include outsourcing providers themselves. The guidance also stipulates that chain outsourcing (subcontracting by a cloud service provider) should never affect service levels.

In our view, banks should urgently conduct a gap analysis of their current outsourcing controls, if they have not done so already. They should then prepare themselves to be able to move forward rapidly to implementation once the final guidance appears. Some may want to consider making changes to their plans for cloud computing.

Finally, there is a strategic aspect for banks to consider. As they prepare for SEPA Instant Payments and the revised Payment Services Directive, many banks are contemplating the improvement or replacement of core systems. Cloud outsourcing - which can make such changes faster and easier to achieve - is likely to play an important role. Banks should therefore consider the impact of the new guidance on their new arrangements, and the value of taking a joined-up approach.