EBA Proposal on Outsourcing to Cloud Service Providers

Published: 18 May 2017

The European Banking Authority (EBA) has published a consultation setting out its guidance for the use of cloud service providers by financial institutions, including MiFID investment firms subject to CRD IV/CRR. The recommendations are intend to clarify the EU-wide supervisory expectations if institutions intend to adopt cloud computing, so as to allow them to leverage the benefits of using cloud services, while ensuring that any related risks are adequately identified and managed. There are recommendations for institutions regarding materiality assessments, access and audit rights, security of data and systems, location of data and data processing, chain outsourcing and contingency plans and exit strategies.  If adopted, these recommendations would apply to covered institutions in addition to the FCA’s own requirements in relation to outsourcing to cloud providers. The consultation runs until 18 August 2017 and there is an open meeting at the EBA on 20 June 2017.  If you would like to contribute to a response to this consultation, please contact Jennifer Wood.