In the first blog of this series, we highlighted the regulators’ overarching approach to Cloud outsourcing and key areas of focus such as operational resilience, shared responsibility and concentration risk.
Guidance published by EU and national regulators clarifies regulatory expectations of firms using CSPs. However, firms have highlighted difficulties in applying these requirements in practice, and often cite them as significant barriers to further Cloud adoption [1].
In this blog, we explore some of these barriers and assess them in the light of recent regulatory publications, and our own experience of supporting our clients in designing and implementing Cloud projects. We also highlight some of the key areas where firms appear to be lagging behind regulatory expectations. Our third and final blog will outline key considerations for firms looking to use the Cloud successfully for certain services, processes and functions.
How real are some of the regulatory barriers to Cloud adoption?
Regulatory barriers highlighted by firms often point to the lack of clarity of, and the difficulty in complying with, the existing regulatory framework. In response, the EBA, EIOPA and some national European regulators have set out detailed requirements or clarifications around using CSPs, including when outsourcing critical functions to them.
We explore below in Table 2 some of the regulatory barriers that firms cited most frequently, and discuss the regulatory expectations and firms’ own capabilities for overseeing and managing CSP-related risks.
Regulators have not expressed clear support for further Cloud adoption in FS
Perception real – now changing.
The regulatory approach to Cloud outsourcing has changed noticeably over the past few years.
In the UK, while regulators and supervisors have previously expressed their “uneasiness” at outsourcing large and sensitive parts of the financial system to the Cloud [2], they have recently stated more explicitly their commitment to encouraging firms to transition to the Cloud and realise its benefits, particularly in relation to operational resilience [3].
In the EU, the Commission has listed the removal of obstacles to Cloud services as a key priority for its FinTech Action Plan. As part of this programme, it will continue to assess the feasibility of creating a legislative action for the “monitoring of activities of third party providers when they are critical services providers to relevant entities”, as suggested by the ESAs [4].
Therefore, while the regulatory position initially seemed unclear and somewhat reluctant to embrace fully the use of CSPs for outsourcing functions, regulators have more recently clarified their stance. Using CSPs, including for critical functions, can present significant opportunities in particular to improve the operational resilience of the financial system. However, firms are expected to demonstrate their readiness to use CSPs in a way that is secure, and does not cause harm to consumers, markets, and financial stability.
There is still a high degree of divergence in, and practical challenges to, the application of the EBA Recommendations across EU jurisdictions
Perception real – changes to be expected once the EBA Guidelines on outsourcing come into force.
The EBA Cloud Recommendations, recently integrated into the Guidelines on outsourcing arrangements, were issued to provide more clarity on regulatory expectations, while leaving enough flexibility to account for the complexity and diversity of Cloud arrangements entered into by FS firms. The EU Commission is also working on developing a framework for the certification of the security of CSPs [5]. In the UK, the PRA has committed to publishing a Supervisory Statement, expected at the end of 2019, setting out clear expectations to give firms “assurance” on the use of Cloud outsourcing [6].
However, there remains a lack of harmonisation in the regulatory and supervisory expectations concerning Cloud outsourcing [7]. In the EU, the EBA Recommendations on Cloud outsourcing, initially issued in December 2017, gave national jurisdictions some leeway to implement their own regulatory framework, particularly around the notification requirements for outsourcing critical functions and audit obligations. In the insurance sector, the EU-wide guidance is still in the consultation phase, and is expected to come into force only in July 2020.
Implementation of the EBA Recommendations by national EU regulators has varied. For example, the EBA requires firms to notify their national competent authority about their plans to outsource critical functions, but in the UK and Luxembourg the regulators require periodic reporting of all functions outsourced to the Cloud, alongside pre-authorisation for critical activities. Similarly, on the contractual aspects of Cloud outsourcing frameworks, while the EBA addresses intra-group specificities, the Luxembourg regulator does not and instead places intra-group arrangements on the same footing as any other outsourcing, although this may change as the regulator has planned to align its requirements with the EBA Guidelines [8].
Another challenge concerns the implementation of pooled audits, whereby several firms coordinate to audit their CSP simultaneously. In its Recommendations, the EBA encouraged pooled audits as a way for firms to reduce the cost and time needed to achieve the necessary assurance over their CSPs. Pooled audits, while useful, can also be challenging, as they require effective coordination between multiple FS firms with different resources, objectives and Cloud outsourcing models. To date, BaFin has been the most vocal regulator in its acceptance of pooled audits as an assurance mechanism [9].
In the short to medium term, this regulatory divergence can be a challenge for international firms looking to deploy a standardised international Cloud strategy, and to reap the full cost and operational benefits of a Cloud strategy and infrastructure developed at scale.
The integration of the EBA Recommendations into the Guidelines on outsourcing aims to solve this regulatory divergence. But it remains to be seen whether harmonisation will improve after the Guidelines, which by nature are not binding, come into force on 30 September 2019.
Regulatory knowledge of Cloud technology and the broader ecosystem is poor
Perception real – now changing.
Regulators have increased their skills and expertise, employing technical Cloud specialists and developing initiatives to build their own capability to supervise Cloud-enabled firms. In particular, information-sharing events involving Cloud practitioners, FS firms and regulatory/supervisory bodies and bilateral conversations with CSPs have enabled regulators to improve their understanding of the practical difficulties that FS firms encounter.
At the EU level, the first EU FinTech Lab, implemented as part of the Commission’s FinTech Action Plan, was dedicated to Cloud outsourcing, and brought together CSPs, FS firms and supervisors to explore Cloud use cases in the FS sector and some of the areas which would benefit from supervisory convergence [10].
In the UK, the FCA has adopted an all-in Cloud strategy for its own data and services [11]. In addition to helping the regulator to develop Cloud-specialised skills, this will also provide it with deeper experience and knowledge of the risks and challenges associated with Cloud adoption, and feed into its own regulatory approach to the technology. The BoE’s Financial Policy Committee will also conduct a review of Cloud services provision to the FS sector in the second half of 2019, which should give it a better understanding of the extent to which the technology is used in the sector [12].
Undoubtedly, regulators as well as firms are still getting to grips with Cloud technology, its risks, and the opportunities it presents for firms, the financial system, and for regulation and supervision. However, given that Cloud outsourcing is a major item on firms’ strategic agendas, we observe a very proactive commitment from regulators to deepen their understanding of the technology.
CSPs’ market power is too strong and FS firms have no influence on contractual requirements
Perception does not have to be a reality if firms organise themselves effectively. But in some cases, the (small) size of firms, and a lack of preparedness on their part, will make it almost impossible to have any impact on the terms of the contract.
The size of individual CSPs and the high degree of concentration among them change the dynamics of the traditional outsourcer-vendor relationship. Firms have highlighted the difficulty in complying with some of the key regulatory requirements for rights of access and audit in their contractual arrangements with their CSPs [13].
Regulators have acknowledged this difficulty [14]. However, our experience has been mixed, with evidence that in certain circumstances, CSPs are prepared to amend contractual terms. Well-coordinated projects, staffed with the right business and technology stakeholders, with a clear Cloud strategy, were often more successful in negotiating CSP contracts which fulfilled regulatory expectations. In some jurisdictions, the largest CSPs have also started including FS-specific contract addendums that meet the supervisory expectations with regard to audit and access rights. Finally, the European Banking Federation has been working on a set of standard contractual clauses for Cloud outsourcing to support the European Commission’s work on the issue, as agreed in the FinTech Action Plan [15].
Having the right stakeholders (i.e. legal, business, technical and subject matter experts) engaged early enough in the conversation with the CSP, and having a clear understanding of all the legal and business requirements are key if firms are to succeed in integrating additional terms into Cloud outsourcing contracts. The fact that regulators and CSPs have bilateral discussions means that CSPs should be fully familiar with what regulators expect of them in relation to successful Cloud adoption.
Notwithstanding any remaining areas of regulatory uncertainty, existing regulatory requirements should not be seen as a barrier to Cloud adoption, but rather as a broad framework within which firms need to satisfy themselves (and their regulators) about the robustness of their Cloud strategies and arrangements. In essence, most regulators are not trying to restrain firms from their plans to move to the Cloud. Nonetheless, they expect robust security, governance and controls over firms’ arrangements with CSPs, along with a frequent dialogue between themselves and FS firms to ensure that these plans are deployed in a secure way, without disrupting critical services to customers and the financial system more broadly. This transition is a complex and challenging task for firms migrating significant volumes from legacy systems to the Cloud. Robust planning and preparation are key to a positive regulatory engagement strategy. We discuss these further below.
Breaking down the key components of regulatory focus
Regulatory guidance issued at the EU and UK levels sets out what firms need to do to demonstrate their readiness and preparedness for Cloud adoption, across four key areas:
- clear business objectives and a robust business case for moving to the Cloud;
- a deep understanding of the business and technical risks introduced by using CSPs, across the whole business, including at Board and Risk committee level;
- capabilities to assess and mitigate the execution risks of a Cloud adoption/migration programme; and
- an appropriate risk management framework and related capabilities to oversee and manage risks arising from the shared responsibility model and any new ways of working [16], together with realistic timelines to achieve these.
Many firms fail to assess comprehensively and evidence their preparedness across these areas, particularly in terms of skills, as well as the governance and control frameworks deployed for the Cloud transformation process. We highlight some of these remaining practical issues, across the lifecycle of the Cloud strategy, in Figure 3.
In many ways, the key regulatory focus areas are very much aligned to an outsourcing firm’s business risks. In order to facilitate regulators’ approval of their Cloud strategy, firms will therefore need to demonstrate that they have assessed these risks, and have developed the capabilities to manage them across the entire business, including at Board and Risk committee levels. The outcome of this assessment may well be that certain critical functions cannot be migrated in the short term until capabilities are better developed.
However, one key obstacle seems to be the difficulty firms have in demonstrating to regulators their business assessment of migrating to the Cloud, and their readiness to do so in a way that does not pose risks to customers and the financial system. Systemically important firms face a greater challenge due to: their position at the core of the financial system, and the complexity of the services and products they offer; the need to shift from legacy systems to a new Cloud infrastructure; and the need to revisit entirely the way their business operates, including in terms of skills, governance and risk management frameworks.
Firms will need time to overcome these challenges. A clear, realistic timeline combined with strong engagement from the relevant teams across the whole business, along with early regulatory engagement, will be essential to ensure a successful and secure adoption of the Cloud.
We will explore some of these factors, and strategic recommendations for firms, in our final blog.
[1] According to new Finastra research referred to in Huw van Steenis’ Future of Finance report.
[2] Refer to Sam Woods’s interview with Bloomberg in July 2018.
[4] Refer to the ESAs’ Joint Advice on the need for legislative improvements relating to ICT risk management requirements in the EU financial sector.
[6] Refer to the BoE’s response to the Future of Finance report.
[7] The appendix to the BIS report on “Regulating and supervising the clouds: emerging prudential approaches for insurance companies” gives a good insight into the current regulatory framework applicable to FS firms in multiple jurisdictions in the EU and worldwide.
[8] Refer to the Luxembourg Bankers’ Association article published in June 2019.
[9] Refer to BaFin’s article on “Cloud computing: compliance with the supervisory requirements regarding rights of information and audit and ability to monitor”.
[11] Refer to the FCA’s Business Plan 2019/2020.
[12] Refer to the July 2019 Financial Stability Report.
[13] The EBA Guidelines indicate that firms should have contractual clauses in place to ensure that they, as well as their national supervisor, can audit and have physical access to the CSPs’ facilities. In its “Report on the impact of FinTech and payment institutions’ and e-money institutions’ business models”, the EBA noted that “small to medium-sized institutions appear to have weak bargaining power to successfully negotiate unrestricted audit and access rights with a global CSP”.
[14] In his speech on “Resilience and continuity in an interconnected and changing world”, Lyndon Nelson, Deputy CEO and Executive Director of the BoE, observed: “However the dominance of just a few providers means that many buyers are not in a strong position to negotiate contract terms with their Cloud provider. This can leave them badly squeezed between regulatory requirements that will often look through an outsourcing and little leverage with their Cloud Supplier who is unregulated to deliver against the regulations”.
[15] Refer to the European Commission’s FinTech Action Plan.
[16] A report by the CBI highlighted that “failure of successful implementation of Cloud services is largely due to outdated governance and risk frameworks, poor awareness of an organisation’s risk appetite, insufficient security and access measures, and a lack of skilled expertise in the retained organisation”.