EBA's guidance for the use of cloud service providers by financial institutions
The European Banking Authority (EBA) launched its final guidance for the use of cloud service providers by financial institutions. The EBA Recommendations clarify the EU-wide supervisory expectations if institutions intend to adopt cloud computing, so as to allow them to leverage the benefits of using cloud services, while ensuring that any related risks are adequately identified and managed.
The Recommendations fit into the broader EBA work on FinTech since cloud computing is an important enabling technology leveraged by financial institutions to deliver innovative financial products and services.
The growing importance of cloud services as a driver of innovation and the increasing interest for the use of cloud outsourcing solutions within the banking industry have prompted the EBA to develop these Recommendations on its own initiative. This guidance, which builds on the existing Guidelines on outsourcing developed by the Committee of European Banking Supervisors (CEBS), provides additional clarity on cloud computing.
In particular, the Recommendations address five key areas: the security of data and systems, the location of data and data processing, access and audit rights, chain outsourcing, and contingency plans and exit strategies.
The Recommendations, which are applicable as of 1 July 2018, are addressed to credit institutions, investment firms and competent authorities.
These Recommendations have been developed according to Article 16 of Regulation (EU) No 1093/2010 ("the EBA Regulation"), which mandates the EBA to issue guidelines and recommendations addressed to competent authorities, with a view to establishing consistent, efficient and effective supervisory practices and ensuring the common, uniform and consistent application of European Union law.