The European Central Bank (ECB) proposed a guide on outsourcing of cloud services for banks under its supervision and the comment period for this guide ends on July 15, 2024. ECB identified various vulnerabilities in the IT outsourcing arrangements of banks during its 2023 Supervisory Review and Evaluation Process (SREP). Thus, third-party risk management, including cloud outsourcing, is high on the ECB list of supervisory priorities for 2024-2026.
EU rules such as the Capital Requirements Directive (CRD) and the Digital Operational Resilience Act (DORA) require banks to establish effective governance of outsourcing risks. ECB is proposing this legally non-binding guide to set out its understanding of these specific rules and how they apply to the banks it supervises. DORA takes precedence over this guide, with ECB also emphasizing that this guide must be read in conjunction with DORA (and its implementing legislation) and the EBA guidelines on outsourcing arrangements. The final guide is expected to be published before DORA comes into force on January 17, 2025.
Banks are expected to thoroughly audit their outsourcing arrangements to determine how each outsourced service is provided and the extent to which the third-party providers rely on cloud service providers for cloud services. The key aspects of supervisory expectations and related good practices covered in the guide are outlined below:
Governance of cloud services. The governance aspect covers practices for pre-outsourcing analysis and emphasizes that responsibility remains with the institution, which must also ensure consistency between its cloud strategy and its overall strategy.
Availability and resilience of cloud services. The focus is on practices related to a holistic perspective on business continuity measures for cloud solutions; proportionate requirements for critical functions; oversight over the planning, establishment, testing, and implementation of a disaster recovery strategy; and assessment of concentration and provider lock-in risks.
ICT security, data confidentiality, and integrity. This aspect addresses practices related to data encryption, data privacy, data residency, classification and inventory of IT assets, and identity and access management policies.
Exit strategy and termination rights. The expectation is to have detailed, granular exit plans, with exit strategies that have clearly defined roles and responsibilities and estimated costs drawn up for all outsourced cloud services performing critical or important functions before those systems go live. Also, the time required to exit should be in line with the transition period indicated in the relevant contractual agreement.
Oversight, monitoring, and internal audits. As stated good practices, banks must ensure that their internal audit functions regularly review the risks of using cloud provider services and must monitor cloud services through a combination of independent experts and their own monitoring tools and processes. Contractual clauses should allow the bank to follow up on ineffective provision or deterioration of services and to seek remedial actions. Institutions could also consider working with other banks to put together a “joint inspection team” for the audit of commonly used cloud service providers.