European Commission Newsroom

Outsourcing to the cloud

What are the opportunities – and challenges – for financial institutions using cloud service providers? And what is the EU doing in this area?

Date: 31/07/2018

Over the past few years, technological developments have drastically changed the way banks and other financial services firms operate and deliver their services. In a progressively more data-driven financial sector, outsourcing of data storage and processing to the cloud is a business option that is having a significant impact. Outsourcing to a third-party provider is not new. But outsourcing to the cloud offers a number of clear benefits over in-house IT solutions. First and foremost, the cloud allows a financial institution to avoid heavy, cyclical investments in hardware and software. The service provider can tailor what they offer to meet the bank's or insurance company's needs as they change over time. The service provider can also deal with IT maintenance, which allows the business to stay focused on its core activities, such as customer service and communication. Furthermore, the cloud offers a higher level of security, which helps guarantee business continuity and back-up options.

Benefits… but also challenges

However, there are a number of obstacles to cloud adoption. On the business side, there is a lack of clarity about regulatory expectations covering access to data, auditing rights, security, data location and the nature of the activities which can be outsourced. This is true both for cloud service providers, and for financial institutions – and for the latter there is the added concern of the lack of flexibility when moving from one vendor to another. Lack of information and understanding can act as a disincentive, and supervisory guidance and simplified compliance procedures could help improve this situation. From the supervisory point of view, the main challenge is the need for a deep understanding of the technology: risk assessment requires expertise, which can be obtained by upskilling and working closely with both cloud service providers and banks.

The EU is closely following developments in this area and taking policy action where necessary. In December 2017, the European Banking Authority (EBA) published a set of recommendations (applicable since 1 July 2018) on outsourcing to cloud service providers. These recommendations came in response to an increased interest in this kind of outsourcing and followed guidelines published in 2006 by the Committee of European Banking Supervisors (CEBS). The EBA has included the recommendations in its 'Single Rulebook Q&A' tool (which is aimed at industry) and is also planning a workshop in London in October 2018.

Meanwhile, the European Securities and Markets Authority (ESMA) – in its role as direct supervisor for credit rating agencies and trade repositories – is exploring these issues. Over the course of 2018, it intends to clarify which requirements these firms have to comply with when outsourcing to cloud services. The European Insurance and Occupational Pensions Authority (EIOPA) is also exploring the use of outsourcing to cloud services providers in the InsurTech area.

Resolving remaining obstacles

The European Commission’s proposal of June 2018 for a regulation on the free flow of non-personal data in the EU aims to remove unjustified data localisation restrictions and therefore tackle one of the main obstacles to cloud outsourcing which has been identified. The proposal also seeks to make the European market for cloud services more competitive, specifically addressing the problem of 'vendor lock-in' – where a customer is made dependent on a vendor for products and services. It will do this by requiring cloud service providers to develop self-regulatory codes of conduct in cooperation with business users of cloud services.

Codes of conduct also figure in the Commission's FinTech action plan, which was adopted in March 2018. According to the action plan, over the course of 2018 the Commission will gather relevant stakeholders – including cloud users from the financial industry – to join in the self-regulatory process with cloud providers. The financial sector will therefore play a key role in this cross-sectoral effort to develop codes of conduct to facilitate data portability and switching between cloud service providers.

Meanwhile, the Commission has dedicated the first meeting of the EU FinTech Lab to cloud outsourcing. The Lab offers an opportunity for supervisors to get hands-on training and a deeper understanding of the technologies that are transforming financial services. The first meeting took place on 20 June 2018, with the aim of giving supervisors a neutral space for exchanging views and information with technology providers and EU institutions.

Read more on cloud outsourcing and the work of the EBA in this area