Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.


Ambreesh Khanna, Group Vice President and General Manager of Oracle Financial Services

Financial services organizations find themselves in an IT quandary. Tech innovation has long been a hallmark of the industry, with firms embracing the business benefits that it can provide. When it comes to cloud, however, financial services organizations have proceeded cautiously, especially in tapping its power for heavily regulated risk and finance functions.

The skies appear to be clearing thanks to expectations surrounding the recent guidance from the European Banking Authority (EBA) – paving the way for firms to embrace cloud for a growing number of use cases.

In 2017, the European Banking Authority (EBA) issued its long-awaited Draft Recommendations on Cloud Outsourcing, with final guidance expected to follow shortly. The recommendations, once finalized, are expected to clear the way for accelerated cloud solution adoption among financial services institutions.

The recommendations highlight cloud services’ ability to deliver economies of scale, flexibility, and operational efficiencies. They also address the unique challenges that cloud services present and appear to offer guidance and recommendations in five key areas:

  • Data and system security– The EBA updates highlight the importance of data integrity and traceability, offering guidance on how financial institutions should address security when leveraging cloud service providers.Specifically, the report calls for appropriate traceability mechanisms designed to detect malicious attempts to undermine the security of data and systems.
  • Location of data and data processing – The EBA outlines a risk-based approach that includes implementation of adequate controls and measures, such as the use of encryption technologies for data in transit, in memory and at rest. As cloud services providers often operate a geographically dispersed computing infrastructure, the recommendations provide specific requirements for data and data processing locations.
  • Access and audit rights– The report calls attention to the need to contractually secure both the right to audit for institutions and competent authorities and the physical access to the relevant business premises of cloud service providers.
  • Chain outsourcing –Specific requirements were shared by the EBA for mitigating the risks associated with chain outsourcing, where a service provider subcontracts to other providers. There should be transparency as to when subcontracting is permitted, and assurance that the use of subcontractors by a cloud service provider will not affect the services provided under the outsourcing agreement.
  • Contingency plans and exit strategies – The recommendations provide guidance on contractual and organizational arrangements for contingency plans and exit strategies from a cloud service.The outsourcing institution should plan and implement arrangements to maintain the continuity of their business in the event that the provision of services by an outsourcing service provider fails or deteriorates to an unacceptable degree.

Assess, Define, Communicate, and Audit

In addition, the EBA outlines guidance for assessing, defining, and communicating the materiality of cloud services to regulatory organizations. It calls for firms to conduct a formal materiality assessment of risks and controls in using a cloud service. In addition, it suggests that local regulators are to approve each assessment and then regularly audit the cloud service provider for security, controls, and compliance with various privacy laws. Financial institutions may also be required to conduct such audits.

Consolidation with a single cloud services provider can help to mitigate the materiality assessment burden as multiple use cases (such as Basel and liquidity) can be covered thru a single comprehensive assessment and approval process. Fragmentation across different cloud vendors will naturally increase the complexity of this process.

Make A List

With the EBA guidelines nearing completion, financial services organizations will soon have new outline to accelerate their journey to the cloud. We share several of our considerations when selecting a cloud services partner:

  • Does the cloud provider have established security and privacy programs that are re-enforced by independent certifications?
  • Has the provider established a set of rich features to provide security and privacy protections?
  • Can the vendor support risk-based approach that includes implementation of adequate controls and measures, such as the use of encryption technologies for data in transit, data in memory, and data at rest?
  • Do they have confidence in network and computing resources to meet and scale enterprise business demands without impact to availability?
  • Does the provider have the required redundancy and protections at various levels to protect from business impact events such as disasters?
  • Is the provider committed to an experienced security function and is willing to collaborate on security and risk topics with the customer?
  • How does the provider help to support your migration/exit strategy if you decide to change services?
  • Are any of your configurations transportable outside their cloud service? What about core data?
  • Does the vendor offer a complete service lifecycle from production through cloud service / SaaS (single ownership)?
  • Does the vendor support comprehensive audit requirement in terms of right to audit for institutions and competent authorities and ensure physical access to their cloud services operations?

Up, Up, and Away

The EBA Recommendations on Cloud Outsourcing provide the clarity that financial services organizations need to create a comprehensive cloud strategy for their organization. As with any journey, careful planning is essential to success. In developing a migration strategy and choosing a partner, it is important to remain focus on the intended outcomes:  reduced complexity, greater flexibility and agility, lower costs, and better business outcomes.