October 7, 2019 By Stephanie Schmader 5 min read

A look at the revised EBA Guidelines and how they are beneficial to the adoption of cloud computing and the security and innovation agendas of financial institutions.

With a broad portfolio that includes Analytics, AI, Blockchain, Security, and Cloud, IBM is helping financial institutions worldwide continually meet growing demands to improve their customer experience and innovate to respond to fierce competition. In order to protect the trust financial institutions have built with their customers, employees, and regulators, it is most critical to safeguard and manage their enterprise data and innovate at scale. Additionally, regulatory supervision and guidance in the financial industry are continually evolving.

New European Banking Authority (EBA) Guidelines

In that context, the European Banking Authority (EBA) has recently revised its recommendations on outsourcing arrangements for financial institutions in the EU by issuing new EBA Guidelines. These EBA Guidelines cover information technology outsourcing, including fintech and outsourcing to cloud service providers.

The EBA Guidelines shed light on the controls needed to ensure compliance and provide a harmonized regulatory convergence for financial institutions in the EU in relation to the cloud. These EBA Guidelines echo the European Central Bank’s (ECB) supervisory priorities for 2019, which focus on IT and cyber risks.

In order to stay competitive in a shifting marketplace, outsourcing can be an opportunity for financial institutions to innovate and get relatively easy access to new technologies and to achieve economies of scale. The EBA acknowledges the continued importance of new financial technology providers that are helping lead financial institutions to adopt new business models. With the EBA Guidelines, it is now clear how financial institutions can achieve compliance while leveraging the benefits of the cloud.

IBM plays a vital role in the worldwide finance industry and serves a number of top financial institutions as a trusted advisor. IBM welcomes the revised EBA Guidelines and views them as beneficial to the adoption of cloud computing and the security and innovation agendas of financial institutions. As the revised EBA Guidelines entered into force on September 30, 2019, IBM is committed to assisting our clients with their compliance requirements.

Financial institutions benefit from using IBM Cloud to stay compliant

The following are some of the ways that financial institutions can benefit from using IBM Cloud:

Transparency and ease of contracting in the IBM Cloud

To assist our EU financial institution clients in complying with the EBA Guidelines, IBM has developed an “EBA Cloud Compliance Certificate” to address the EBA Guidelines contractual requirements. Structured to provide full transparency into how IBM Cloud services and contracts align with and help clients meet the requirements in the EBA guidelines, the certificate will make it easier for clients to contract with IBM. EU financial institutions interested in learning more about the EBA Certificate and how to benefit from the IBM Cloud can contact their IBM account teams for further information.

Cloud Compliance Advisory Board

IBM has established a Cloud Compliance Advisory Board (CCAB) for financial institutions that meets on a quarterly basis to discuss individual and global regulatory requirements and address specific issues or concerns. Participating IBM clients can take advantage of additional transparency into how IBM manages the cloud, influence the cloud security roadmap, and access best practices from IBM’s experience working with global financial institutions.

Promontory Financial Group

With deep expertise in financial compliance, Promontory Financial Group, an IBM Company, is helping clients manage and resolve critical issues, particularly those with a regulatory dimension. Promontory professionals provide clients with frank, proactive advice informed by best practices and regulatory expectations.

EBA Guideline key areas

The following are key areas in which IBM can help financial institutions comply with the EBA Guidelines:

  1. Risk assessment: The EBA Guidelines require financial institutions to perform risk assessments on service providers prior to outsourcing and to maintain a register of both EBA regulated and non-regulated outsourced activities.
    IBM’s clear documentation on the technical and organizational measures utilized in the IBM Cloud around data security and privacy helps financial institutions perform their risk assessment when deploying to the cloud. These measures are defined in the Data Security and Privacy Principles for IBM Cloud Services, and additional specifics are covered in each Cloud Service Data Sheet. These documents also provide information about the business continuity plan and the data hosting and data processing locations each IBM Cloud service uses. All of this information is publicly available, simplifying the risk assessment process.
    These security measures are accompanied by independent third-party certifications, demonstrating IBM Cloud compliance program alignment with globally accepted standards.
  2. Right to access and right to audit: The EBA Guidelines provide that financial institutions and competent authorities should ensure they have certain access, inspection, and audit rights related to outsourced services, including sub-outsourcers.
    IBM’s EBA Certificate provides audit and access rights with predefined processes for executing such rights in a way that helps ensure client EBA compliance and protects IBM clients and their data.
  3. Security of the data and systems used: The EBA Guidelines require that outsourcing institutions classify the outsourced functions to determine the appropriate level of governance and security.
    IBM provides a comprehensive set of suggested secure design patterns for all financial institutions to follow in their implementation and use of IBM Cloud services. These design patterns include robust capabilities to safeguard a financial institution’s data and systems to host their most demanding workloads, including: identity and access management, data security, application security, secure DevOps, network security, security monitoring and intelligence, and physical security. IBM and Promontory can empower financial institutions to tailor their own security assessment to best serve their needs and business.
    In addition, IBM Security offers the industry’s first mobile Security Operations Center, capable of traveling onsite for cybersecurity training, preparedness, and response.
  4. Data hosting and processing locations: The EBA Guidelines require that financial institutions that outsource adopt a risk-based approach to data and data processing locations, including legal risks and compliance issues.
    IBM Cloud is resilient, redundant, and highly available for unique workload needs, allowing financial institutions to select their preferred deployment location and deployment model for an IBM Cloud service and be confident that their service and data will remain within the selected location.
  5. Chain outsourcing: EBA Guidelines provide that financial institutions take into account the risks associated with ‘chain’ outsourcing.
    In accordance with this requirement, any sub-outsourcers used by IBM to provide cloud services in IBM Cloud data centers will follow similar obligations as agreed between IBM and the financial institution. Moreover, IBM will require sub-outsourcers with access to customer content to maintain technical and organizational security measures that will enable IBM to meet its obligations for a cloud service.
  6. Contingency plans and exit strategies: The EBA Guidelines require that financial institutions that outsource plan for and implement the continuity of their business and include a right to termination of their contract.
    As explained above, IBM’s Data Security and Privacy Principles for IBM Cloud Services and each Cloud Service Data Sheet provide information about the business continuity plan for particular IBM Cloud services.
    The standard IBM Cloud Services Agreement includes the option to exit an IBM Cloud service if changes to that service cause financial institutions to be noncompliant with applicable laws. At the same time, IBM is prepared to help financial institutions manage the exit to ensure a smooth transition.
  7. Concentration risk: The EBA Guidelines are now putting a strong emphasis on mitigating the risk of becoming dependent on a single cloud service provider.
    With IBM’s next-generation hybrid multicloud platform, our clients can select the best architecture and approach to address the most critical application, data, and workload requirements for their business. IBM’s acquisition of Red Hat is about clients having power through portability. It also creates an opportunity for clients to modernize traditional workloads on an architecture that enables them to run that workload wherever is most efficient for them, including hybrid multicloud environments.

IBM is helping financial institution clients around the world apply technology to core business processes and workflows, infusing their businesses with automation, intelligence, and continuous learning to transform everything from supply chains and HR to finance and operations. It’s clear that continual transformation is the new normal for financial institutions. As their strategic technology partner, IBM is committed to helping them execute on that transformation in tandem with regulations in place.
