A look at the revised EBA Guidelines and how they are beneficial to the adoption of cloud computing and the security and innovation agendas of financial institutions.
With a broad portfolio that includes Analytics, AI, Blockchain, Security, and Cloud, IBM is helping financial institutions worldwide meet growing demands to improve their customer experience and innovate in response to fierce competition. To protect the trust financial institutions have built with their customers, employees, and regulators, they must safeguard and manage their enterprise data while innovating at scale. At the same time, regulatory supervision and guidance in the financial industry continue to evolve.
New European Banking Authority (EBA) Guidelines
In that context, the European Banking Authority (EBA) has recently revised its recommendations on outsourcing arrangements for financial institutions in the EU by issuing new EBA Guidelines on outsourcing arrangements. These EBA Guidelines cover information technology outsourcing, including fintech and outsourcing to cloud service providers.
The EBA Guidelines set out the controls financial institutions need in order to comply and harmonize supervisory expectations across the EU for the use of cloud services. They echo the European Central Bank's (ECB) supervisory priorities for 2019, which focus on IT and cyber risks.
In order to stay competitive in a shifting marketplace, financial institutions can use outsourcing as an opportunity to innovate, gain easier access to new technologies, and achieve economies of scale. The EBA acknowledges the continued importance of new financial technology providers that are helping financial institutions adopt new business models. With the EBA Guidelines, financial institutions have a clearer path to achieving compliance while leveraging the benefits of the cloud.
IBM plays a vital role in the worldwide finance industry and serves a number of top financial institutions as a trusted advisor. IBM welcomes the revised EBA Guidelines and views them as beneficial to the adoption of cloud computing and to the security and innovation agendas of financial institutions. The revised EBA Guidelines apply from September 30, 2019, and IBM is committed to assisting clients with their resulting compliance requirements.
Financial institutions benefit from using IBM Cloud to stay compliant
The following are some of the ways that financial institutions can benefit from using IBM Cloud:
Transparency and ease of contracting in the IBM Cloud
To assist our EU financial institution clients in complying with the EBA Guidelines, IBM has developed an "EBA Cloud Compliance Certificate" that addresses the contractual requirements of the EBA Guidelines. The certificate is structured to provide full transparency into how IBM Cloud services and contracts align with, and help clients meet, the requirements in the EBA Guidelines, and it makes it easier for clients to contract with IBM. EU financial institutions interested in learning more about the EBA Cloud Compliance Certificate and how to benefit from IBM Cloud can contact their IBM account teams.
Cloud Compliance Advisory Board
IBM has established a Cloud Compliance Advisory Board (CCAB) for financial institutions that meets on a quarterly basis to discuss individual and global regulatory requirements and address specific issues or concerns. Participating IBM clients can take advantage of additional transparency into how IBM manages the cloud, influence the cloud security roadmap, and access best practices from IBM’s experience working with global financial institutions.
Promontory Financial Group
With deep expertise in financial compliance, Promontory Financial Group, an IBM Company, is helping clients manage and resolve critical issues, particularly those with a regulatory dimension. Promontory professionals provide clients with frank, proactive advice informed by best practices and regulatory expectations.
EBA Guideline key areas
The following are key areas in which IBM can help financial institutions comply with the EBA Guidelines:
- Risk assessment: The EBA Guidelines require financial institutions to perform risk assessments on service providers before outsourcing and to maintain a register of all outsourcing arrangements, covering both critical or important functions and other outsourced activities. IBM's documentation of the technical and organizational measures used in IBM Cloud for data security and privacy helps financial institutions perform this risk assessment when deploying to the cloud. These measures are defined in the Data Security and Privacy Principles for IBM Cloud Services, and service-specific details are covered in each Cloud Service Data Sheet. These documents also describe the business continuity plan and the data hosting and data processing locations each IBM Cloud service uses. All of this information is publicly available, which simplifies the risk assessment. The security measures are backed by independent third-party certifications demonstrating that the IBM Cloud compliance program aligns with globally accepted standards.
- Right to access and right to audit: The EBA Guidelines provide that financial institutions and competent authorities should have effective access, inspection, and audit rights over outsourced services, including those of sub-outsourcers. IBM's EBA Cloud Compliance Certificate provides audit and access rights with predefined processes for exercising them, in a way that supports client EBA compliance while protecting IBM clients and their data.
- Security of the data and systems used: The EBA Guidelines require outsourcing institutions to classify outsourced functions, in particular as critical or important, to determine the appropriate level of governance and security. IBM provides a comprehensive set of suggested secure design patterns for financial institutions to follow in their implementation and use of IBM Cloud services. These design patterns cover the capabilities needed to safeguard a financial institution's data and systems for its most demanding workloads: identity and access management, data security, application security, secure DevOps, network security, security monitoring and intelligence, and physical security. IBM and Promontory can help financial institutions tailor their own security assessment to their needs and business. In addition, IBM Security offers the industry's first mobile Security Operations Center, which can travel onsite for cybersecurity training, preparedness, and response.
- Data hosting and processing locations: The EBA Guidelines require financial institutions that outsource to adopt a risk-based approach to data and data processing locations, taking into account legal risks and compliance issues. IBM Cloud is resilient, redundant, and highly available, and it lets financial institutions select the deployment location and deployment model for each IBM Cloud service with confidence that the service and its data will remain within the selected location.
- Chain outsourcing: The EBA Guidelines provide that financial institutions take into account the risks associated with "chain" outsourcing. In line with this requirement, any sub-outsourcers IBM uses to provide cloud services in IBM Cloud data centers are bound by obligations similar to those agreed between IBM and the financial institution. Moreover, IBM requires sub-outsourcers with access to customer content to maintain technical and organizational security measures that enable IBM to meet its obligations for the cloud service.
- Contingency plans and exit strategies: The EBA Guidelines require financial institutions that outsource to plan for and implement the continuity of their business and to retain the right to terminate their contract. As explained above, IBM's Data Security and Privacy Principles for IBM Cloud Services and each Cloud Service Data Sheet provide information about the business continuity plan for a particular IBM Cloud service. The standard IBM Cloud Services Agreement includes the option to exit an IBM Cloud service if changes to that service would cause a financial institution to be noncompliant with applicable laws. IBM is also prepared to help financial institutions manage the exit to ensure a smooth transition.
- Concentration risk: The EBA Guidelines place a strong emphasis on mitigating the risk of becoming dependent on a single cloud service provider. With IBM's hybrid multicloud platform, clients can select the architecture and approach that best addresses their most critical application, data, and workload requirements. IBM's acquisition of Red Hat gives clients portability, and it creates an opportunity to modernize traditional workloads on an architecture that lets them run each workload wherever is most efficient, including hybrid multicloud environments.
IBM is helping financial institution clients around the world apply technology to core business processes and workflows, infusing their businesses with automation, intelligence, and continuous learning to transform everything from supply chains and HR to finance and operations. Continual transformation is the new normal for financial institutions. As their strategic technology partner, IBM is committed to helping them execute that transformation in step with the regulations in place.