Esma Guidelines Call for Full Audits of Cloud Providers

The regulator is consulting on outsourcing contract guidance that would give firms and supervisors access to the books and premises of providers.


Clients of cloud service providers (CSPs) such as Amazon Web Services and Microsoft Azure will have to more stringently negotiate contract terms that allow them to supervise the providers’ performance and carry out detailed audits under regulatory guidelines currently out for consultation.

A head of public policy at one investment bank in London says this kind of regulatory guidance—and other consultations, including the European Commission’s Digital Operational Resilience Framework for financial services—will provide clarity around contract terms for both users and providers of technology, and will facilitate easier negotiations over contracts.

“We need to be crystal clear to the cloud providers that we need to have it in our contracts that we have rights to on-site inspection. You can understand that the cloud providers were a bit nervous about that originally, because it’s a new world for them in terms of operating with a heavily regulated industry,” he says.

The European Securities and Markets Authority (Esma) published the consultation on cloud outsourcing on June 3. The draft guidelines map how financial firms and regulators will have to monitor and audit cloud providers. They would require service providers to hand over detailed information about the resilience of their systems, their security, and their performance, as well as where data is located and provisions for personal data protection to the client.

The draft guidelines say that not only firms, but also regulators and national competent authorities will have the right to access and inspect “the books, premises, relevant systems and devices of the cloud service provider to the extent necessary to monitor the CSP’s performance under the cloud outsourcing arrangement and its compliance with the applicable regulatory and contractual requirements”.

Cloud providers, however, have been hesitant to provide access to what they see as—in some cases—intrusive audits, says Douglas Wilbert, managing director of the risk and compliance practice at consulting firm Protiviti in New York.

“If you wanted to go into Amazon’s datacenters and ask, ‘How do they operate? What is the technology? How does the data move? What are your safeguards? What are your secrets?’ Amazon would not be as forthcoming, as, for example, a smaller software-as-a-service provider that a bank is using,” Wilbert says.

Cloud providers are generally secretive about some aspects of their businesses, he says, and until recently there was little regulatory imperative for them to allow broader scrutiny of their systems, controls, and data. But authorities are beginning to focus on the operational risks posed by chain outsourcing and the reliance of the financial services market on a handful of providers.

The major names—notably, in the capital markets space, Azure, AWS, Google Cloud Platform (GCP), and IBM Cloud—command most of the cloud market share in financial services. So individual audits from financial firms are a major consideration for providers.

“Regulators need on-site access and direct access. The problem is, if you are a company that has thousands and thousands of customers, that is logistically quite difficult,” the investment bank’s head of public policy says.

For this reason, these providers have tended to encourage pooled audits. Financial firms already band together to employ third-party providers to carry out pooled audits on the cloud providers, in an attempt to reduce the burden on all parties. Deutsche Börse, for instance, founded a collaborative cloud audit group in 2017, which includes banks and insurance companies, and has performed audits on Azure.

The European Banking Authority’s revised guidelines on outsourcing, published in 2019, allow the use of such audits.

Wilbert says that cloud providers will have to adapt to the regulatory needs of the industry, while financial firms and regulators will have to understand how cloud providers’ businesses work, and there will be growing pains on both sides.

“It’s going to be a struggle to find what that inflection point is, and I don’t think it’s going to be a very easy process for the cloud providers. They have to educate financial regulators, who are not necessarily used to [a cloud provider’s business model], and the cloud providers are not used to the intrusiveness that some of the financial regulators ask for. So it’s going to take time to work itself out,” he says.

The Road to Regulation

The latest guidance from the EU authority outlines the need to identify, address, and monitor the risks and challenges associated with cloud outsourcing. The paper follows other published guidance from regulators, including a joint release of consultation papers by UK regulatory authorities in December, aimed at strengthening the operational resilience of financial services firms and modernizing the regulatory framework on outsourcing and third-party risk management.

Esma’s guidance singles out cloud providers. This is not just because they are critical third-party vendors to some financial firms, says Wilbert, but also because those firms do not directly oversee the physical datacenters, systems, security, and operations in which their data and functions reside.

“As you move your applications and data to the cloud, you can’t touch and feel them; you can’t replace your server. The guy that has the beeper that goes off whenever anything goes wrong is no longer there and they [cloud providers] become, for many, that critical third-party vendor. And the interesting thing there is, they’re not just a critical third-party vendor, there’ll be a critical fourth- and possibly fifth-party vendor if you’re using the software as a service, and you have the same provider for the cloud as your software-as-a-service provider,” he says.

The draft guidelines require financial firms to ensure that their CSPs meet all outsourcing contractual obligations, even if they are sub-outsourcing critical or important functions, or part of them, to a fourth party. The cloud provider must also notify and seek approval from the financial firm for any changes to a sub-outsourcing agreement.

Wilbert says cloud regulation will probably take a two-pronged approach.

“Based upon what I’m seeing from some of the cloud providers and within the industry, the regulators are going to start regulating the cloud providers more, and at the same point in time, they’re going to start pressing the industry to be more cognizant of how they use the cloud,” he says.

Cloud providers fall under the regulation of the EU cyber security legislation, the Network and Information Security Directive, but the head of public policy says there are questions about what direct regulation of the CSPs would look like, and whether it should be specific to the financial services industry.

“The real question is, do you treat them as a financial market infrastructure where they are core to financial services? That is just one vertical, and cloud providers are increasingly used by all areas of the economy. Or do you look at them as a utility? Do you look at them as something that is fundamental to the way the economy runs, or maybe more like telecom networks? So that is the debate,” he says.

Exit Strategies and Lock-ins

Esma’s draft guidelines provide financial firms—smaller ones in particular—with negotiating power to avoid being locked into a contract with one CSP. Regulators worry that in a critical failure of a CSP, clients may be unable to easily port their data to another provider, which would have systemic risk implications for financial firms.

Firms can use the regulator’s advice to negotiate terms that would help them move their activities to another provider, or bring them back in-house, if a CSP were to fail at fulfilling its contractual duties or otherwise meeting expectations.

Wilbert says CSPs will probably be regulated according to the services they support. For example, systems that support the critical functions of systemically important institutions will be the most heavily scrutinized.

“I think the regulator is going to say [to systemically important firms]: You’re going to have a different burden when addressing the cloud than a smaller firm. And part of that may be that if you go down, how can you move to another cloud provider? If that cloud provider goes down, where’s your data? How is your data secured? Where is your replication of data? Where is the personally identifiable information and a whole host of other things?” he says.

Ksenia Duxfield-Karyakina, public policy and government relations manager at Google Cloud, commented that the company already offers insight into its infrastructure, data access, and platform resiliency.

“We continuously engage with the financial services regulators to demonstrate our security, privacy, and transparency commitments and compliance programs,” she says.

AWS and Microsoft Azure did not respond in time for the publication of this story.

The comment period on Esma’s draft guidance closes on September 1, and the regulator aims to publish the final guidelines in Q1 2021.
