What are the European Banking Authority Guidelines on Outsourcing and what do they mean for financial services organisations?

Jeff Axelrad

Worldwide Compliance Lead for Financial Services at Amazon Web Services (AWS)

Jeff Axelrad is the Worldwide Compliance Lead for Financial Services at Amazon Web Services (AWS). He is an experienced global managing director with a demonstrated history of working in the financial services industry. Before joining AWS in March last year, Jeff was with BNY Mellon for eight years, where he acted as the head of regulatory governance for global markets. He has a proven track record of successfully leading and implementing large scale regulatory and compliance projects.

10.10.2019 12:15 pm

Financial institutions across the globe use AWS to transform the way they do business. It’s exciting to watch our customers in the financial services industry, such as Allianz, Barclays, Goldman Sachs, Monzo, Tandem, and Starling Bank, innovate in unique ways, across all geographies and use cases. Regulations continue to evolve in this space, and we’re working hard to help customers proactively respond to new rules and guidelines. In many cases, the AWS Cloud makes it easier than ever before for customers to comply with different regulations and frameworks around the world.

In particular, AWS is enabling customers’ compliance with new EU regulatory guidance on how financial institutions should use third-party services, including cloud. New outsourcing guidelines issued by the European Banking Authority (EBA), a financial supervisory authority that develops EU-wide rules, took effect on September 30 and apply to banks, payment institutions, and other types of financial entities.

Risk-based approach

The EBA Guidelines incorporate a risk-based approach that expects regulated entities to identify, assess, and mitigate the risks associated with any outsourcing arrangement. The risk-based approach outlined in the EBA Guidelines is consistent with the long-standing AWS shared responsibility model. This approach applies throughout the EBA Guidelines, including the areas of risk assessment, contractual and audit requirements, data location and transfer, and security implementation.

  • Risk assessment: The EBA Guidelines emphasize the need for EU financial institutions to assess the potential impact of outsourcing arrangements on their operational risk. The AWS shared responsibility model helps customers formulate their risk assessment approach because it illustrates how their security and management responsibilities are defined based on the AWS services they use.
  • Contractual and audit requirements: The EBA Guidelines lay out requirements for the written agreement between an EU financial institution and its service provider, including access and audit rights. For EU financial institutions running regulated workloads on AWS services, we offer the EBA Financial Services Addendum to address the EBA Guidelines’ contractual requirements. We also provide these institutions the ability to comply with the audit requirements in the EBA Guidelines through the AWS Security & Audit Series, including participation in an Audit Symposium, to facilitate customer audits. To align with regulatory requirements and expectations, our EBA addendum and audit program incorporate feedback that we’ve received from a variety of financial supervisory authorities across EU member states. EU financial services customers interested in learning more about the addendum or about the audit engagements offered by AWS can reach out to their AWS account teams.
  • Data location and transfer: The EBA Guidelines do not put restrictions on where an EU financial institution can store and process its data, but rather state that EU financial institutions should “adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations.” Our customers can choose which AWS Regions they store their content in, and we will not move or replicate their customer content outside of their chosen Regions unless they instruct us to do so. Customers can replicate and back up their customer content in more than one AWS Region to meet a variety of objectives, such as availability goals and geographic requirements.
  • Security implementation: The EBA Guidelines require EU financial institutions to consider, implement, and monitor various security measures. Using AWS services, such as AWS Config or AWS Security Hub, customers can meet this requirement in a scalable and cost-effective way while improving their security posture.

As reflected in the EBA Guidelines, it’s important to take a balanced approach when evaluating responsibilities in a cloud implementation. AWS is responsible for the security of the AWS Global Infrastructure. In the EU, we currently operate AWS Regions in Ireland, Frankfurt, London, Paris, and Stockholm, with our new Milan Region opening soon. For all of our data centers, we assess and manage environmental risks, employ extensive physical and personnel security controls, and guard against outages through our resiliency and testing procedures. In addition, independent, third-party auditors test more than 2,600 standards and requirements in the AWS environment throughout the year.

Conclusion

We encourage customers to learn about how the EBA Guidelines apply to their organization. Our teams of security, compliance, and legal experts continue to work with our EU financial services customers, both large and small, to support their journey to the AWS Cloud.
