What are the European Banking Authority Guidelines on Outsourcing and what do they mean for financial services organisations?

What are the European Banking Authority Guidelines on Outsourcing and what do they mean for financial services organisations?

Jeff Axelrad

Worldwide Compliance Lead for Financial Services at Amazon Web Services (AWS)

Jeff Axelrad is the Worldwide Compliance Lead for Financial Services at Amazon Web Services (AWS). He is an experienced global managing director with a demonstrated history of working in the financial services industry. Before joining AWS in March last year, Jeff was with BNY Mellon for eight years, where he acted as the head of regulatory governance for global markets. He has a proven track record of successfully leading and implementing large scale regulatory and compliance projects.

Views 1260

What are the European Banking Authority Guidelines on Outsourcing and what do they mean for financial services organisations?

10.10.2019 12:15 pm

Financial institutions across the globe use AWS to transform the way they do business. It’s exciting to watch our customers in the financial services industry, such as Allianz, Barclays, Goldman Sachs Monzo, Tandem, and Starling Bank, innovate in unique ways, across all geos and use cases. Regulations continue to evolve in this space, and we’re working hard to help customers proactively respond to new rules and guidelines. In many cases, the AWS Cloud makes it easier than ever before for customers to comply with different regulations and frameworks around the world.

In particular, AWS is enabling customers’ compliance with new EU regulatory guidance on how financial institutions should use third-party services, including cloud. New outsourcing guidelines issued by the European Banking Authority (EBA), a financial supervisory authority that develops EU-wide rules, took effect on September 30 and apply to banks, payment institutions, and other types of financial entities.

Risk-based approach

The EBA Guidelines incorporate a risk-based approach that expects regulated entities to identify, assess, and mitigate the risks associated with any outsourcing arrangement. The risk-based approach outlined in the EBA Guidelines is consistent with the long-standing AWS shared responsibility model. This approach applies throughout the EBA Guidelines, including the areas of risk assessment, contractual and audit requirements, data location and transfer, and security implementation.

  • Risk assessment: The EBA Guidelines emphasize the need for EU financial institutions to assess the potential impact of outsourcing arrangements on their operational risk. The AWS shared responsibility model helps customers formulate their risk assessment approach because it illustrates how their security and management responsibilities are defined based on the AWS services they use.
  • Contractual and audit requirements: The EBA Guidelines lay out requirements for the written agreement between an EU financial institution and its service provider, including access and audit rights. For EU financial institutions running regulated workloads on AWS services, we offer the EBA Financial Services Addendum to address the EBA Guidelines’ contractual requirements. We also provide these institutions the ability to comply with the audit requirements in the EBA Guidelines through the AWS Security & Audit Series, including participation in an Audit Symposium, to facilitate customer audits. To align with regulatory requirements and expectations, our EBA addendum and audit program incorporate feedback that we’ve received from a variety of financial supervisory authorities across EU member states. EU financial services customers interested in learning more about the addendum or about the audit engagements offered by AWS can reach out to their AWS account teams.
  • Data location and transfer: The EBA Guidelines do not put restrictions on where an EU financial institution can store and process its data, but rather state that EU financial institutions should “adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations.” Our customers can choose which AWS Regions they store their content in, and we will not move or replicate your customer content outside of your chosen Regions unless you instruct us to do so. Customers can replicate and back up their customer content in more than one AWS Region to meet a variety of objectives, such as availability goals and geographic requirements.
  • Security implementation: The EBA Guidelines require EU financial institutions to consider, implement, and monitor various security measures. Using AWS services, such as AWS Config or AWS Security Hub, customers can meet this requirement in a scalable and cost-effective way while improving their security posture.

As reflected in the EBA Guidelines, it’s important to take a balanced approach when evaluating responsibilities in a cloud implementation. AWS is responsible for the security of the AWS Global Infrastructure. In the EU, we currently operate AWS Regions in Ireland, Frankfurt, London, Paris, and Stockholm, with our new Milan Region opening soon. For all of our data centers, we assess and manage environmental risks, employ extensive physical and personnel security controls, and guard against outages through our resiliency and testing procedures. In addition, independent, third-party auditors test more than 2,600 standards and requirements in the AWS environment throughout the year.

Conclusion

We encourage customers to learn about how the EBA Guidelines apply to their organization. Our teams of security, compliance, and legal experts continue to work with our EU financial services customers, both large and small, to support their journey to the AWS Cloud.

 

Latest blogs

Dr Nicolai Baldin Synthesized

Big Data doesn’t need to be big, or daunting

Collecting and collating customer information in order to create new, or enhanced products and services is a strategy as old as business itself, but the process involved has always been a huge time and resource drain for companies. Yet in the Read more »

Kim Fournais Saxo Bank

Spread of Coronavirus reveals vulnerabilities and excessive risk in the global economy

Right now, we are seeing some very worrying trends in global financial markets, and I am truly concerned about where we are heading. The spread of coronavirus strikes fear into the markets and reveals that the recent bull years are built on a very Read more »

Steve Villegas PPRO

Where in the world is payments innovation? LATAM

When you think of the word innovation, many different concepts and places come to mind. You may think of high-speed rail transit in Japan or Elon Musk’s Hyperloop. But, while the world is focused on these established regions, several countries Read more »

Marine Le Picard Ingenico Group

Ingenico is taking a new approach to payment transactions for a more sustainable and inclusive growth

How can payment solutions be changed into a driver of sustainable development and corporate social responsibility? While more and more companies in the retail sector are adopting solidarity rounding, allowing customers to make micro-donations when Read more »

Thomas Pintelon Capilever

Are credits not too commoditized?

Since 1 July 2007, the Belgian electricity market has been liberalized. While in the first years, only few consumers switched electricity provider, this has reached a new high this year. Incumbent providers are still trying to convince Read more »

Magazine
ALL
Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App
Financial It Youtube channel