The brief of bank operational risk managers is changing rapidly. Where once they spent their days fretting about internal systems, now they face a galaxy of potential points of failure and back doors for cyber attackers across thousands of third-party service providers. And regulators have made it increasingly clear that banks cannot delegate responsibility without maintaining a strict level of oversight.
In its latest guidelines on outsourcing, the European Banking Authority (EBA) requires banks, payment companies and certain investment firms to do more than ever before to vet their suppliers. Some argue complying will be no easy task and may even threaten the survival of existing arrangements in certain cases.
“These regulations have been brought in because there are significant risks that the industry needs to manage and it is not doing it well enough,” says Guy Warren, chief executive of software vendor ITRS Group. “What the regulator is saying is … ‘You need to decide what you can outsource profitably with the necessary supervision. If it’s going to cost you too much money to outsource, you shouldn’t be doing it.’”
Worries centre on a requirement concerning providers of “critical or important” functions. The guidelines state that financial and payment firms should ensure those vendors grant them full access to their business premises, including systems and data, as well as unrestricted audit rights related to the outsourcing arrangement.
Two sources point out that cloud providers, which service a growing number of banks, are particularly unlikely to give their customers such latitude.
If firms manage to obtain the access and audit rights from their outsourcers, solving one problem, they will acquire another: the bureaucracy and expense of auditing. They could make their life easier by clubbing together with competitors to carry out pooled audits – as Deutsche Börse has recently agreed with Microsoft. Firms could also use third-party certifications or audit reports, although the guidelines say they should not rely solely on these.
In what some see as the most radical aspect of the guidelines, they apply not just to third-party vendors but also to intragroup arrangements, where a subsidiary of a larger financial group outsources service provision to another part of the same group. Such existing contracts are not as robust as those drawn up with external suppliers and will require the biggest overhaul.
For others, the biggest changes lie elsewhere. BNP Paribas, for example, singles out stricter checks of subcontractors and greater focus on concentration risk posed by outsourcing multiple services to the same provider or by outsourcing important functions to one of a few dominant suppliers, meaning the supplier cannot be easily replaced if it fails.
Can I have a look around?
The new rules are part of a broader push by financial regulators around the world to strengthen firms’ operational resilience. The term comes up in the EBA guidelines and refers to the ability of firms and the financial system as a whole to absorb and adapt to shocks, to borrow the Bank of England’s definition.
Later this year, the central bank plans to publish a consultation paper on its proposed new policies in this area. Speaking in May, Nick Strange, the BoE’s director of supervisory risk specialists, said the bank’s approach will be to focus on continuity of important business services in the event of disruption.
On the global level, the Basel Committee on Banking Supervision set up the Operational Resilience Working Group in 2018 in order to contribute to national and international efforts to improve cyber risk management, among other things.
“Since breaches will inevitably occur regardless of the level of protection, the risk management approach … should also address how to respond, recover and learn from any breach,” the committee said in the document announcing the creation of the working group.
“This kind of contingency and continuity planning implies that a firm’s systems be mapped according to their criticality, and that a risk appetite be defined for the firm’s assets and businesses against relevant metrics. Such an approach also applies to operational disruptions from causes other than a cyber attack – for example, natural catastrophe or failure of a critical third-party service provider.”
The distinction between critical and less important functions is repeated in the EBA guidelines, which update European banking rules on outsourcing issued in 2006 and incorporate the EBA’s December 2017 recommendations on outsourcing to cloud providers. An operational function is deemed critical or important if its failure would “materially impair” a firm’s compliance with its obligations, or its services or financial performance.
If such a function is outsourced, the guidelines require financial firms to negotiate the extensive rights of access and audit in contract talks with their providers. For the outsourcing of less important functions, firms are meant to ensure the access and audit rights where warranted.
Duncan Pithouse, intellectual property and technology partner at law firm DLA Piper, says outsourcers have traditionally been reluctant to give their clients the degree of access mandated by the guidelines and firms have had to make compromises – for example, accepting limited access rights to premises that deliver shared services.
He adds that cloud providers have been particularly challenging to negotiate with, with many even refusing to tell firms where data services are located.
Charles Forde, who oversees third-party risk at UBS, echoes that, saying: “The [main] cloud providers are very clear they’re not going to allow every bank to come in and walk around their data centres.”
Big cloud providers are probably cagey because they service hundreds of firms and would rather keep disruptive inspections to a minimum.
In a survey of banks in Europe conducted in late 2017, 55% of respondents were already using public cloud services or were aware that another part of their bank was using such services. The cloud industry is dominated by three providers: Amazon Web Services, Microsoft Azure and Google Cloud. Between them, they hold 58% of the global market, according to estimates by technology consultancy Canalys.
Some say financial companies would find it easier to negotiate with their suppliers if the EBA guidelines included standard clauses to be inserted into contracts. But, despite requests, no such clauses have been included. An EBA spokesperson says it is not the regulator’s job to do this, noting that it is up to institutions to evaluate and manage the relationships they have with service providers.
Shortcuts and workarounds
Firms may be able to overcome outsourcers’ resistance or, at least, reduce the burden of scrutinising multiple vendors if they organise audits together with other clients of the same vendor.
This is, for instance, what Deutsche Börse agreed with Microsoft earlier this year when it struck a deal to use Microsoft’s cloud services. Deutsche Börse will examine the technology company via regular pooled audits performed by a so-called collaborative cloud audit group, which was set up in 2017 and includes large European Union banks and insurers.
“Performing such audits as a group has a lot of advantages,” says Michael Girg, chief cloud officer at Deutsche Börse. “You can make use of the diverse experience of the participating internal auditors of the respective financial institutions and save resources on both sides. The CSP [cloud service provider] only needs to host one audit at a time, and the participants can decrease the costs.”
However, the exchange group has also secured the right to audit Microsoft individually, he notes, declining to provide further details.
Forde at UBS wants to see more collaboration between firms, arguing there is no competitive advantage to taking different approaches on things like the auditing of cloud companies. For example, the financial industry could come up with a standard list of questions for cloud providers, which could be supplemented with additional, company-specific questions, he says.
Firms can already use utilities such as TruSight and KY3P, set up by two different groups of big banks, to vet vendors. Each in its own way, the platforms gather information on providers and make it available to customers.
Vendors themselves can help, too, by providing third-party or internal audit reports, as allowed by the guidelines.
For instance, Microsoft gives clients access to regular third-party audits, which cover controls for data security, availability, processing integrity, and confidentiality.
But such external stamps of approval do not let financial firms off the hook entirely. The EBA document says they can use external certifications and audit reports, as well as pooled audits, “without prejudice to their final responsibility regarding outsourcing arrangements”. When it comes to the outsourcing of critical or important functions, the EBA introduces another restriction, stating that financial companies should not rely solely on third-party certifications and reports “over time”.
A financial industry lobbyist flags a lack of clarity in the restriction: “How long can I rely on them? And how often? Every three years? Ten years?”
The burden of stricter rules on outsourcing is compounded by their extension to intragroup arrangements.
The industry tends to view outsourcing to a provider within the same group as less risky because firms should be able to influence internal providers more than they could with suppliers outside the group.
The EBA disagrees with the industry’s conclusion, though not with its reasoning. Its guidelines say that, when outsourcing within the same group, financial companies “may have a higher level of control over the outsourced function, which they could take into account in their risk assessment”.
Mark Kell, a banking director at Deloitte, says smaller UK banks face a steeper climb to implement the intragroup guidelines than their larger peers because, until now, they have been under less pressure to document their intragroup service arrangements. For example, banks with more than £10 billion ($13 billion) in assets have already started documenting critical services and their provision under UK “operational continuity in resolution” rules.
But large financial institutions, too, have some way to go to be fully compliant.
Amit Lakhani, a senior executive in IT and third-party risk management at BNP Paribas, reckons the bank has around 60% of the requirements in place, noting that the main areas that need more work are the bank’s subcontracting arrangements and concentration risk analysis.
Among a number of new rules on using subcontractors, one states that financial firms can allow their service provider to outsource the provision of an important function only if the subcontractor grants it the same access and audit rights as those granted by the first outsourcer. According to another rule, before entering into an outsourcing arrangement, firms should assess the associated risk, and suboutsourcing of important functions should be part of the risk assessment.
“In my view, for many legacy arrangements with third parties, the contracts never had the subcontracting clauses or conditions in place,” says Lakhani. “This implies that we do not have leverage to ask our third parties to provide data on their subcontractors or the control framework they have in place to manage their own third parties – subcontractors for us – in many cases… In addition, with data protection laws it becomes much more difficult to get confirmation from our third parties to attest that data is only within certain geographical perimeters.”
On concentration risk, Lakhani says: “While we have been closely monitoring our critical outsourcing relationships, concentration risk was never a key driver of this work.”
At least with the second type of concentration risk – stemming from outsourcing important functions to one of a few dominant suppliers – regulators may soon give firms a helping hand.
In April, the EU’s top financial supervisors, including the EBA, asked the European Commission to consider legislating for an oversight framework for critical providers of IT services, mentioning specifically concentration and systemic risks. “This [framework] will be particularly relevant in the near term for cloud service providers,” the three bodies said in a joint paper.
Risk.net asked Amazon, Google, Microsoft and Cispe, a trade body representing cloud providers in Europe, what they thought of the proposal, as well as for their views on the EBA guidelines. Microsoft declined to comment, Cispe and Google did not respond, while a spokesperson for Amazon Web Services said: “AWS is fully committed to helping our customers achieve compliance with the EBA outsourcing guidelines, where applicable and as they pertain to their use of AWS services.”
The new rules apply from September 30, 2019, although there is a transitional period for existing contracts until the end of 2021. In addition, if firms are unable to review their outsourcing arrangements for important functions by the end of 2021, they will have to outline a plan of action to their national supervisors.
Editing by Olesya Dmitracova