EU Banking Authority distrusts cloud service providers

The EU Banking Authority (EBA) has warned financial institutions moving to the cloud that possible risks can arise including vendor-locking; lack of trust in data security and privacy; loss of governance; and uncertainty regarding cloud service providers (CSPs).

“Trust is important for institutions, and a possible reason for being cautious towards cloud computing, as concerns could arise when sensitive data and critical applications move to a cloud computing setup where CSPs may not be able to guarantee the effectiveness of security and privacy controls, because services are delivered from multiple jurisdictions or there may be uncertainty over the jurisdiction where the data is held, given that many large CSPs operate in multiple jurisdictions with potentially fungible data centres,” commented EBAs report.

Governance & compliance

According to the report, the pricing of CSP services could have implications for institutions’ business risk where sufficient knowledge is important to determine the complete cost of the service. The maintenance and follow-up of such an outsourced service could also affect the pricing, along with the institutions’ internal costs around the area of governance, compliance and information security.

The report continued: “In an outsourcing environment, such as the provision of public cloud services by a global CSP, the issue of transparency on chain outsourcing is another area to be taken into consideration. For example, the use of subcontractors from a high-risk area/country could negatively affect the wider operational risk and reputation risk of the institution.

ICT outsourcing risks

“Moreover, the institution’s competence insufficiently controlling the technological infrastructure used by a CSP could affect the ICT outsourcing risk of the institution. Therefore, the necessary skills and resources to adequately monitor these outsourced activities would become even more important.”

Nevertheless, according to EBA, the cloud computing approach could potentially speed up deployment while maintaining flexibility. Although this capability may mean that, as demand changes, it will not require adjustments in infrastructures to accommodate the changes.

The report also highlights the prudential risks and opportunities arising for institutions from fintech alongside other technologies such as big data, machine learning and blockchain.

Written by Leah Alger