Cloud: EBA encourages banks to pool their resources for cloud audits
The European Banking Authority (EBA) has made clear that banks are no longer required to provide their auditors (or themselves) with an independent right to audit their cloud service providers.
Historically, regulations have dictated that when a bank engages in a “material” outsourcing, it must guarantee that it (or its auditors) and its regulators have rights to physically access the premises of cloud service providers.
However, on 17 May 2017, the EBA released guidance that adds nuance to the audit rights a bank must obtain from cloud service providers in order to be compliant. Specifically, the guidance distinguishes between the access and audit rights banks have to provide for themselves (or their auditors) and the access and audit rights banks have to obtain for regulators.
The EBA has stated that, rather than conducting their own audit, banks may participate in “pooled audits performed jointly with other clients of the same cloud service provider” to “decrease the organisational burden both to clients and to the cloud service provider”. As an alternative, banks may rely on “third party certifications and third party or internal audit reports made available by the cloud service provider”, provided that they are “in line with recognised standards” and the bank is satisfied with the capabilities of the “certifying or auditing party”. If a bank does rely on this alternative, it must also have a contractual right to request the “expansion of scope of the certifications or audit reports to some systems and/or controls which are relevant”.
On the other hand, banks must continue to guarantee that national regulators (such as the FCA) have “full access rights” to the head office and operations of any outsourced cloud service providers, including “the full range of devices, systems, networks and data used for providing the services to the outsourcing institution”.
Why is this important?
The guidance provides cloud service providers with alternative solutions to granting banks physical access to their premises and systems for audit purposes. If this guidance is accepted and becomes the new “normal”, it will undoubtedly change the way audit provisions are negotiated. However, diving into the audit pool is not an option for regulators, who will still have to be granted physical access rights.