Clément Pellegrini
CTO

How are the EBA recommendations on outsourcing to public clouds an opportunity for the banking industry ?

March 30, 2018 - Finance

On December 2017, the European Banking Authority, or EBA, released a series of recommendations for financial institutions regarding outsourcing to cloud service providers. As a firm believer in the opportunities of cloud services for the banking industry, Qarnot understands these regulatory measures and believes a clear regulatory framework will encourage financial institutions to make the final leap towards cloud services.

 

What is the context behind this report?

Today, financial institutions face 2 challenges : the sharp increase in regulatory reportings and calculation and the need to improve the profitability of their businesses. Cloud outsourcing is seen as a way to reduce these costs and the demand is growing around the globe.

However, up to now, resorting to cloud providers was not an easy task for these institutions, restrained by the absence of up to date regulatory framework and lack of harmonized practices.

First attempts were made to address these issues by CEBS guidelines in 2006 and 2011 but their regulatory uncertainty on topics as crucial as data security, confidentiality, reputational and operational risks, has created market inefficiency.

The EBA’s recommendations in December 2017 set a concrete framework to clarify regulatory expectations regarding cloud outsourcing and allow financial institutions to fully grasp the benefits of cloud technologies such as the ones offered by Qarnot for distributed computing.

 

8 recommendations for cloud outsourcing

They were established to complete the initial guidelines and to set a clearer framework for financial and banking institutions wishing to outsource all or part of their activities to the cloud. We see this step taken by EBA as a way to facilitate cloud projects within financial institutions.

1) Materiality assessment: the criticality and risk profile of the outsourced activity in addition to potential disruption on revenue prospects must be clearly listed and identified

2) Obligation to properly inform the competent authorities on the nature and conditions of the outsourcing: the scope of information required is wider and a register should be held.

3) Access and audit rights for both institutions and competent authorities: a written agreement should be established in which the provider agrees to give right of access (to its business premises and to the full range of devices or systems used in the outsourcing process), to the institution, its auditor or any third party appointed for this matter.

4) Specifications regarding the right of access: the exercise of this right of access should be preceded by a notification prior the onsite visit and the cloud provider is expected to fully cooperate with the competent authority, the institution or its auditor.

5) Security of data and systems: in keeping with previous CEBS guidelines, the confidentiality, quality, performance, and security of the information transmitted by the institution to the cloud provider should be specified in writing in outsourcing contracts and service level agreements. Qarnot has set up a high level of encryption for any data transiting on its platform to guarantee an appropriate level of protection, integrity and traceability.  

6) Location of data and data processing: the EBA insists on the special attention that should be paid to location considerations when outsourcing to a cloud provider. Legal risks and compliance issues should be assessed regarding the countries where data is provided and stored and treated accordingly. Qarnot is fully in line with this recommendation since all of the data accessed by the platform is stored in France, respectfully to French legislation.

7) Chain outsourcing: when a cloud provider subcontracts part of his service to another provider, the institution should only agree to subcontractors if they respect the same obligations as initial cloud service providers. Qarnot does not outsource any of its computing services to guarantee the full security and compliance of its activity. To address seasonality issues, we have developed strategic partnerships and are working on a computing boiler based on the same concepts as the QH-1 computing heater.

8) Contingency plans and exit strategies: The outsourcing institution should define and implement a plan to guarantee the continuity of its activity or an exit management clause allowing the transfer of the activity to another cloud provider or the reintegration of the activity.The level of support offered by the cloud providers during this transition phase should be evaluated beforehand. At Qarnot, no data is stored in our servers and our technical architecture is simple and replicable on internal servers, meaning financial institutions can easily reintegrate the outsourced activity in case of exit decision.

 

Why Qarnot Computing as cloud provider?

Qarnot is a cloud computing provider offering ready-to-use, pay-as-you-go SaaS and PaaS accessible via a REST API and/or a web application. Qarnot offers batch processing, reserved or on-demand, in parallel and at scale for applications such as risk analysis in finance.

Since 2017, Qarnot operates 5000 computing cores, representing a heating capacity of 200MW. In the banking industry, Qarnot was recognized by major actors such as BNP Paribas, which decided in 2015 to switch 5% of its risk calculations on Qarnot’s platform. More than 8000 additional cores will be deployed before end of 2018.

Hybrid by design, Qarnot can dynamically and securely distribute computations across different infrastructures: ours, public and/or private cloud. Qarnot integrates state-of-the-art security modules for encryption and authentication for an end-to-end protection of clients’ data.

Qarnot is about 3 times cheaper than major cloud computing providers, and reduces the carbon footprint of computation by 75% thanks to its distributed infrastructure where computing power is no longer concentrated in data centres, but distributed throughout the city in the form of heating solutions. By avoiding data centre costs related to infrastructure, maintenance and cooling, Qarnot offers inexpensive computing power, strengthening the CSR policy of the banking industry leaders who have put sustainability as a pillar of their strategy.

___

Want to learn more about us? Follow this link!

Do you have specific needs or want to know more? Follow this one.

Try it for free, here!

Share on networks