Deutsche Börse Group Response


Deutsche Börse Group Response to EBA/CP/2017/06 "Draft recommendations on outsourcing to cloud service providers under Article 16 of Regulation (EU) No 1093/2010", published for consultation on 18 May 2017

Eschborn, 16 August 2017

Contact: Marija Kozica
Telephone: +49 (0) 69 211-17178
Telefax: +49 (0) 69 211-13315
Email: marija.kozica@deutsche-boerse.com

A. Introduction

Deutsche Börse Group (DBG) welcomes the opportunity to comment on the EBA consultative document "Draft recommendations on outsourcing to cloud service providers under Article 16 of Regulation (EU) No 1093/2010", published on 18 May 2017.

DBG operates in the area of financial markets along the complete chain of trading, clearing, settlement and custody for securities, derivatives and other financial instruments and, as such, acts as a provider of highly regulated financial market infrastructures. Among others, Clearstream Banking S.A., Luxembourg and Clearstream Banking AG, Frankfurt/Main, acting as (I)CSD [1], as well as Eurex Clearing AG as a leading European Central Counterparty (CCP), are authorised as credit institutions within the meaning of point 1 of Article 4 (1) of the Capital Requirements Regulation (CRR). Moreover, the Clearstream subgroup is supervised on a consolidated level as a financial holding group, while Eurex Repo GmbH, Eurex Bonds GmbH and 360 Treasury Systems AG are operators of multilateral trading facilities (MTFs) and classify as CRR investment firms according to point 2 lit. c of Article 4 (1) CRR. Classifying as institutions within the meaning of point 3 of Article 4 (1) CRR, the aforementioned entities of DBG fall within the scope of these draft recommendations.

As operational reliability, data availability and a high degree of data integrity are of utmost importance, not only for the institutions in our group that are within the scope of the draft recommendations but also for other group entities (including operators of regulated markets), DBG relies on a profound, secure and resilient IT architecture. Due to the business-related importance of state-of-the-art IT systems as well as the scalability of business, DBG started early to investigate the potential use of cloud solutions and entered into intensive communication with major cloud service providers, competent authorities, standard-setting organisations and peers. We consider a proper regulatory treatment and a consistently applicable audit framework, together with an appropriate integration of the specificities related to the use of cloud solutions into the institution's risk management framework as well as its IT and information security, to be of particular relevance.

The document at hand contains our general comments on the draft recommendations on outsourcing to cloud service providers (Part B) as well as dedicated responses to the questions raised in the consultative document (Part C). We have included our insight and knowledge concerning current developments in cloud computing solutions in our response to EBA's draft recommendations.

B. General comments

Especially in view of the increasing use of cloud computing solutions and their growing importance for financial institutions, DBG welcomes EBA's draft recommendations on outsourcing to cloud service providers, as these contribute to reducing uncertainty with regard to supervisory expectations. We are of the opinion that an appropriate regulatory framework for institutions using cloud technology supports due consideration of the risks associated with the implementation of cloud solutions. Within this context, we would like to express our support for the circular on IT outsourcing recently published by the Commission de Surveillance du Secteur Financier, Luxembourg (CSSF) [2], which provides a detailed and sound framework for the use of cloud solutions. This circular might serve as a guideline for further developments due to its currently unique level of detail and scope.

Regardless of our general agreement with the draft recommendations provided, we would appreciate further clarification on specific aspects of the recommendations in order to harmonise the implementation of requirements and ensure an appropriate application of rules. In particular, the prescribed right to physical access to relevant business premises of the cloud service provider should be further clarified in order to avoid unnecessary requests for physical access to e.g. data centres, systems and networks of cloud service providers, which might result in a disproportionate burden for cloud service providers and thereby itself create an operational risk. Burdensome regulations on excessive audit rights might hinder potential cloud service providers from offering services to the financial industry and as such might lead to an insufficient and concentrated offering of cloud solutions. Moreover, while we see the necessity to leave sufficient room for flexibility in interpretation, we would appreciate further clarifying remarks within the context of chain outsourcing. In addition, we strongly support EBA's intention to feed the recommendations on outsourcing to cloud service providers, once finalised, into the update of the CEBS guideline on outsourcing of 14 December 2006.

Our requests for clarifications and adjustments are outlined further as part of our answers to the questions raised within the consultative document.

C. Response to selected questions raised in the consultative document

Q1. Are the provisions from these recommendations clear and sufficiently detailed to be used in the context of cloud outsourcing?

DBG considers the recommendations on outsourcing to cloud service providers sufficiently clear and feasible to account for the specificities arising within the context of outsourcing, except for a few selected aspects. We are of the opinion that, within the context of access and audit rights as well as chain outsourcing, further clarification should be provided in order to avoid misinterpretation and ensure a consistent application of the recommendations.

4.3. Access and audit rights

Point 6 lit. (a) of the draft recommendations requires that the contractual basis ensures (among others) the outsourcing institution's right to access the cloud service provider's business premises, "including the full range of devices, systems, networks and data used for providing the services outsourced". Lit. (b) further requires that the cloud service providing entity confers an unrestricted right of inspection and audit on the outsourcing institution.

While we consider the institution's right to access and audit as generally reasonable, the phrasing of point 6 lit. (a) and (b) is too broad, as the audit right seems to cover unrestricted access to all data centres and systems as well as the right of unrestricted collection of data for the purpose of conferred inspections. As already pointed out by EBA during the Q&A session of the public hearing on 20 June 2017, such a wide exercise of the right to access and audit might pose (additional) operational risks to the cloud service provider resulting from multiple inspections of data centres and systems by clients. While such broad rights do not necessarily contribute to the performance of the institution's ultimate responsibility for the outsourced activity or function, they might discourage cloud service providers from agreeing to audit and access rights as recommended by EBA to institutions and therefore stop them from offering their services.

In order to avoid misinterpretations of the right to "full access to its [the cloud service provider's] business premises, including the full range of devices, systems, networks and data used for providing the services outsourced" as stated in point 6 lit. (a), we would highly appreciate a clarifying amendment of the aforementioned issue in accordance with EBA's explained appraisal. For that purpose, we suggest amending paragraph 6 lit. (a) as follows:

"(a) to provide the institution, to any third party appointed for that purpose by the institution and to the institution's statutory auditor full access to its business premises, including the full range of devices, systems, networks and data used for providing the services outsourced (right of access) where reasonably necessary to fulfil rights of audit of the institution and in a way avoiding operational risk for the cloud service provider and its remaining customers;"

Point 8 requires outsourcing institutions to make use of (suggested) tools for exercising their right to audit where an outsourcing institution does not employ its own audit resources. Among others, pooled audits (see point 8 lit. (a)) are considered such a tool. Taking into consideration the current developments within the context of outsourcing to cloud service providers and the approaches favoured by affected market participants for meeting the requirement to exercise the outsourcing institution's right to audit, we would like to point out that pooled audits are expected to be the rule rather than the exception. Read conservatively, the current wording restricts pooled audits to cases where no own resources are available. However, we understand that this is not intended. In order to avoid a misinterpretation to the effect that the exercise of the right to audit through own audit resources is to be preferred over the suggested audit tools (i.e. that such tools should only be used if own audit resources are not available), we suggest rephrasing point 8 in such a way that the usage of the tools is not linked in any way to the institution's own audit resources:

"8. The outsourcing institution should exercise its right to audit and its right to access in a risk-based manner. Apart from using own audit resources for the purpose of exercising its right of audit, the outsourcing institution can use (at least) one of the following tools: [...]"

4.7. Chain outsourcing

Sentence two of point 21 of the draft recommendations states that the outsourcing institution "should agree to chain outsourcing only if ...". While the wording "should agree" implies that the institution's explicit consent is required, the draft recommendations' accompanying document states, under "Assessment of the technical options - Exhaustive and prescribed list of requirements vs. non-exhaustive list", that the requirement for explicit consent when the outsourcer intends to change subcontractors has purposely not been included. We kindly ask to adjust the wording of sentence two of point 21 of the draft recommendations to reflect EBA's expectations as outlined in the draft recommendations' accompanying document.

Moreover, the abovementioned sentence contains the requirement that the subcontractor has to fully comply with the obligations existing between the outsourcing institution and the outsourcing service provider. Due to the different contractual subjects underlying the respective relationships, which might be fundamental, we are of the opinion that it is not feasible for the service agreement between the cloud service provider and the subcontractor to fully mirror the agreement between the outsourcing institution and the cloud service provider. Therefore, we suggest aligning the wording of sentence two of point 21 to subparagraph 2 of Guideline 10 of the CEBS Guideline on outsourcing, which requires that the contractual terms agreed between the outsourcing service provider and the subcontractor shall conform, or at least not be contradictory, to the provisions of the agreement with the outsourcing institution. In addition, clarification is requested on whether this requirement also encompasses that the outsourcing institution shall retain an access and audit right at the level of the subcontractor.

Point 23 requires cloud service providers to inform the outsourcing institution of any proposed significant changes to the subcontractor or the subcontractor's services. With regard to the interpretation of what is to be considered "significant" in this context, EBA provided guidance during the public hearing, referring to potential effects on the outsourcing institution's risk profile resulting from the proposed changes. We would appreciate the inclusion of such interpretation in the draft recommendations in order to ensure a consistent application of rules.

Q2. Are there any additional areas which should be covered by these recommendations in order to achieve convergence of practices in the context of cloud outsourcing?

At present, DBG does not see the need to cover additional areas in the proposed recommendations in order to achieve convergence of practice within the context of cloud computing. We consider the scope of the draft recommendations generally suitable to achieve convergence in the context of cloud outsourcing, as the relevant peculiarities of cloud outsourcing have been captured.

Nevertheless, EBA should consider an appropriate transitional period for implementation in order to achieve convergence in practice properly. According to the presentation at the public hearing on recommendations on outsourcing to cloud service providers, the final recommendations are expected to be issued in H2/2017, with application envisaged for mid-2018. Hence, once the final recommendations have been published, institutions will have in total less than 12 months to comply with the requirements resulting from the recommendations. We consider the envisaged transitional period of less than 12 months as not sufficient to account for the necessary adjustments of existing general outsourcing structures as well as the implementation of new requirements institutions might face. We consider a period of 24 months appropriate to adequately take into account the time needed to implement the full scope of the recommendations (in particular, amendments to the underlying outsourcing agreements as well as the implementation and maintenance of registers, as required by point 4 of the draft recommendations, might be time-consuming).

* * *

We are at your disposal to discuss the issues raised and proposals made if deemed useful.

Faithfully,

Jürgen Hillen
Marija Kozica

[1] (International) Central Securities Depository
[2] http://www.cssf.lu/fileadmin/files/lois_reglements/circulaires/hors_blanchiment_terrorisme/cssf17_654eng.pdf