"IT security for systemic financial institutions"
- Cyril Pierre-Beausse
- Sep 20, 2020
- 3 min read
Written by Mickaël Tome and Cyril Pierre-Beausse, Avocats à la Cour
Published on 21.09.2020 - Paperjam

In June 2020, the European Central Bank (ECB) published a report highlighting the challenges that banks continue to face in terms of information technology. The lessons that can be drawn from it by the market players are numerous, in particular with regard to the evolution of the supervision of these issues by the CSSF.
As entities regulated by the ECB, systemic financial institutions in the Euro zone (mainly banks) are required, following an annual self-assessment, to provide information on their IT risk management and the controls they implement in this area. Based on the data collected for 2018, the ECB has just published its 2019 report.
It is an edifying report, whose findings and conclusions, beyond the banks and entities supervised by the ECB, should challenge all professionals of the financial sector (PFS).
In addition to interesting developments on the need for technical expertise at Board level, the management of the increasing complexity of the IT infrastructure and the prevention of associated risks (cybercrime, breakdowns, dependency), a significant part of the report's conclusions is devoted to outsourcing, and more particularly to the use of the cloud.
The ECB notes a 10% increase in outsourcing-related spending over the period under review, but also points to the progress that still needs to be made to better manage the IT risks associated with outsourcing.
To a large extent, these risks and the weaknesses identified by the ECB stem from the insufficient - and sometimes failing - governance that surrounds many outsourcing projects.
Among these risks, the ECB notes that IT outsourcing is too concentrated, leading to a sometimes unacceptable dependence on a single outsourcer, which sometimes accounts for more than half of some institutions' IT spending. The ECB also observes losses due to the unavailability or poor quality of some outsourced services.
In order to limit the risks linked to outsourcing, the ECB makes a few recommendations which seem essential to us and which echo the requirements of the CSSF in this area.
Firstly, PFS should improve their management processes for outsourcing projects, in particular with respect to risk management. Some PFS decide to outsource IT functions, sometimes essential ones, without having conducted a thorough risk analysis based on a recognized methodology (such as that of ENISA).
Others do not sufficiently document their risk management and mitigation decisions and measures. This is particularly the case for the assessment of the "materiality" of the outsourced function: this criterion, set by the CSSF, makes it possible to distinguish projects presenting significant risks (and therefore requiring an authorization, or at least a simple review, as the case may be, by the regulator) from non-material projects, which are exempted from authorization (but not from the other CSSF requirements).
Yet the CSSF is increasingly insisting on these governance aspects, and regularly rejects immature projects, notably in terms of reversibility ("exit strategy") or business continuity (BCP).
The regulator's demands are also strong in terms of contractualization. The service level agreements (SLAs) often imposed by certain large service providers are not always compatible with the CSSF circulars. This is notably the case with regard to the right of the PFS or the CSSF to audit the provider. It is therefore often necessary for the PFS to negotiate contract riders that take into account the minimum requirements of the regulator.
On this point, experience shows that one should not take at face value the statements of providers who claim that their cloud product is validated by the authorities, or that many other PFS are already using it without regulatory difficulties. These assertions rarely survive a thorough review of the project, let alone an audit with the regulator.
Moreover, once the service contract is in place, negotiations on the above-mentioned riders become more difficult, and providers sometimes have to be pressed to respond.
Some of the most attractive offers become less attractive once you consider the costs and time required to bring the solution into compliance. Compliance requirements must therefore be taken into account at a very early stage of the project, and in all cases before signing. This is not always easy when the tool is chosen at group level: in that case, the first step is to educate the parent company.
The ECB report demonstrates in its findings the validity of the CSSF's requirements: 45% of banks indeed indicate that they were forced to activate their continuity plan at least once in 2018, with the systemic and domino-effect risks that this may induce across the whole financial sector.
Faced with the risk, the CSSF regularly refines its requirements, taking into account the experience gained in outsourcing cases and the European guidelines on cloud.
Each outsourcing project presents significant technical, compliance (not to mention personal data protection) and governance challenges. Finally, management must be aware of the time required to implement a mature project and to get it approved by the regulator.
There is no such thing as a small outsourcing project.
The image above is under license CC BY 2.0