Banks worldwide are investing heavily in cloud services to improve how they interact with customers, innovate faster, and improve the performance, resiliency, and security of their technology infrastructure. To help support financial institutions in their cloud adoption, the European Banking Authority (EBA) guidelines on outsourcing arrangements set standards that apply to the outsourcing of certain functions to third-party service providers. The following sections summarize the main requirements and how Oracle Cloud Infrastructure (OCI) can support financial institutions in addressing them.
One key consideration for financial institutions that plan to move on-premises workloads to the cloud is the ability to conduct pre-outsourcing due diligence on the prospective cloud services provider (CSP). They must assess the suitability of the CSP and any strategic subcontractors to determine whether they meet the institution’s requirements.
Oracle provides several resources to assist prospective customers in reviewing Oracle as a CSP, including access to completed security questionnaires, such as the Consensus Assessment Initiative Questionnaire (CAIQ), audit reports, and other information regarding Oracle’s operational and security practices. Oracle also provides access to documents such as the Oracle Corporate Security Practices and Oracle Cloud Infrastructure Security Architecture advisory papers and global compliance reports, such as ISO 27001, SOC, PCI DSS, and HIPAA.
For further information about attestations and advisories, see the Oracle Cloud Compliance page.
Another essential component when evaluating a CSP is information, access, and audit rights. The EBA Guidelines might require a financial institution to obtain certain access, inspection, and auditing rights to enable it and its regulators to monitor outsourcings and fulfill applicable regulatory and contractual requirements.
Oracle customers and their regulators have the unrestricted right to access and to audit Oracle’s compliance with its regulatory and contractual obligations. These audit rights include the right to conduct emergency audits. Oracle also grants the same rights of access and audit of its strategic subcontractors. Oracle’s commitment to this process is described in the Financial Services Addendum to our cloud service agreement, which addresses the specific needs of financial institutions. It complements Oracle’s cloud policies and contracts that can be obtained from your Oracle account contact.
A service provider under an outsourcing arrangement might transfer an outsourced function to another service provider. The EBA Guidelines require financial institutions to have a degree of visibility and control over this sub-outsourcing to help mitigate the risks it introduces.
Oracle can use strategic subcontractors to support certain aspects of its cloud infrastructure services. For example, Oracle might contract with a colocation provider to lease dedicated data halls and suites for the operation of OCI. We’re transparent with our customers and publish a list of our strategic subcontractors on My Oracle Support (MOS). Customers have a 30-day period to object to Oracle’s use of strategic subcontractors and to terminate the services if the objections are not adequately addressed.
The EBA expects financial institutions to ensure that CSPs comply with appropriate IT security standards. So, evaluating the CSP’s security is a critical step when considering a provider.
Based on decades of experience with enabling data security for top-tier banks, Oracle delivers a robust and highly configurable infrastructure to help meet the demands of financial institutions. OCI operates under policies that are generally aligned with the ISO/IEC 27002 Code of Practice for information security controls.
Take a security-first approach by using services such as Oracle Cloud Security Zones, which enforce preventive policies on the resources in a compartment (for example, blocking public object storage buckets), and Cloud Guard, which continuously detects and can remediate misconfigured resources and risky activity, to secure your data stored in or processed by Oracle Cloud services.
Like with most technology, the goal with cloud services is to keep operations running smoothly. The EBA guidelines acknowledge the importance of operational stability and require financial institutions to develop business continuity plans to prepare for disruptive events that can impact outsourcing arrangements. To quote Benjamin Franklin, “If you fail to plan, you are planning to fail.”
When considering your cloud computing needs, having redundant resources and fail-over strategies can help achieve high availability and support business continuity.
Each OCI availability domain contains three fault domains, which are groupings of hardware and infrastructure that act as logical data centers within the availability domain. Placing instances in different fault domains ensures that they do not share the same physical hardware, so a hardware failure or planned maintenance in one fault domain does not affect the others. Note that fault domains protect only against failures within a single availability domain; resilience to the loss of an entire availability domain or region requires deploying across multiple availability domains or regions. Oracle stands behind its commitment to customers’ business continuity requirements with financially backed SLAs for availability, manageability, and performance. These goals are supported by Oracle’s business continuity plans and Risk Management and Resiliency Program.
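Fault domain placement is a per-instance choice, so spreading a workload across the three fault domains has to be done explicitly. The following Terraform configuration is an added example, not code from the original post or from Oracle; it looks up the fault domains of the first availability domain in the region and places three compute instances round-robin across them. The variables `compartment_ocid`, `subnet_ocid`, `image_ocid`, and `ssh_public_key` are assumed to be declared elsewhere in the configuration, and the shape and sizing are illustrative.

```terraform
# Added example (not from the original post): explicitly spread three compute
# instances across the three fault domains of one availability domain.
# var.compartment_ocid, var.subnet_ocid, var.image_ocid and var.ssh_public_key
# are assumed to be declared elsewhere in the configuration.

data "oci_identity_availability_domains" "ads" {
  compartment_id = var.compartment_ocid
}

# Use the first availability domain in the region. Fault domain names are
# looked up rather than hard-coded so the configuration does not depend on
# the naming scheme.
locals {
  ad_name = data.oci_identity_availability_domains.ads.availability_domains[0].name
}

data "oci_identity_fault_domains" "fds" {
  availability_domain = local.ad_name
  compartment_id      = var.compartment_ocid
}

resource "oci_core_instance" "app" {
  count               = 3
  compartment_id      = var.compartment_ocid
  availability_domain = local.ad_name

  # Round-robin each instance into a different fault domain. If this argument
  # is omitted, OCI chooses a fault domain for you and does not guarantee
  # that the instances end up on separate hardware.
  fault_domain = data.oci_identity_fault_domains.fds.fault_domains[
    count.index % length(data.oci_identity_fault_domains.fds.fault_domains)
  ].name

  display_name = "app-${count.index + 1}"
  shape        = "VM.Standard.E4.Flex" # illustrative shape

  shape_config {
    ocpus         = 1
    memory_in_gbs = 8
  }

  source_details {
    source_type = "image"
    source_id   = var.image_ocid
  }

  create_vnic_details {
    subnet_id        = var.subnet_ocid
    assign_public_ip = false
  }

  metadata = {
    ssh_authorized_keys = var.ssh_public_key
  }
}

# Handy for verifying placement after apply: each instance should report a
# different fault domain.
output "app_fault_domains" {
  value = { for i in oci_core_instance.app : i.display_name => i.fault_domain }
}
```

After `terraform apply`, the `app_fault_domains` output should list FAULT-DOMAIN-1, -2, and -3 against the three instances. The same round-robin expression works for a different instance count; with more than three instances, the fourth instance shares a fault domain with the first, which is still the most even spread available within a single availability domain.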
Oracle recognizes that efficiently migrating workloads into or out of a CSP is critical. Financial services institutions subject to the EBA guidelines must ensure they can exit outsourcing arrangements if needed in an orderly manner. For cloud customers, this process includes validating that outsourced functions and data can be removed from a CSP and transferred to an alternative provider. Oracle supports customers that require assistance with a transition, including by returning data in accordance with our contractual commitments.
As a risk mitigation strategy, financial organizations might consider using more than one cloud provider for their most critical workloads. Oracle enables customers to build multicloud architectures with the Oracle Interconnect for Microsoft Azure and with Oracle integration and migration products.
For a deeper dive into how we’re supporting financial service institutions across Europe with their cloud compliance, download a copy of our advisory paper, Oracle Cloud Services and the European Outsourcing Guidelines.
We’re deeply committed to making our financial services customers successful in the cloud. If you want more information on using Oracle Cloud Infrastructure services in Europe, contact one of our representatives.
The information in this blog post may not be construed or used as legal advice about the content, interpretation or application of any law, regulation, or regulatory guideline. Customers and prospective customers must seek their own legal counsel to understand the applicability of any law or regulation on their use of Oracle services. Also note that the relevant contracts between you and Oracle determine the scope of services provided and the related legal terms and this blog post is provided for reference purposes only, is not part of, and does not otherwise create or amend, any agreement, warranties, representations, or other obligations between you and Oracle. Oracle disclaims any terms or statements contained herein that seek to impose legal or operational requirements on Oracle for the delivery of the services. Customers acknowledge that they remain solely responsible for meeting their legal and regulatory requirements. The information in this blog post was current as of January 28, 2022.