Co-authors: Jonathan Hay, Principal Program Manager, Compliance; Rik De Deyn, Sr. Director, FS Industry Strategy
Financial institutions know the importance of offering their customers personalized digital experiences and continue to invest heavily in this area. To innovate faster, many financial institutions have adopted the cloud for their mission-critical operations. Customer trust and data security are key considerations when making the shift to the cloud.
We understand that addressing the guidance in the European Banking Authority (EBA) Guidelines on outsourcing arrangements is a crucial component in helping to build that trust.
Oracle’s banking customers will benefit from Oracle’s focus on security controls and transparency around these controls when delivering our Oracle Cloud products. This focus provides a strong foundation for our customers to achieve faster access to new technology and the benefits of the cloud.
Oracle’s next-generation cloud is a natural fit for mission-critical cloud adoption in a highly-regulated financial services world:
"In a highly-regulated industry, banks and other financial institutions need to be confident that their cloud strategy is built upon a platform that helps them innovate safely. Oracle customers are supported by Oracle's policies, documentation, and cloud services designed for: Risk assessment; Auditability; Data location; Sub-outsourcing; Security; Business continuity; Concentration risk and exit strategies; Regulatory assistance"
The common risk-based requirements framework in the EBA Guidelines allows financial institutions to efficiently collaborate with cloud service providers such as Oracle.
The EBA Guidelines advise that financial institutions assess the potential impact of a cloud outsourcing arrangement on their operational risk before outsourcing.
Oracle makes it easy for financial institutions to assess Oracle Cloud Infrastructure. Oracle is transparent about our security and compliance posture, providing documents such as the Oracle corporate security practices, the Oracle Cloud Infrastructure Security Architecture whitepaper, and various compliance reports such as ISO 27001, SOC, PCI DSS, HIPAA, and FedRAMP. The complete list can be found on the Oracle Cloud Compliance page.
The EBA Guidelines require an agreement between the bank and Oracle to allow access, inspection, and auditing of cloud services. To address this requirement, Oracle permits financial customers and their regulators to perform audits, as described in the Oracle Financial Services Addendum.
The EBA Guidelines stipulate that European financial services institutions should adopt a risk-based approach to data storage and data processing locations, and information security considerations. Financial institutions should identify in their registers the location where services will be performed, including the location (country or region) where the data will be stored. Oracle Cloud Infrastructure enables customers to select the Data Center Region where the cloud services are provisioned. Oracle will not change the applicable Data Center Region without customer consent.
To the extent that the provision of cloud services includes sub-outsourcing, European banks need to take into account any associated risks. The Oracle cloud team analyzes each third party providing services related to Oracle Cloud Infrastructure and determines whether the third party is necessary for Oracle to continue to provide the cloud service. Vendors deemed as necessary are categorized as strategic subcontractors. Customers can see the list of Oracle's strategic subcontractors, published on My Oracle Support (MOS), and the Oracle Financial Services Addendum explains how financial services customers can review Oracle’s strategic subcontractors.
EU financial institutions are encouraged to implement and monitor governance and security measures. Oracle Cloud Infrastructure security practices are demonstrated via Oracle compliance reports and certification with additional details within the Oracle Cloud Infrastructure Security Architecture whitepaper. Oracle also provides customers with security best practices to help customers securely configure Oracle Cloud Infrastructure services and resources.
Based on decades of experience securing data and applications for top-tier banks, Oracle delivers a highly configurable Cloud Infrastructure to our financial services customers. Oracle’s security-first approach and security zones enable you to secure your data through stringent network virtualization, with the option to keep cloud data in your own data centers. Oracle Cloud Infrastructure offers security and encryption of data at rest and in flight across different deployment options, ranging from public cloud OCI to Cloud@Customer. Oracle Cloud Infrastructure provides a broad range of security services, including OCI Cloud Guard, Web Application Firewall (WAF), Data Safe, and Database Vault.
The EBA recommends that financial institutions develop business continuity plans and test them periodically for critical or important functions.
Oracle enables customers to configure their Oracle Cloud Infrastructure architecture to meet business continuity requirements by utilizing Oracle Regions. An Oracle Cloud Infrastructure Region is a localized geographic area, and an availability domain is one or more data centers located within a Region. Most Oracle Cloud Infrastructure resources are either region-specific, such as a virtual cloud network, or availability domain-specific, such as a compute instance. Each availability domain contains three fault domains. Fault domains provide anti-affinity: you can distribute your instances so that they do not share the same physical hardware within a single availability domain. Here is more information about Regions and Availability Domains.
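To make the region / availability domain / fault domain hierarchy concrete, here is an added example (not code from the original post or from Oracle) that models the placement described above and checks the blast radius of a single fault-domain or availability-domain failure. The availability domain names, instance names and the round-robin placement policy are constructed for illustration; the only fact taken from the page is that each availability domain holds three fault domains.

```python
"""Anti-affinity placement planner for a region made of availability domains (ADs)
and fault domains (FDs). Constructed model for illustration; this is not the OCI SDK
and does not talk to any cloud API."""
from collections import Counter
from math import ceil

FAULT_DOMAINS_PER_AD = 3  # per the page: each availability domain contains three fault domains


def placement_slots(availability_domains):
    """All (AD, FD) slots in a region, ordered FD-major so that consecutive slots
    alternate between ADs. That way a small instance count is still split across ADs."""
    return [
        (ad, f"FAULT-DOMAIN-{i}")
        for i in range(1, FAULT_DOMAINS_PER_AD + 1)
        for ad in availability_domains
    ]


def place_instances(names, availability_domains):
    """Round-robin instances over every (AD, FD) slot: this is the anti-affinity
    policy, replicas land on distinct fault domains until every slot is used."""
    slots = placement_slots(availability_domains)
    return {name: slots[i % len(slots)] for i, name in enumerate(names)}


def blast_radius(placement, failed_ad, failed_fd=None):
    """Instances lost when a whole AD (failed_fd=None) or one FD inside it fails."""
    return sorted(
        name
        for name, (ad, fd) in placement.items()
        if ad == failed_ad and (failed_fd is None or fd == failed_fd)
    )


def worst_case_fd_loss(placement):
    """Largest number of instances that a single fault-domain failure can take out."""
    return max(Counter(placement.values()).values())


def worst_case_ad_loss(placement):
    """Largest number of instances that a single availability-domain failure can take out."""
    return max(Counter(ad for ad, _ in placement.values()).values())


def is_anti_affine(placement, availability_domains):
    """True when no fault domain holds more instances than an even spread requires."""
    n_slots = len(availability_domains) * FAULT_DOMAINS_PER_AD
    return worst_case_fd_loss(placement) <= ceil(len(placement) / n_slots)


if __name__ == "__main__":
    # Constructed sample: six web replicas in a two-AD region.
    ads = ["AD-1", "AD-2"]
    replicas = [f"web-{i}" for i in range(1, 7)]

    good = place_instances(replicas, ads)
    bad = {name: ("AD-1", "FAULT-DOMAIN-1") for name in replicas}  # everything on one rack set

    for label, plan in (("spread", good), ("stacked", bad)):
        print(f"{label}: anti-affine={is_anti_affine(plan, ads)} "
              f"worst FD loss={worst_case_fd_loss(plan)} worst AD loss={worst_case_ad_loss(plan)}")
    print("AD-1 outage removes:", blast_radius(good, "AD-1"))
```

Because slots are ordered fault-domain-major, four instances in a two-AD region end up two per AD rather than three in the first AD and one in the second; the `worst_case_*` checks are the numbers a business continuity test should compare against the minimum healthy capacity the service needs.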
Oracle is the preferred partner to banks, for database, middleware, and application technologies, because of its heritage in business continuity. Customers benefit from Oracle’s Disaster Recovery (DR) and Maximum Availability Architectures (MAA) and its Service Level Agreements for Oracle Cloud Infrastructure (OCI). In addition, Oracle maintains its own business continuity program with the objective of maintaining Oracle’s internal operations of the cloud services. This program is described in the Oracle Financial Services Addendum and here.
Concentration risk and exit strategies
Financial services institutions should monitor and manage the risk of becoming dependent on a single cloud provider. Effective risk management includes having appropriate exit strategies and the ability to export data at the end of the contract.
The Financial Services Addendum provides customers with the right to terminate Cloud Infrastructure services based on regulatory requirements, as well as a transition period and services during an exit from the contract with Oracle.
Oracle Cloud Infrastructure enables customers to use multiple cloud service providers via the Oracle to Azure interconnect and Oracle integration and migration products. Oracle provides workload portability across a broad set of services, including Kubernetes, VMware, the Oracle Database, and WebLogic.
In some cases, regulatory authorities might ask for more information about cloud services or seek information directly from a cloud service provider.
Oracle provides ample information to customers so they can address their regulatory requirements through Oracle compliance reports, certifications, and attestations, as well as the Oracle Cloud Infrastructure Security Architecture whitepaper. Where required, Oracle will also cooperate with financial services regulators to provide further necessary information (e.g., summaries of reports and documents) regarding the activities outsourced to Oracle.
As a longstanding technology and applications partner for the largest financial institutions in the world, Oracle Cloud Infrastructure provides controls that help meet the needs of customers looking to address the Guidelines on outsourcing arrangements from the EBA as well as regional regulatory requirements. Cloud technology has become a means for financial services companies to capture new customers, create new services, and reduce costs.