The European Banking Authority (EBA), an EU financial supervisory authority, recently provided EU financial institutions (which includes credit institutions, certain investment firms, and payment institutions) with new outsourcing guidelines (PDF), which may apply to the use of Informatica Cloud Services and Informatica Support Services. We’re ready and able to support our customers’ compliance with their obligations under the EBA Guidelines and to help meet their regulators’ expectations. Upon request to your Informatica’s account manager or representative, Informatica may provide with the EBA Guidelines Chart to aid Informatica customers and prospects how we address each of the considerations in the EBA Guidelines as well as the Informatica EBA Addendum which incorporates certain additional benefits to Customer to meet such requirements.
The common risk-based requirements framework in the EBA Guidelines allows financial institutions to efficiently collaborate with cloud service providers such as Informatica.
Risk assessment
The EBA Guidelines advises that financial institutions assess the potential impact of a cloud outsourcing arrangement on their operational risk before outsourcing.
Informatica is transparent about its security and compliance posture, providing documents such as the Security Addendum at https://www.informatica.com/content/dam/informatica-com/en/docs/legal/online-cloud-and-support-security-addendum.pdf; security practices on the Trust site at https://www.informatica.com/gb/trust-center.html and various compliance reports such as SOC2 Type 2 and HIPAA.
Auditability
The EBA Guidelines require an agreement between the institution and service provider to allow access, inspection, and auditing of cloud services. Informatica’s data processing agreement (DPA) available online (https://www.informatica.com/content/dam/informatica-com/en/docs/legal/online-data-processing-agreement.pdf) explains the right of customer or a third party auditor, which may include the regulator, to conduct an audit, including where necessary an on-site audit of Informatica. Customers may discuss with Informatica any additional audit requirements necessary to satisfy obligations under the EBA as appropriate.
Data Location
The EBA Guidelines stipulate that European financial services institutions should adopt a risk-based approach to data storage and data processing locations. Financial institutions should identify in their registers the location where services will be performed, including the location (country or region) where the data will be stored.
Informatica can help ensure that most Informatica Cloud Services are not performed in third countries. Informatica is able to offer new European customers production servers exclusively in the European Union upon request as may be required. (Some Data-as-a-Service offerings may include a subprocessor located outside Europe, and some Cloud Services may transmit metadata to cloud operations systems in other jurisdictions as needed to operate the Cloud Services) Informatica currently backs up relevant data from a production server in the European Economic Area at a disaster recovery server also in the European Economic Area.
Informatica Support Services are provided from multiple locations, including locations outside of Europe consistent with Informatica’s follow-the-sun support model. Informatica Support Services generally do not require customer data.
For personal data transferred from the EEA or from the United Kingdom, Switzerland, or Brazil, Informatica will conduct the transfer: (a) pursuant to the EU Standard Contractual Clauses; or (b) any other data transfer mechanism permitted under applicable data protection law, such as binding corporate rules.
Sub-outsourcing
To the extent that the provision of Cloud services and Support Services includes sub-outsourcing, European banks need to take into account any associated risks. The Informatica Cloud and Support teams analyze each third party providing services related to Informatica Cloud and Support. Customers can see the list of Informatica subcontractors available at available at https://www.informatica.com/legal/informatica-subprocessors.html.
Security
EU financial institutions are encouraged to implement and monitor governance and security measures. Informatica Cloud Infrastructure security practices are demonstrated via Informatica compliance reports and certification.
Based on decades of experience securing data and applications for top-tier banks, Informatica delivers secured Cloud Services to our financial services customers. All products on our Informatica Intelligent Cloud Services platform encrypt all data in motion (even traffic within a pod) and all data at rest (at both file and database level).
Business continuity
The EBA recommends that financial institutions develop business continuity plans and test them periodically for critical or important functions.
Informatica maintains a business continuity and disaster recovery program. A summary of the applicable policy is available under NDA upon request.
Concentration risk and exit strategies
Financial services institutions should monitor and manage the risk of becoming dependent on a single cloud provider. Effective risk management includes having appropriate exit strategies and the ability to export data at the end of the contract.
The Security Addendum provides customers with the right to retrieve data as well as the transition period and services during an exit from the contract with Informatica.
Regulatory assistance
In some cases, regulatory authorities might ask for more information about cloud services or seek information directly from a cloud service provider.
Informatica can help provide information necessary for customers supervised by the EBA to conduct due diligence, including but not limited to information related to our reputation, abilities, expertise, capacity, resources, organizational structure, and required regulatory compliance. Where required, Informatica will also cooperate with financial services regulators to provide further necessary information (e.g., summaries of reports and documents) regarding the activities outsourced to Informatica.
Resources
See resources on the Informatica Trust Center at https://www.informatica.com/trust-center.html
Informatica subcontractors available at available at https://www.informatica.com/legal/informatica-subprocessors.html
Informatica’s data processing agreement (DPA) available at https://www.informatica.com/content/dam/informatica-com/en/docs/legal/online-data-processing-agreement.pdf
Security Addendum at https://www.informatica.com/content/dam/informatica-com/en/docs/legal/online-cloud-and-support-security-addendum.pdf
Or contact your sales representative for more information.
Disclaimer
This document is provided for informational purposes only. A customer’s rights and Informatica’s obligations are defined solely in the contract governing provision of the Cloud Services and Support Services.
Customers are responsible for ensuring their own compliance with various applicable laws and regulations. Customers are solely responsible for obtaining professional legal advice as to the identification and interpretation of any relevant laws and regulations that may affect the customers’ business and any actions the clients may need to take to comply with such laws and regulations. Informatica does not provide legal, accounting or auditing advice. Informatica also does not represent or warrant that its services or products will ensure that customers s are compliant with any applicable laws or regulations.