Featured Product

    MFSA Clarifies Whether SaaS Cloud Model is an Outsourcing Arrangement

    March 08, 2021

    MFSA published a circular clarifying whether the Software-as-a-Service (SaaS) cloud model is an outsourcing arrangement. The circular also provides brief guidance on how license holders shall manage the relevant outsourcing risks associated with SaaS arrangements, including but not limited to risks associated with the data being processed by the SaaS third-party providers. MFSA states that license holders need to, for instance, give due consideration to business continuity in case of disruptions on the part of the SaaS third-party providers, including migration and exit strategies. The circular also states that SaaS third-party providers should be subject to adequate due diligence both at the initial stage and on an ongoing basis.

    The MFSA circular presents the definition of (verbatim) SaaS as stated in the EC cloud strategy from May 2019 and the differing definition of ICT third-party provider as stated under the proposed Regulation on Digital Operational Resilience. Within the context of the vendor-user relationship, the SaaS model allows the vendor to manage the business application(s) that would otherwise have to be managed in-house. With respect to establishing whether SaaS is an outsourcing arrangement, the circular states that, under normal circumstances, the management element of the service rendered by SaaS third-party providers to license holders qualifies as an outsourcing arrangement. SaaS qualifies as an outsourcing arrangement if the service is performed on a recurrent or an ongoing basis and if the service would normally fall within the scope of functions that would or could realistically be performed by the license holder, even if the license holder has not performed this function in the past. License holders are to assess and determine whether SaaS currently being consumed or planned to be acquired, qualifies as an outsourcing arrangement. License holders are to further assess and determine whether the outsourcing arrangement entails the outsourcing of a critical or important function.  

    Additional guidance on outsourcing risk and on whether certain arrangements quality as outsourcing can be found within the MFSA Guidance on Technology Arrangements ICT and Security Risk Management and Outsourcing Arrangements and on the guidelines of ESAs on outsourcing arrangements and/or outsourcing to cloud service providers. License holders are reminded of their obligation to comply with any applicable Acts, Regulations, rules, and sector-specific guidelines pertaining to outsourcing arrangements.

     

    Related Links

    Keywords: Europe, Malta, Banking, SAAS, Cloud Computing, Outsourcing Risk, Operational Resilience, Third-Party Arrangements, MFSA

    Related Articles
    News

    PRA Finalizes Supervisory Approach for Non-Systemic Banks in UK

    PRA published the policy statement PS8/21, which contains the final supervisory statement SS3/21 on the PRA approach to supervision of the new and growing non-systemic banks in UK.

    April 15, 2021 WebPage Regulatory News
    News

    EBA Finalizes Standards on Methods of Prudential Consolidation

    EBA published a report that sets out the final draft regulatory technical standards specifying the conditions according to which consolidation shall be carried out in line with Article 18 of the Capital Requirements Regulation (CRR).

    April 15, 2021 WebPage Regulatory News
    News

    EBA Updates List of Other Systemically Important Institutions in EU

    EBA updated the list of other systemically important institutions (O-SIIs) in EU.

    April 15, 2021 WebPage Regulatory News
    News

    BCBS Report Concludes Basel Risk Categories Can Capture Climate Risks

    BCBS published two reports that discuss transmission channels of climate-related risks to the banking system and the measurement methodologies of climate-related financial risks.

    April 14, 2021 WebPage Regulatory News
    News

    UK Authorities Welcome FSB Review of their Remuneration Regime

    UK Authorities (FCA and PRA) welcomed the findings of FSB peer review on the implementation of financial sector remuneration reforms in the UK.

    April 14, 2021 WebPage Regulatory News
    News

    PRA and FCA Letter on Addressing Risks from Use of Deposit Aggregators

    PRA and FCA jointly issued a letter that highlights risks associated with the increasing volumes of deposits that are placed with banks and building societies via deposit aggregators and how to mitigate these risks.

    April 14, 2021 WebPage Regulatory News
    News

    MFSA to Amend Banking Act and Rules in Coming Months to Transpose CRD5

    MFSA announced that amendments to the Banking Act, Subsidiary Legislation, and Banking Rules will be issued in the coming months, to transpose the Capital Requirements Directive (CRD5) into the national regulatory framework.

    April 14, 2021 WebPage Regulatory News
    News

    EC Delegated Regulation on Specialized Lending Exposures Under CRR

    EC finalized the Delegated Regulation 2021/598 that supplements the Capital Requirements Regulation (CRR or 575/2013) and lays out the regulatory technical standards for assigning risk-weights to specialized lending exposures.

    April 14, 2021 WebPage Regulatory News
    News

    OSFI Proposes to Enhance Assurance Expectations for Basel Returns

    OSFI launched a consultation to explore ways to enhance the OSFI assurance over capital, leverage, and liquidity returns for banks and insurers, given the increasing complexity arising from the evolving regulatory reporting framework due to IFRS 17 (Insurance Contracts) standard and Basel III reforms.

    April 13, 2021 WebPage Regulatory News
    News

    ECB Issues Results of Benchmarking Analysis of Recovery Plans of Banks

    ECB published results of the benchmarking analysis of the recovery plan cycle for 2019.

    April 13, 2021 WebPage Regulatory News
    RESULTS 1 - 10 OF 6858