ESMA published the final guidelines on outsourcing to cloud service providers. These guidelines apply from July 31, 2021 to all cloud outsourcing arrangements entered into, renewed, or amended on or after this date. Firms should review and, accordingly, amend the existing cloud outsourcing arrangements to ensure that these arrangements consider the guidelines by December 31, 2022. Where the review of cloud outsourcing arrangements of critical or important functions is not finalized by December 31, 2022, firms should inform their competent authority about this, along with the measures planned to complete the review or the possible exit strategy.
These guidelines are intended to establish consistent, efficient, and effective supervisory practices within the European System of Financial Supervision. The guidelines apply to competent authorities; investment firms; credit institutions when carrying out investment services and activities; tier 2 third-country central counterparties that comply with the relevant requirements of European Market Infrastructure Regulation (EMIR); data reporting services providers and market operators of trading venues; credit rating agencies; trade repositories; securitization repositories; and administrators of critical benchmarks. The guidelines aim to help firms and competent authorities identify, address, and monitor the risks and challenges arising from cloud outsourcing arrangements that could span from making the decision to outsource, selecting a cloud service provider, and monitoring outsourced activities to providing for exit strategies. The guidelines cover the following key elements:
- Governance. A firm should have a defined and up-to-date cloud outsourcing strategy that is consistent with the firm’s relevant strategies and internal policies and processes, including in relation to information and communication technology, information security, and operational risk management.
- Pre-outsourcing analysis and due diligence. Before entering into any cloud outsourcing arrangement, a firm should assess if the cloud outsourcing arrangement concerns a critical or important function; identify and assess all relevant risks of the cloud outsourcing arrangement; undertake appropriate due diligence on the prospective cloud service provider; and identify and assess any conflict of interest that the outsourcing may cause.
- Key contractual elements. The respective rights and obligations of a firm and its cloud service provider should be clearly set out in a written agreement.
- Exit strategies. In case of outsourcing of critical or important functions, a firm should ensure that it is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and services to its clients, and without any detriment to its compliance with its obligations under the applicable legislation, as well as the confidentiality, integrity and availability of its data.
- Access and audit rights. A firm should ensure that the cloud outsourcing written agreement does not limit the firm’s and competent authority’s effective exercise of the access and audit rights and oversight options on the cloud service provider.
- Sub-outsourcing. If sub-outsourcing of critical or important functions (or material parts thereof) is permitted, the cloud outsourcing written agreement between the firm and the cloud service provider should, among other things, specify any part or aspect of the outsourced function that are excluded from potential sub-outsourcing.
- Written notification to competent authorities. A firm should notify, in writing, its competent authority in a timely manner about the planned cloud outsourcing arrangements that concern a critical or important function.
- Supervision of cloud outsourcing arrangements. Competent authorities should assess risks arising from a firm's cloud outsourcing arrangements as part of their supervisory process; this assessment should focus on the arrangements that relate to the outsourcing of critical or important functions.
Keywords: Europe, EU, Banking, Securities, Cloud Service Providers, Fintech, Regtech, Outsourcing, Cloud Computing, ESMA
Previous ArticleEBA Publishes Data on Deposit Guarantee Schemes
The Board of Governors of the Federal Reserve System (FED) published the final rule that amends Regulation I to reduce the quarterly reporting burden for member banks by automating the application process for adjusting their subscriptions to the Federal Reserve Bank capital stock, except in the context of mergers.
The European Banking Authority (EBA) published its assessment of risks through the quarterly Risk Dashboard and the results of the Autumn edition of the Risk Assessment Questionnaire (RAQ).
The Malta Financial Services Authority (MFSA) updated the guidelines on supervisory reporting requirements under the reporting framework 3.0.
The Hong Kong Monetary Authority (HKMA) published a circular, along with the reporting form and instructions, for self-assessment, by authorized institutions, of compliance with the Code of Banking Practice 2021.
The Financial Conduct Authority (FCA) decided to register European DataWarehouse Ltd and SecRep Limited as securitization repositories under the UK Securitization Regulation, with effect from January 17, 2022.
The European Commission (EC) published the Delegated Regulation 2022/25, which supplements the Investment Firms Regulation (IFR or Regulation 2019/2033) with respect to the regulatory technical standards specifying the methods for measuring the K-factors referred to in Article 15 of the IFR.
The Bank of International Settlements (BIS) published a paper that assesses the ways in which platform-based business models can affect financial inclusion, competition, financial stability and consumer protection.
The Central Bank of Egypt (CBE) published a circular with instructions on emergency liquidity assistance to banks that are unable to meet their liquidity requirements.
The European Supervisory Authorities (ESAs) published the list of identified financial conglomerates for 2021.
The Australian Prudential Regulation Authority (APRA) updated the list of authorized deposit-taking institutions, granting license to Barclays Bank PLC and Crédit Agricole Corporate and Investment Bank to operate as foreign authorized deposit-taking institutions under the Banking Act 1959.