ESMA published the final report on the guidelines for outsourcing to cloud service providers. The guidelines apply to competent authorities and various entities under the ESMA remit, including credit rating agencies, investment firms and credit institutions when they carry out investment services and activities, data reporting services providers, and market operators of trading venues. The guidelines apply from July 31, 2021 to all cloud outsourcing arrangements entered into, renewed, or amended on or after this date. In addition, ESMA announced recognition of Euroclear UK & Ireland Limited, a UK-established central securities depository (CSD) as a third-country CSD after Brexit transition on December 31, 2020. Yet another announcement involves registration of DTCC Data Repository (Ireland) PLC (by ESMA) as a trade repository under the European Market Infrastructure Regulation (EMIR) and the Securities Financing Transactions Regulation (SFTR), with effect from December 23, 2020.
The guidelines are intended to help firms identify, address, and monitor the risks arising from cloud outsourcing arrangements. The guidelines are also intended to support a convergent approach to the supervision of cloud outsourcing arrangements across competent authorities in EU. The report incorporates feedback received during the consultation process for these draft guidelines (during June 03, 2020 to September 01, 2020) as well as the relevant outsourcing guidelines from EBA and EIOPA. While working on these guidelines, ESMA has been also mindful of the proposal for a Digital Operational Resilience regulation, which the EC published in September 2020. The guidelines in this report focus on:
- Risk assessment and due diligence that firms should undertake with respect to the cloud service providers
- Governance, organizational, and control frameworks that firms should put in place to monitor the performance of cloud service providers
- How to exit the cloud outsourcing arrangements without undue disruption to business
- Contractual elements that a cloud outsourcing agreement should include
- Information to be notified to competent authorities
The guidelines apply from July 31, 2021 and firms should review and amend accordingly the existing cloud outsourcing arrangements with a view to ensuring that they take into account these guidelines by December 31, 2022. Where the review of cloud outsourcing arrangements of critical or important functions is not finalized December 31, 2022, firms should inform the respective competent authority about this, including the measures planned to complete the review or the possible exit strategy.
Keywords: Europe, EU, Banking, Securities, Outsourcing, Cloud Computing, DTCC, Euroclear, ESMA
The Australian Prudential Regulation Authority (APRA) has published the findings of its latest climate risk self-assessment survey conducted across the banking, insurance, and superannuation industries.
The French Prudential Supervisory Authority (ACPR) published a notice related to the methods for calculating and publishing prudential ratios under the Capital Requirements Directive (CRD IV) and the minimum requirement for own funds and eligible liabilities (MREL).
The Financial Stability Institute (FSI) of the Bank for International Settlements recently published a paper proposing a framework for classifying financial stability regulation as either entity-based or activity-based.
The European Insurance and Occupational Pension Authority (EIOPA) published the risk dashboard based on Solvency II data and the final version of the application guidance on climate change materiality assessments and climate change scenarios in the Own Risk and Solvency Assessment (ORSA).
The European Banking Authority (EBA) and the European Central Bank (ECB) published their responses to the consultations of the International Sustainability Standards Board (ISSB) and the European Financial Reporting Advisory Group (EFRAG) on sustainability-related disclosure standards.
A Consultative Group on Risk Management (CGRM) at the Bank for International Settlements (BIS) published a report that examines incorporation of climate risks into the international reserve management framework.
The European Banking Authority (EBA) published the final guidelines on liquidity requirements exemption for investment firms, updated version of its 5.2 filing rules document for supervisory reporting, and Single Rulebook Question and Answer (Q&A) updates in July 2022.
The European Insurance and Occupational Pensions Authority (EIOPA) published Version 2.8.0 of the Solvency II data point model (DPM) and XBRL taxonomy.
The European Union published, in the Official Journal of the European Union, an opinion from the European Economic and Social Committee (EESC); the opinion is on the proposal for a regulation to amend the Capital Requirements Regulation (CRR).
HM Treasury published a draft statutory instrument titled “The Financial Services (Miscellaneous Amendments) (EU Exit) Regulations 2022,” along with the related explanatory memorandum and impact assessment.