Featured Product

    EIOPA Finalizes Guidelines on Outsourcing to Cloud Service Providers

    February 06, 2020

    EIOPA published the final guidelines on outsourcing to cloud service providers. The guidelines are addressed to national supervisory authorities and inform market participants on how outsourcing provisions in the legislative framework need to be applied in case of outsourcing to cloud service providers. These outsourcing provisions have been set forth in the Solvency II Directive, in the Commission Delegated Regulation 2015/35, and in the EIOPA guidelines on system of governance. The guidelines apply from January 01, 2021 and undertakings should ensure compliance by December 31, 2022.

    The consultation on draft guidelines on outsourcing to cloud service providers ran from July 01 to September 30, 2019 and EIOPA received 28 responses. The stakeholder input helped EIOPA to prepare the final version of these guidelines, which have been streamlined taking into account the principle of proportionality and a risk-based approach to implementation. In the final guidelines, EIOPA mainly focused on outsourcing of critical or important operational functions or activities to cloud service providers. The guidelines cover the following areas:

    • Criteria to distinguish whether cloud services should be considered within the scope of outsourcing
    • Principles and elements of governance of cloud outsourcing, including documentation requirements and list of information part of the notification to supervisory authorities
    • Pre-outsourcing analysis, including a set of criteria to be followed to assess whether a cloud outsourcing arrangement relates to an operational function or activity that is critical or important
    • Principle-based instructions on how the risk assessment of the cloud outsourcing and the due diligence on the cloud service providers should be performed
    • Contractual requirements
    • Management of access and audit rights; security of data and systems; sub-outsourcing of critical or important operational functions or activities; monitoring and oversight of cloud outsourcing; and exit strategies
    • Principle-based instructions for national supervisory authorities on the supervision of cloud outsourcing arrangements including, where applicable, at group level.

    The final report of these guidelines also contains the feedback statement to the consultation, the final impact assessment, and the resolution of non-confidential comments provided by the stakeholders during the consultation. EIOPA developed these guidelines to provide clarification and transparency to market participants and to avoid potential regulatory arbitrage. The guidelines may also foster supervisory convergence regarding the expectations and processes applicable in relation to cloud outsourcing. In accordance with Article 16 of Regulation (EU) No 1094/2010, within two months of the issuance of these guidelines, each competent authority shall confirm if it complies or intends to comply with these guidelines. In case a competent authority does not comply or does not intend to comply, it shall inform EIOPA, stating the reasons for non-compliance.

    The guidelines apply from January 01, 2021 to all cloud outsourcing arrangements entered into or amended on or after this date. Undertakings should review and amend accordingly the existing cloud outsourcing arrangements related to critical or important operational functions or activities with a view to ensuring compliance with these guidelines by December 31, 2022. Where the review of cloud outsourcing arrangements related to critical or important operational functions or activities is not finalized by December 31, 2022, the undertaking should inform its supervisory authority about this, including the measures planned to complete the review or the possible exit strategy. The supervisory authority may agree with the undertaking on an extended timeline for completing that review, where appropriate. The update (where needed) of the undertaking’s policies and internal processes should be done by January 01, 2021 while the documentation requirements for cloud outsourcing arrangements related to critical or important operational functions or activities should be implemented by December 31, 2022.

     

    Related Links

    Effective Date: January 01, 2021

    Keywords: Europe, EU, Insurance, Reinsurance, Guidelines, Outsourcing, Governance, Fintech, Insurtech, Regulatory Arbitrage, Proportionality, Cloud Outsourcing, Supervisory Convergence, Solvency II, EC, EBA, EIOPA

    Featured Experts
    Related Articles
    News

    ESAs Assess Risks to Financial Sector After COVID-19 Outbreak

    ESAs (EBA, EIOPA, and ESMA) published the first joint report that assesses risks in the financial sector since the outbreak of the COVID-19 pandemic.

    September 22, 2020 WebPage Regulatory News
    News

    ECB Allows Temporary Relief in Leverage Ratio Amid COVID-19 Pandemic

    ECB published a decision allowing the euro area banks under its direct supervision to exclude certain central bank exposures from the leverage ratio.

    September 21, 2020 WebPage Regulatory News
    News

    ESAs Launch Survey on Templates for Product Disclosures Under SFDR

    ESAs launched a survey seeking feedback on the presentational aspects of product templates under the Sustainable Finance Disclosure Regulation (SFDR or Regulation 2019/2088).

    September 21, 2020 WebPage Regulatory News
    News

    ECB Proposes Integrated Reporting Framework to Reduce Burden for Banks

    ECB published input of the European System of Central Banks (ESCB) into the EBA feasibility report on reducing the reporting burden for banks in EU.

    September 21, 2020 WebPage Regulatory News
    News

    EBA to Phase Out Guidelines on Loan Repayment Moratoria

    EBA has decided to phase out the guidelines on legislative and non-legislative moratoria of loan repayments, in accordance with the earlier specified end of September deadline.

    September 21, 2020 WebPage Regulatory News
    News

    EC Deems UK Framework for CCPs Temporarily Equivalent to EMIR Rules

    EC adopted a decision determining, for a limited period of time, that the regulatory framework applicable to central counterparties, or CCPs, in the UK and Northern Ireland is equivalent to the requirements laid down in the European Market Infrastructure Regulation (EMIR or Regulation 648/2012).

    September 21, 2020 WebPage Regulatory News
    News

    EBA Provides Opinion on Definition of Credit Institution in CRR

    EBA published an Opinion addressed to EC to raise awareness about the opportunity to clarify certain issues related to the definition of credit institution in the upcoming review of the Capital Requirements Directive and Regulation (CRD and CRR).

    September 18, 2020 WebPage Regulatory News
    News

    ECB Finalizes Methodology to Assess CCR and A-CVA Risk of Banks

    ECB finalized the guide on assessment methodology for the internal model method for calculating exposure to counterparty credit risk (CCR) and the advanced method for own funds requirements for credit valuation adjustment (A-CVA) risk.

    September 18, 2020 WebPage Regulatory News
    News

    FED to Temporarily Revise FR Y-14 Reports to Conduct Stressed Analysis

    FED is proposing to temporarily revise the capital assessments and stress testing reports (FR Y-14A/Q/M) to implement the changes necessary to conduct stressed analysis in connection with the re-submission of capital plans, using data as of June 30, 2020.

    September 17, 2020 WebPage Regulatory News
    News

    FED Revises Information Collection Under Market Risk Capital Rule

    FED adopted a proposal to extend for three years, with revision, the information collection under the market risk capital rule (FR 4201; OMB No. 7100-0314).

    September 17, 2020 WebPage Regulatory News
    RESULTS 1 - 10 OF 5813