MFSA published a circular clarifying whether the Software-as-a-Service (SaaS) cloud model is an outsourcing arrangement. The circular also provides brief guidance on how license holders shall manage the relevant outsourcing risks associated with SaaS arrangements, including but not limited to risks associated with the data being processed by the SaaS third-party providers. MFSA states that license holders need to, for instance, give due consideration to business continuity in case of disruptions on the part of the SaaS third-party providers, including migration and exit strategies. The circular also states that SaaS third-party providers should be subject to adequate due diligence both at the initial stage and on an ongoing basis.
The MFSA circular presents the verbatim definition of SaaS as stated in the EC cloud strategy from May 2019 and the differing definition of ICT third-party provider as stated under the proposed Regulation on Digital Operational Resilience. Within the context of the vendor-user relationship, the SaaS model allows the vendor to manage the business application(s) that would otherwise have to be managed in-house. With respect to establishing whether SaaS is an outsourcing arrangement, the circular states that, under normal circumstances, the management element of the service rendered by SaaS third-party providers to license holders qualifies as an outsourcing arrangement. SaaS qualifies as an outsourcing arrangement if the service is performed on a recurrent or an ongoing basis and if the service would normally fall within the scope of functions that would or could realistically be performed by the license holder, even if the license holder has not performed this function in the past. License holders are to assess and determine whether SaaS currently being consumed, or planned to be acquired, qualifies as an outsourcing arrangement. License holders are to further assess and determine whether the outsourcing arrangement entails the outsourcing of a critical or important function.
Additional guidance on outsourcing risk and on whether certain arrangements qualify as outsourcing can be found within the MFSA Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements, and in the guidelines of the ESAs on outsourcing arrangements and/or outsourcing to cloud service providers. License holders are reminded of their obligation to comply with any applicable Acts, Regulations, rules, and sector-specific guidelines pertaining to outsourcing arrangements.
Keywords: Europe, Malta, Banking, SAAS, Cloud Computing, Outsourcing Risk, Operational Resilience, Third-Party Arrangements, MFSA