MFSA Clarifies Whether SaaS Cloud Model is an Outsourcing Arrangement
MFSA published a circular clarifying whether the Software-as-a-Service (SaaS) cloud model is an outsourcing arrangement. The circular also provides brief guidance on how license holders shall manage the relevant outsourcing risks associated with SaaS arrangements, including but not limited to risks associated with the data being processed by the SaaS third-party providers. MFSA states that license holders need to, for instance, give due consideration to business continuity in case of disruptions on the part of the SaaS third-party providers, including migration and exit strategies. The circular also states that SaaS third-party providers should be subject to adequate due diligence both at the initial stage and on an ongoing basis.
The MFSA circular presents the definition of (verbatim) SaaS as stated in the EC cloud strategy from May 2019 and the differing definition of ICT third-party provider as stated under the proposed Regulation on Digital Operational Resilience. Within the context of the vendor-user relationship, the SaaS model allows the vendor to manage the business application(s) that would otherwise have to be managed in-house. With respect to establishing whether SaaS is an outsourcing arrangement, the circular states that, under normal circumstances, the management element of the service rendered by SaaS third-party providers to license holders qualifies as an outsourcing arrangement. SaaS qualifies as an outsourcing arrangement if the service is performed on a recurrent or an ongoing basis and if the service would normally fall within the scope of functions that would or could realistically be performed by the license holder, even if the license holder has not performed this function in the past. License holders are to assess and determine whether SaaS currently being consumed or planned to be acquired, qualifies as an outsourcing arrangement. License holders are to further assess and determine whether the outsourcing arrangement entails the outsourcing of a critical or important function.
Additional guidance on outsourcing risk and on whether certain arrangements quality as outsourcing can be found within the MFSA Guidance on Technology Arrangements ICT and Security Risk Management and Outsourcing Arrangements and on the guidelines of ESAs on outsourcing arrangements and/or outsourcing to cloud service providers. License holders are reminded of their obligation to comply with any applicable Acts, Regulations, rules, and sector-specific guidelines pertaining to outsourcing arrangements.
Related Links
Keywords: Europe, Malta, Banking, SAAS, Cloud Computing, Outsourcing Risk, Operational Resilience, Third-Party Arrangements, MFSA
Previous Article
IFRS Sets Out Strategic Direction for Sustainability Standards BoardNext Article
MNB Revises Principles for Setting MREL for BanksRelated Articles
ISSB Sustainability Standards Expected to Become Global Baseline
The finalization of the two sustainability disclosure standards—IFRS S1 and IFRS S2—is expected to be a significant step forward in the harmonization of sustainability disclosures worldwide.
IOSCO, BIS, and FSB to Intensify Focus on Decentralized Finance
Decentralized finance (DeFi) is expected to increase in prominence, finding traction in use cases such as lending, trading, and investing, without the intermediation of traditional financial institutions.
BCBS Assesses NSFR and Large Exposures Rules in US
The Basel Committee on Banking Supervision (BCBS) published reports that assessed the overall implementation of the net stable funding ratio (NSFR) and the large exposures rules in the U.S.
Global Agencies Focus on ESG Data, Climate Litigation and Nature Risks
At the global level, supervisory efforts are increasingly focused on addressing climate risks via better quality data and innovative use of technologies such as generative artificial intelligence (AI) and blockchain.
ISSB Standards Shine Spotlight on Comparability of ESG Disclosures
The finalization of the IFRS sustainability disclosure standards in late June 2023 has brought to the forefront the themes of the harmonization of sustainability disclosures
EBA Issues Several Regulatory and Reporting Updates for Banks
The European Banking Authority (EBA) recently issued several regulatory publications impacting the banking sector.
BCBS Proposes to Revise Core Principles for Banking Supervision
The Basel Committee on Banking Supervision (BCBS) launched a consultation on revisions to the core principles for effective banking supervision, with the comment period ending on October 06, 2023.
US Proposes Final Basel Rules, Transition Period to Start in July 2025
The U.S. banking agencies (FDIC, FED, and OCC) recently proposed rules implementing the final Basel III reforms, also known as the Basel III Endgame.
FSB Report Outlines Next Steps for Climate Risk Roadmap
The Financial Stability Board (FSB) recently published the second annual progress report on the July 2021 roadmap to address climate-related financial risks.
EBA Plans on Ad-hoc ESG Data Collection and Climate Scenario Exercise
The recognition of climate change as a systemic risk to the global economy has further intensified regulatory and supervisory focus on monitoring of the environmental, social, and governance (ESG) risks.
