Featured Product

    ESMA Issues Guidelines on Outsourcing to Cloud Service Providers

    May 10, 2021

    ESMA published the final guidelines on outsourcing to cloud service providers. These guidelines apply from July 31, 2021 to all cloud outsourcing arrangements entered into, renewed, or amended on or after this date. Firms should review and, accordingly, amend the existing cloud outsourcing arrangements to ensure that these arrangements consider the guidelines by December 31, 2022. Where the review of cloud outsourcing arrangements of critical or important functions is not finalized by December 31, 2022, firms should inform their competent authority about this, along with the measures planned to complete the review or the possible exit strategy.

    These guidelines are intended to establish consistent, efficient, and effective supervisory practices within the European System of Financial Supervision. The guidelines apply to competent authorities; investment firms; credit institutions when carrying out investment services and activities; tier 2 third-country central counterparties that comply with the relevant requirements of European Market Infrastructure Regulation (EMIR); data reporting services providers and market operators of trading venues; credit rating agencies; trade repositories; securitization repositories; and administrators of critical benchmarks. The guidelines aim to help firms and competent authorities identify, address, and monitor the risks and challenges arising from cloud outsourcing arrangements that could span from making the decision to outsource, selecting a cloud service provider, and monitoring outsourced activities to providing for exit strategies. The guidelines cover the following key elements:

    • Governance. A firm should have a defined and up-to-date cloud outsourcing strategy that is consistent with the firm’s relevant strategies and internal policies and processes, including in relation to information and communication technology, information security, and operational risk management.  
    • Pre-outsourcing analysis and due diligence. Before entering into any cloud outsourcing arrangement, a firm should assess if the cloud outsourcing arrangement concerns a critical or important function; identify and assess all relevant risks of the cloud outsourcing arrangement; undertake appropriate due diligence on the prospective cloud service provider; and identify and assess any conflict of interest that the outsourcing may cause.
    • Key contractual elements. The respective rights and obligations of a firm and its cloud service provider should be clearly set out in a written agreement.
    • Exit strategies. In case of outsourcing of critical or important functions, a firm should ensure that it is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and services to its clients, and without any detriment to its compliance with its obligations under the applicable legislation, as well as the confidentiality, integrity and availability of its data.
    • Access and audit rights. A firm should ensure that the cloud outsourcing written agreement does not limit the firm’s and competent authority’s effective exercise of the access and audit rights and oversight options on the cloud service provider.
    • Sub-outsourcing. If sub-outsourcing of critical or important functions (or material parts thereof) is permitted, the cloud outsourcing written agreement between the firm and the cloud service provider should, among other things, specify any part or aspect of the outsourced function that are excluded from potential sub-outsourcing. 
    • Written notification to competent authorities. A firm should notify, in writing, its competent authority in a timely manner about the planned cloud outsourcing arrangements that concern a critical or important function. 
    • Supervision of cloud outsourcing arrangements. Competent authorities should assess risks arising from a firm's cloud outsourcing arrangements as part of their supervisory process; this assessment should focus on the arrangements that relate to the outsourcing of critical or important functions. 

     

    Related Links

    Keywords: Europe, EU, Banking, Securities, Cloud Service Providers, Fintech, Regtech, Outsourcing, Cloud Computing, ESMA

    Related Articles
    News

    PRA Proposes Changes to Consolidated Prudential Rules Under CRD5/CRR2

    PRA proposed rules (in CP12/21) for the application of existing consolidated prudential requirements to financial holding companies and mixed financial holding companies that have been approved or designated in accordance with Part 12B of the Financial Services and Markets Act 2000 (FSMA).

    June 21, 2021 WebPage Regulatory News
    News

    ECB Extends Leverage Ratio Relief for Banks Until March 2022

    ECB Banking Supervision announced that euro area banks it directly supervises may continue to exclude certain central bank exposures from the leverage ratio until March 2022.

    June 18, 2021 WebPage Regulatory News
    News

    OSFI Consults on Treatment of Credit Valuation Adjustments

    OSFI decided to increase the Domestic Stability Buffer from 1.00% to 2.50% of total risk-weighted assets, with effect from October 31, 2021.

    June 18, 2021 WebPage Regulatory News
    News

    HKMA Requires Banks to Submit Plans for Fintech Adoption

    HKMA is requesting banks to participate in a tech baseline assessment, which forms part of the HKMA Fintech 2025 strategy.

    June 18, 2021 WebPage Regulatory News
    News

    OSFI Consults on Operational Risk Capital Data Management Expectations

    OSFI published two documents to consult on the management of operational risk capital data for institutions required, or for those applying, to use the Basel III standardized approach for operational risk capital in Canada.

    June 18, 2021 WebPage Regulatory News
    News

    NGFS on Addressing Financial Stability Issues from Biodiversity Loss

    The NGFS Study Group on Biodiversity and Financial Stability published a Vision paper exploring the case for action in addressing the financial stability concerns arising from biodiversity loss.

    June 18, 2021 WebPage Regulatory News
    News

    ACPR Publishes CREDITIMMO Version 2.3.0 Taxonomy for Banks

    ACPR published the final version of CREDITIMMO 2.3.0 taxonomy for the decree of October 31, 2021.

    June 18, 2021 WebPage Regulatory News
    News

    EC Prolongs Italian Guarantee Scheme for Non-Performing Loans

    EC, has approved, under the EU State Aid rules, the fourth prolongation of the Italian guarantee scheme to facilitate the securitization of non-performing loans.

    June 18, 2021 WebPage Regulatory News
    News

    ECB Amends Guideline on Temporary Collateral Easing Measures

    ECB published Guideline 2021/975, which amends Guideline ECB/2014/31, on the additional temporary measures relating to Eurosystem refinancing operations and eligibility of collateral.

    June 17, 2021 WebPage Regulatory News
    News

    EIOPA Releases Report on Artificial Intelligence Governance Principles

    EIOPA published a report, from the Consultative Expert Group on Digital Ethics, that sets out artificial intelligence governance principles for an ethical and trustworthy artificial intelligence in the insurance sector in EU.

    June 17, 2021 WebPage Regulatory News
    RESULTS 1 - 10 OF 7128