Featured Product

    ESMA Issues Guidelines on Outsourcing to Cloud Service Providers

    May 10, 2021

    ESMA published the final guidelines on outsourcing to cloud service providers. These guidelines apply from July 31, 2021 to all cloud outsourcing arrangements entered into, renewed, or amended on or after this date. Firms should review and, accordingly, amend the existing cloud outsourcing arrangements to ensure that these arrangements consider the guidelines by December 31, 2022. Where the review of cloud outsourcing arrangements of critical or important functions is not finalized by December 31, 2022, firms should inform their competent authority about this, along with the measures planned to complete the review or the possible exit strategy.

    These guidelines are intended to establish consistent, efficient, and effective supervisory practices within the European System of Financial Supervision. The guidelines apply to competent authorities; investment firms; credit institutions when carrying out investment services and activities; tier 2 third-country central counterparties that comply with the relevant requirements of European Market Infrastructure Regulation (EMIR); data reporting services providers and market operators of trading venues; credit rating agencies; trade repositories; securitization repositories; and administrators of critical benchmarks. The guidelines aim to help firms and competent authorities identify, address, and monitor the risks and challenges arising from cloud outsourcing arrangements that could span from making the decision to outsource, selecting a cloud service provider, and monitoring outsourced activities to providing for exit strategies. The guidelines cover the following key elements:

    • Governance. A firm should have a defined and up-to-date cloud outsourcing strategy that is consistent with the firm’s relevant strategies and internal policies and processes, including in relation to information and communication technology, information security, and operational risk management.  
    • Pre-outsourcing analysis and due diligence. Before entering into any cloud outsourcing arrangement, a firm should assess if the cloud outsourcing arrangement concerns a critical or important function; identify and assess all relevant risks of the cloud outsourcing arrangement; undertake appropriate due diligence on the prospective cloud service provider; and identify and assess any conflict of interest that the outsourcing may cause.
    • Key contractual elements. The respective rights and obligations of a firm and its cloud service provider should be clearly set out in a written agreement.
    • Exit strategies. In case of outsourcing of critical or important functions, a firm should ensure that it is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and services to its clients, and without any detriment to its compliance with its obligations under the applicable legislation, as well as the confidentiality, integrity and availability of its data.
    • Access and audit rights. A firm should ensure that the cloud outsourcing written agreement does not limit the firm’s and competent authority’s effective exercise of the access and audit rights and oversight options on the cloud service provider.
    • Sub-outsourcing. If sub-outsourcing of critical or important functions (or material parts thereof) is permitted, the cloud outsourcing written agreement between the firm and the cloud service provider should, among other things, specify any part or aspect of the outsourced function that are excluded from potential sub-outsourcing. 
    • Written notification to competent authorities. A firm should notify, in writing, its competent authority in a timely manner about the planned cloud outsourcing arrangements that concern a critical or important function. 
    • Supervision of cloud outsourcing arrangements. Competent authorities should assess risks arising from a firm's cloud outsourcing arrangements as part of their supervisory process; this assessment should focus on the arrangements that relate to the outsourcing of critical or important functions. 

     

    Related Links

    Keywords: Europe, EU, Banking, Securities, Cloud Service Providers, Fintech, Regtech, Outsourcing, Cloud Computing, ESMA

    Related Articles
    News

    EBA Updates Filing Rules for Supervisory Reporting

    The European Banking Authority (EBA) published version 5.1 of the filing rules for supervisory reporting.

    October 19, 2021 WebPage Regulatory News
    News

    ECB Amends Guideline on Procedures for Collection of AnaCredit Data

    The European Central Bank (ECB) Guideline 2021/1829 on the procedures for the collection of granular credit and credit risk data has been published in the Official Journal of European Union.

    October 19, 2021 WebPage Regulatory News
    News

    ECB Amends Guideline on Procedures for Collection of AnaCredit Data

    The European Central Bank (ECB) Guideline 2021/1829 on the procedures for the collection of granular credit and credit risk data has been published in the Official Journal of European Union.

    October 19, 2021 WebPage Regulatory News
    News

    EBA Publishes Standards on Disclosure of Investment Policy Under IFR

    The European Banking Authority (EBA) published the final draft regulatory technical standards on disclosure of investment policy by investment firms, under the Investment Firms Regulation (IFR).

    October 19, 2021 WebPage Regulatory News
    News

    APRA Finalizes Guidance for New Prudential Standard on Remuneration

    The Australian Prudential Regulation Authority (APRA) published the prudential practice guide CPG 511 to assist banks, insurers, and superannuation licensees in meeting requirements of CPS 511, the new prudential standard on remuneration.

    October 18, 2021 WebPage Regulatory News
    News

    OCC Updated LIBOR Self-Assessment Tool for Banks

    The Office of the Comptroller of the Currency (OCC) published a bulletin that provides an updated self-assessment tool for banks to evaluate their preparedness for cessation of the London Interbank Offered Rate (LIBOR).

    October 18, 2021 WebPage Regulatory News
    News

    TCFD Updates Guidance for Financial Disclosures on Climate Risk

    The Financial Stability Board (FSB) published a report that examines the progress made toward disclosures aligned with recommendations of the Task Force on Climate-related Financial Disclosures (TCFD).

    October 14, 2021 WebPage Regulatory News
    News

    BCBS Report Examines Progress on Adoption of Basel III Framework

    The Basel Committee on Banking Supervision (BCBS) published the progress report on adoption of the Basel III regulatory framework in member jurisdictions.

    October 14, 2021 WebPage Regulatory News
    News

    ACPR Implements Updates Related to DPM Version 3.1

    The French Prudential Supervisory Authority (ACPR) has implemented, in its information system, updates linked to the Data Point Model (DPM) version 3.1.

    October 14, 2021 WebPage Regulatory News
    News

    EBA Note Examines Transition Risks of Benchmark Rates

    The European Banking Authority (EBA) published a thematic note that aims to identify and raise awareness of the transition risks of benchmark rates, as the London Interbank Offered Rate (LIBOR) and the Euro Overnight Index Average (EONIA) are close to being phased out.

    October 14, 2021 WebPage Regulatory News
    RESULTS 1 - 10 OF 7571