Featured Product

    ESMA Issues Guidelines on Outsourcing to Cloud Service Providers

    May 10, 2021

    ESMA published the final guidelines on outsourcing to cloud service providers. These guidelines apply from July 31, 2021 to all cloud outsourcing arrangements entered into, renewed, or amended on or after this date. Firms should review and, accordingly, amend the existing cloud outsourcing arrangements to ensure that these arrangements consider the guidelines by December 31, 2022. Where the review of cloud outsourcing arrangements of critical or important functions is not finalized by December 31, 2022, firms should inform their competent authority about this, along with the measures planned to complete the review or the possible exit strategy.

    These guidelines are intended to establish consistent, efficient, and effective supervisory practices within the European System of Financial Supervision. The guidelines apply to competent authorities; investment firms; credit institutions when carrying out investment services and activities; tier 2 third-country central counterparties that comply with the relevant requirements of European Market Infrastructure Regulation (EMIR); data reporting services providers and market operators of trading venues; credit rating agencies; trade repositories; securitization repositories; and administrators of critical benchmarks. The guidelines aim to help firms and competent authorities identify, address, and monitor the risks and challenges arising from cloud outsourcing arrangements that could span from making the decision to outsource, selecting a cloud service provider, and monitoring outsourced activities to providing for exit strategies. The guidelines cover the following key elements:

    • Governance. A firm should have a defined and up-to-date cloud outsourcing strategy that is consistent with the firm’s relevant strategies and internal policies and processes, including in relation to information and communication technology, information security, and operational risk management.  
    • Pre-outsourcing analysis and due diligence. Before entering into any cloud outsourcing arrangement, a firm should assess if the cloud outsourcing arrangement concerns a critical or important function; identify and assess all relevant risks of the cloud outsourcing arrangement; undertake appropriate due diligence on the prospective cloud service provider; and identify and assess any conflict of interest that the outsourcing may cause.
    • Key contractual elements. The respective rights and obligations of a firm and its cloud service provider should be clearly set out in a written agreement.
    • Exit strategies. In case of outsourcing of critical or important functions, a firm should ensure that it is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and services to its clients, and without any detriment to its compliance with its obligations under the applicable legislation, as well as the confidentiality, integrity and availability of its data.
    • Access and audit rights. A firm should ensure that the cloud outsourcing written agreement does not limit the firm’s and competent authority’s effective exercise of the access and audit rights and oversight options on the cloud service provider.
    • Sub-outsourcing. If sub-outsourcing of critical or important functions (or material parts thereof) is permitted, the cloud outsourcing written agreement between the firm and the cloud service provider should, among other things, specify any part or aspect of the outsourced function that are excluded from potential sub-outsourcing. 
    • Written notification to competent authorities. A firm should notify, in writing, its competent authority in a timely manner about the planned cloud outsourcing arrangements that concern a critical or important function. 
    • Supervision of cloud outsourcing arrangements. Competent authorities should assess risks arising from a firm's cloud outsourcing arrangements as part of their supervisory process; this assessment should focus on the arrangements that relate to the outsourcing of critical or important functions. 

     

    Related Links

    Keywords: Europe, EU, Banking, Securities, Cloud Service Providers, Fintech, Regtech, Outsourcing, Cloud Computing, ESMA

    Related Articles
    News

    EU Agencies Update LCR Rule and Macro-Prudential Policy Recommendation

    The European Commission (EC) published the Delegated Regulation 2022/786 with regard to the liquidity coverage requirements for credit institutions under the Capital Requirements Regulation (CRR).

    May 23, 2022 WebPage Regulatory News
    News

    EBA Publishes Regulatory Standards to Identify Shadow Banking Entities

    The European Banking Authority (EBA) published the final draft regulatory technical standards specifying the criteria to identify shadow banking entities for the purposes of reporting large exposures.

    May 23, 2022 WebPage Regulatory News
    News

    OSFI Discusses Benchmark Rate Transition, Sets Out Work Priorities

    The Office of the Superintendent of Financial Institutions (OSFI) published the strategic plan for 2022-2025 and the departmental plan for 2022-23.

    May 17, 2022 WebPage Regulatory News
    News

    EBA Proposes Standards to Support Secondary NPL Markets

    The European Banking Authority (EBA) is consulting, until August 31, 2022, on the draft implementing technical standards specifying requirements for the information that sellers of non-performing loans (NPLs) shall provide to prospective buyers.

    May 17, 2022 WebPage Regulatory News
    News

    EU Confirms Agreement on Rules on Cybersecurity and Banking Resolution

    The European Council and the Parliament reached an agreement on the revised Directive on security of network and information systems (NIS2 Directive).

    May 13, 2022 WebPage Regulatory News
    News

    EBA Issues Standards for Crowdfunding Service Providers Under ECSPR

    The European Banking Authority (EBA) published the final draft regulatory technical standards specifying information that crowdfunding service providers shall provide to investors on the calculation of credit scores and prices of crowdfunding offers.

    May 13, 2022 WebPage Regulatory News
    News

    EU to Amend Credit Risk Adjustment Rules; ESAs Submit Queries on SFDR

    The European Council published a draft Commission Delegated Regulation to amend the regulatory technical standards on specification of the calculation of specific and general credit risk adjustments.

    May 13, 2022 WebPage Regulatory News
    News

    EU Confirms Agreement on Rules on Cybersecurity and Banking Resolution

    The European Securities and Markets Authority (ESMA) published a paper that examines the systemic risk posed by increasing use of cloud services, along with the potential policy options to mitigate this risk.

    May 12, 2022 WebPage Regulatory News
    News

    MAS Amends Notice 635 and Issues Second Proposal on Green Taxonomy

    The Monetary Authority of Singapore (MAS) published amendments to Notice 635, which sets out requirements that a bank in Singapore has to comply with when granting an unsecured non-card credit facility to individuals.

    May 12, 2022 WebPage Regulatory News
    News

    EC Consults on PSD2 and Open Finance; EU Reaches Agreement on DORA

    The European Commission (EC) published a public consultation on the review of revised payment services directive (PSD2) and open finance.

    May 11, 2022 WebPage Regulatory News
    RESULTS 1 - 10 OF 8201