The new guidelines reflect the European Commission’s aim to provide additional certainty for regulated entities outsourcing to cloud services.
On 3 June 2020, ESMA published a consultation paper on draft guidelines regarding outsourcing to cloud service providers.
The purpose of the proposed guidelines is to provide guidance on the outsourcing requirements applicable to firms where they outsource to cloud service providers. The draft guidelines are intended to help firms identify, address, and monitor the risks that may arise from their cloud outsourcing arrangements (from making the decision to outsource, selecting a cloud service provider, and monitoring outsourced activities, to providing for exit strategies).
In addition, Steven Maijoor, Chair of ESMA, stated: “Financial markets participants should be careful that they do not become overly reliant on their cloud services providers… They need to closely monitor the performance and the security measures of their cloud service provider and make sure that they are able to exit the cloud outsourcing arrangement as and when necessary… [the] proposals will help firms understand and mitigate the risks that they are exposed to when outsourcing to cloud service providers”.
ESMA confirmed that the proposed guidelines are consistent with (although there are some notable differences between) the recommendations on outsourcing to cloud service providers published by the EBA in February 2017, and subsequently incorporated into revised EBA guidelines on outsourcing arrangements in February 2019, and the guidelines on cloud outsourcing published by EIOPA in February 2020. (See EIOPA Issues Final Guidelines on Outsourcing and What EBA’s Outsourcing Guidelines Mean for Financial Institutions for further information.)
The proposed guidelines apply to a long list of regulated entities that fall within ESMA’s scope of supervision, including “investment firms and credit institutions when carrying out investment services and activities”, data reporting services providers, market operators, AIFMs, CCPs, and benchmark administrators.
Credit institutions are already subject to the EBA’s guidelines on outsourcing, and the EBA has made clear that those guidelines apply without prejudice to any ESMA guidance regarding investment services and activities. Some credit institutions will therefore need to comply with both the EBA and ESMA guidelines if they have an investment arm, and groups that also have an insurance arm are also likely to be subject to the EIOPA guidelines. Therefore, some firms could potentially be subject to three outsourcing regimes, in addition to the IOSCO Principles on Outsourcing.
The proposed guidelines
The nine draft guidelines set out:
- The governance, documentation, oversight, and monitoring mechanisms that firms should have in place
- The pre-outsourcing analysis and due diligence to be undertaken by a firm on its cloud service provider
- The minimum elements that outsourcing and sub-outsourcing agreements should include
- The approach regarding information security
- The approach regarding exit strategies
- The approach regarding access and audit rights that should be catered for
- The approach regarding sub-outsourcing
- The notification requirements to competent authorities
- The supervision of cloud outsourcing arrangements by competent authorities
The guidelines apply to any “cloud outsourcing arrangement”, which is defined as both an outsourcing to a cloud service provider and use of a cloud service provider in a supply chain. Therefore, the guidelines have a broad scope that will impact firms utilising fintech platforms which frequently leverage cloud technology to operate.
There are some key differences between the draft ESMA, the EBA, and the EIOPA guidelines. ESMA’s draft guidelines are much shorter and less detailed overall than the EBA guidelines in particular. The EBA guidelines contain a number of paragraphs on the governance framework, including in relation to internal audit, business continuity, and termination rights. ESMA only touches on these areas briefly. Unlike the EBA and EIOPA guidelines, the ESMA guidelines do not provide detailed information on how they will be applied to groups. In contrast, the ESMA guidelines do provide detailed information on information security, including a requirement that firms, in relation to access management, should ensure that “strong authentication mechanisms, for example two factor authentication, are implemented”.
ESMA’s suggested approach regarding the pre-outsourcing analysis and due diligence a firm should undertake on its cloud service provider is similar to the EBA guidelines. In addition, the ESMA guidelines set out that firms should consider the cloud service provider’s “service support, including support plans and contacts, and incident management processes”.
The consultation closes on 1 September 2020 and seeks feedback from both competent authorities and financial market participants that use cloud services provided by third parties. ESMA states that the consultation is also important for cloud service providers, as the draft guidelines aim to ensure that potential risks firms may face from the use of cloud services are properly addressed.
ESMA has indicated that it will consider the responses it receives to the consultation paper in Q3 2020 and expects to publish a final report and guidelines in Q4 2020/Q1 2021. The guidelines are due to apply, from 30 June 2021, to all cloud outsourcing arrangements entered into, renewed, or amended on or after this date. Firms should therefore review and amend existing cloud outsourcing arrangements to ensure that they take into account these guidelines by 31 December 2022.