Getting Cautious on Cloud Outsourcing: ESMA Consults on Proposed Guidelines
In Short
The Situation: On June 3, 2020, the European Securities and Markets Authority ("ESMA") published a consultation paper on Outsourcing to Cloud Service Providers ("Proposed Guidelines"), which will apply to any institution under the direct or indirect jurisdiction of ESMA.
The Result: ESMA proposes a set of guidelines limited to cloud outsourcing, which are partially inspired by the 2019 EBA guidelines on outsourcing. The guidelines must be endorsed by EU national competent authorities and will not override more stringent rules applicable to certain categories of institutions.
Looking Ahead: The Proposed Guidelines are under consultation until September 1, 2020, and once adopted will enter into force on June 30, 2021. They will apply to all new or revised cloud arrangements, and legacy arrangements will have to conform to the Proposed Guidelines no later than December 31, 2022.
Scope
The Proposed Guidelines would apply to a wide range of financial institutions and market infrastructures. These include AIFMs, UCITS, fund depositaries, investment firms, credit institutions (when acting as investment service providers), market operators of trading venues, central counterparties ("CCPs") including Tier 2 third-country CCPs, credit rating agencies, central securities depositories, securitization repositories, and benchmark administrators (together, "institutions").
In terms of subject matter, this new set of guidelines would apply to the specific provisions identified in each piece of regulation currently applicable to the institutions, whenever an institution intends to outsource services or functions to cloud service providers ("CSPs"). Where the outsourced services or activities qualify as critical or important functions, the outsourcing arrangements would be subject to additional obligations.
EBA Guidelines
Some institutions may already be subject to the EBA guidelines on outsourcing arrangements, which cover outsourcing arrangements with CSPs ("EBA Guidelines"). However, although part of the Proposed Guidelines replicates what already applies under the EBA Guidelines, nothing is provided to avoid duplicated compliance with both sets of guidelines for, for example, credit institutions acting as investment service providers (or, similarly, CCPs holding a credit institution license).
Governance and Assessment
As in the EBA Guidelines, the Proposed Guidelines would require institutions to maintain a register of all their CSP outsourcing arrangements, with detailed information for those relating to critical or important functions. ESMA should be asked during the consultation process to confirm whether such a register may be held at the group level.
A thorough pre-assessment should be conducted through due diligence to ensure the technical and legal soundness of the envisaged arrangement, including elements external to the CSP, such as the legal and political environment in which it operates.
Contracts and Procedures
ESMA acknowledges that institutions, particularly independent and small ones, may have difficulties negotiating agreements with large CSPs. However, most of the mandatory provisions to be reflected in such agreements would relate only to critical or important functions, and those essentially reflect the mandatory provisions required under the EBA Guidelines. Such provisions are intended to give institutions control over a number of key elements of the outsourcing, such as location of the CSP, applicable service levels, required security arrangements, reporting obligations of the CSP, and definition of continuity and recovery plans.
Access, Audit Rights, and Exit Plan
In addition to establishing proper internal policies and procedures, and to reflecting them in the arrangements to the extent necessary, institutions should consider the following when putting cloud outsourcing in place: ensuring access to the outsourced data, ensuring that such data are stored safely and confidentially, implementing adequate segregation within the CSP's networks, and using encryption technology where needed. Exit strategies should also be planned for arrangements relating to critical or important functions. ESMA particularly stresses the high level of technical complexity in the cloud area and the need for institutions to have proper resources, or consultants, able to perform the required audits.
Sub-outsourcing
Sub-outsourcing of critical or important functions requires particular attention and care when the arrangement is established. Key considerations include defining the scope of permitted sub-outsourcing, ensuring proper supervision of third parties by the CSP, and recognizing the right to object to intended sub-outsourcing plans.
Three Key Takeaways
- Institutions outsourcing part or all of their data to cloud service providers should respond to the consultation to confirm proportionality of any aspect of the new rules envisaged in the Proposed Guidelines.
- Groups that are already subject, for some of their entities, to the EBA guidelines on outsourcing should seek external advice to propose amendments that ensure the two sets of guidelines are properly coordinated and that avoid any redundancy.
- At the same time, institutions should begin preparing for compliance and, in particular, get ready to review their outsourcing agreements and documentation.