In recognition of the increased tendency over recent years of financial institutions to outsource their IT function, and cloud computing becoming the preferred option for many firms, the European Securities and Markets Authority ("ESMA") has published a consultation paper dated 3 June 2020 providing Draft Guidelines on Outsourcing to Cloud Service Providers ("the Guidelines"), in line with the EBA Guidelines on Outsourcing Arrangements which came into effect on 30th September 2019. The full text of the Guidelines may be accessed here
The Guidelines aim to provide guidance on the institutions' obligations to ensure that, when outsourcing to cloud service providers, compliance with their legal and regulatory obligations is not compromised.
The Guidelines are organized under nine headings, a brief summary of which is provided below.
Guideline 1 – Governance, oversight and documentation
ESMA has identified that there is a risk of cloud-based outsourcing to be conceived purely as an IT matter, and, to this end, insufficient attention is given to its use.
Firms should come up with a defined cloud outsourcing strategy, and ensure that sufficient resources are allocated to ensure compliance with the Guidelines and surrounding obligations, as well as clear assignment of the oversight responsibility internally.
A register should be kept containing all information with regard to the cloud outsourcing arrangement of the firm and ongoing monitoring based on a risk-based approach should be established.
Guideline 2 – Pre-outsourcing analysis and due diligence
Cloud service providers often offer a one-size-fits-all approach which may not be suitable for all firms.
To this end, firms should carry out a pre-outsourcing analysis and due diligence proportionate to the risks inherent to the function to be outsourced as well as its nature, scale and complexity.
When outsourcing a critical function, the firm should also assess the suitability of the cloud service provider, which should be re-assessed if a significant deficiency or change to the service provided is identified.
Guideline 3 – Contractual requirements
The respective rights and obligations of the parties should be clearly allocated and set out between the firm and the cloud service provider, and the firm should have the explicit right to terminate, when necessary.
Additional requirements apply to the contractual terms where critical or important functions are outsourced.
Guideline 4 – Information Security
A firm should have clearly set out information security requirements in its internal policies and ensure that these are observed and monitored on an ongoing basis within its cloud outsourcing agreements.
Minimum requirements apply where critical or important functions are outsourced.
Guideline 5 – Exit Strategies
In the event of the outsourcing of critical or important functions, clearly defined exit strategies should be incorporated in a firm's cloud outsourcing arrangements to ensure that the firm will be able to exit the agreement without undue disruption to its business activities and services to its clients, and without detriment to its compliance with applicable legal requirements, confidentiality, integrity and availability of its data.
Guideline 6 – Access and audit rights
Firms must ensure that the cloud outsourcing agreements in place do not limit their ability to effectively exercise their access and audit rights as well as their oversight of the cloud service provider.
Given the technical complexities presented by cloud solutions, firms must ensure that the staff performing the audit is properly skilled and qualified to perform the audit effectively.
Guideline 7 – Sub-outsourcing
In the event that the cloud service provider sub-outsources to a third-party provider all or part of critical or important functions of the firm, the cloud outsourcing agreement between the cloud service provider and the firm should explicitly set out the terms and conditions of this sub-outsourcing, and safeguard the firm's ability to comply with its obligations, and safeguard its right to terminate the agreement.
Guideline 8 – Written notification to competent authorities
Firms should notify the competent authorities of any outsourcing arrangement of critical or important functions in a timely manner.
Minimum requirements with regard to the information to be included in the notification are set out based on the principle of proportionality.
Guideline 9 – Supervision of cloud outsourcing arrangements
Competent authorities should assess the risks arising from the firms' cloud outsourcing arrangements, with particular focus on the outsourcing of critical or important functions, and should be satisfied that they are able to supervise effectively, especially in terms of arrangements where critical or important functions are performed outside the EU.
The Guidelines will apply from 30th June 2021 to all cloud outsourcing arrangements entered into, renewed or amended on or after this date. Firms must review their arrangements in light of the Guidelines by 31st December 2022.
ESMA's final report and guidelines on the matter are anticipated in Q4 2020/Q1 2021. CySEC will adopt the Guidelines as part of its supervisory activities once these are finalised and published by ESMA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.