Regulatory requirements applicable to outsourcing (including cloud) are rooted in sector-specific legislation at both EU and national level and can vary widely between different types of firms.
At EU level, these were often devised as minimum harmonisation directives or principle-based regulation, leaving substantial room for diverging approaches across Member States. For service-providers, this can make it difficult to know which legal requirements apply to different types of financial services customer in different jurisdictions.
Regulation of outsourcing and cloud computing began to increase in July 2018, with the European Banking Authority's (EBA's) Recommendations on Cloud Outsourcing. In September 2019, these principles were extended to apply to outsourcing more widely under the EBA's Guidelines on Outsourcing, which also extended the requirements to payment and e-money institutions (this is covered in more detail here).
The guidelines imposed detailed requirements on aspects such as internal governance, risk assessment and risk management, and contractual arrangements. As a result, the industry has been busy working to update contractual arrangements to ensure compliance with the EBA Outsourcing Guidelines.
Outside the banking sector, in February 2020, the European Insurance and Occupational Pensions Authority (EIOPA) published its Guidelines on Outsourcing to Cloud Service Providers. Due to enter into force on 1 January 2021, they will require EU insurance undertakings to implement similar requirements to the EBA Outsourcing Guidelines, although they are specific to cloud computing rather than all outsourcing.
The European Securities and Markets Association has also published for consultation its own draft Guidelines on Outsourcing to Cloud Service Providers. These draft requirements cover similar ground to the EIOPA Cloud Guidelines but are less detailed in some areas.
UK banks, building societies, IFPRU investment firms, payment and e-money institutions already need to comply with the EBA Outsourcing Guidelines, which entered into force before the UK's exit from the EU. However, as the EIOPA Cloud Guidelines will enter into force after the EU's withdrawal transition period is expected to end, the Financial Conduct Authority has confirmed that they will not apply to regulated activities within the UK's jurisdiction.
Instead, the FCA will continue to apply its FG16/5 Guidance for firms outsourcing to the cloud and other third-party IT services. The FCA has indicated that it will keep this guidance under review and, where appropriate, consult to update this for consistency with international standards. Insurance undertakings carrying out activities in the EU will still be subject to the EIOPA Cloud Guidelines in relation to those activities.
The Prudential Regulatory Authority has taken a different approach. In December 2019, the PRA published Consultation on outsourcing and third-party risk management, including a draft Supervisory Statement, which takes into account both the EBA Outsourcing Guidelines and the EIOPA Cloud Guidelines. The requirements would apply across all outsourcing (not just cloud), widening the compliance requirements on UK insurance undertakings as compared to the EIOPA Cloud Guidelines. For institutions with insurance and banking arms, the approach may at least provide some welcome consistency.
Overall, the combination of different sectoral requirements, the differing approaches of the FCA and the PRA, and the UK's departure from the EU, have added to the patchwork of requirements for financial services outsourcing. The FCA's indication that it will update its guidelines on use of cloud and IT services could however prove to be an opportunity for the FCA to make its requirements on outsourcing more consistent, both across sectors, and with other regulation on digital operational resilience.
Many of the risks associated with outsourcing (and cloud computing in particular) are similar across sectors and one of EIOPA's intentions was to foster harmonisation of requirements and practice relating to cloud outsourcing.
As a result, EIOPA substantially aligned many of its requirements with the approach taken by the EBA. By contrast, the draft ESMA Cloud Guidelines cover many of the same minimum elements as the EBA and EIOPA Guidelines but diverge on the more detailed requirements. The industry has (understandably) expressed concern about the compliance burden that a fragmented approach might cause for firms regulated by both ESMA and the EBA or EIOPA.
For firms operating across both the UK and the EU27, Brexit has (perhaps not unsurprisingly) increased this fragmentation. Within the EU27, the EBA and EIOPA guidelines do appear to be achieving their aim of greater harmonisation; the vast majority have implemented the EBA Outsourcing Guidelines and stated that they intend to comply with the EIOPA Cloud Guidelines.
One notable exception is Poland, where the Polish Financial Supervision Authority has implemented its own national requirements on use of cloud in the financial services sector. The cross-border nature of ICT risks supports a consistent approach across the EU and, where relevant, with international standards.
Reforms following the 2008 financial crisis have largely focussed on financial resilience. This decade looks set to focus on operational and digital resilience. When firms make use of third-party service providers, operational resilience goes hand in hand with the regulatory requirements on outsourcing.
In December 2019, the FCA and PRA published for consultation their draft proposals on operational resilience. The proposals (which we cover in further detail here) would require in-scope firms to:
Both the FCA and PRA consultations have, however, been postponed due to the COVID-19 outbreak. It's now expected that firms and financial market infrastructures will not need to meet the requirements resulting from the consultations before the end of 2021.
As part of the EU’s Digital Finance package, on 24 September 2020, the European Commission published Proposal for a Regulation on Digital Operational Resilience for the Financial Sector. The proposed Regulation would introduce a detailed and comprehensive framework on digital operational resilience and management of ICT-risk, that would apply across the banking, insurance and securities sectors.
The proposal aims first at consolidating and upgrading the ICT risk requirements currently addressed across a myriad of separate EU sectoral legislation. All provisions addressing digital risk in finance would instead be brought together in a consistent manner in a single legislative act. This may prove welcome given the current fragmentation and inconsistencies.
The proposals focus on the management of ICT risks and seeks to enshrine target rules on ICT risk management capability, reporting and testing. It includes requirements on firms in relation to:
Proportionality and risk-based application is embedded in the proposal, through qualitative and quantitative assessment criteria (among other measures). This is intended to enable firms to tailor the requirements to the risks and needs of their specific characteristics in terms of size, business profiles, and technology risks.
The proposed Regulation would also establish a framework for the oversight of ICT third-party service providers which the European Supervisory Authorities (acting through their Joint Committee) designate as “critical” for financial entities, based on specified criteria including their systemic importance to the EU financial system. This might help provide additional reassurance for firms that rely on external ICT service providers for critical or important operational functions.
Given the risk-based focus of the requirements, compliance teams will need to work closely with business and technology teams to manage their technology and cloud outsourcing in a way which is appropriate for the specific workloads and services used. Key tips are:
If you'd like to discuss the legislation and guidelines discussed in this article, please contact a member of our Financial Services Regulatory team.
Fintech policy developments and considerations you need to know about.
1 von 5 Insights
A round up of the key cryptoasset-related developments and regulatory concerns in the UK and the EU.
2 von 5 Insights
We unpack a variety of global initiatives to establish open banking.
3 von 5 Insights
A look at the growth of identity-as-a-service fintechs.
5 von 5 Insights