2 October 2020

Fintech 2020 – 4 of 5 Insights

Outsourcing in financial services – regulatory developments and practical tips

Exploring the changing regulatory requirements, and considering tips for compliance and third-party negotiations.

Author

Clare Reynolds

Senior Counsel


Regulatory requirements applicable to outsourcing (including cloud) are rooted in sector-specific legislation at both EU and national level and can vary widely between different types of firms. 

At EU level, these were often devised as minimum harmonisation directives or principle-based regulation, leaving substantial room for diverging approaches across Member States. For service providers, this can make it difficult to know which legal requirements apply to different types of financial services customers in different jurisdictions.

Increasing regulation of outsourcing and cloud computing

Regulation of outsourcing and cloud computing began to increase in July 2018, with the European Banking Authority's (EBA's) Recommendations on Cloud Outsourcing. In September 2019, these principles were extended to apply to outsourcing more widely under the EBA's Guidelines on Outsourcing, which also extended the requirements to payment and e-money institutions (this is covered in more detail here).

The guidelines imposed detailed requirements on aspects such as internal governance, risk assessment and risk management, and contractual arrangements. As a result, the industry has been busy working to update contractual arrangements to ensure compliance with the EBA Outsourcing Guidelines.

Outside the banking sector, in February 2020, the European Insurance and Occupational Pensions Authority (EIOPA) published its Guidelines on Outsourcing to Cloud Service Providers. Due to enter into force on 1 January 2021, they will require EU insurance undertakings to implement similar requirements to the EBA Outsourcing Guidelines, although they are specific to cloud computing rather than all outsourcing.

The European Securities and Markets Association has also published for consultation its own draft Guidelines on Outsourcing to Cloud Service Providers. These draft requirements cover similar ground to the EIOPA Cloud Guidelines but are less detailed in some areas.

The response of the UK regulators and Brexit

UK banks, building societies, IFPRU investment firms, payment and e-money institutions already need to comply with the EBA Outsourcing Guidelines, which entered into force before the UK's exit from the EU. However, as the EIOPA Cloud Guidelines will enter into force after the EU's withdrawal transition period is expected to end, the Financial Conduct Authority has confirmed that they will not apply to regulated activities within the UK's jurisdiction.

Instead, the FCA will continue to apply its FG16/5 Guidance for firms outsourcing to the cloud and other third-party IT services. The FCA has indicated that it will keep this guidance under review and, where appropriate, consult to update this for consistency with international standards. Insurance undertakings carrying out activities in the EU will still be subject to the EIOPA Cloud Guidelines in relation to those activities. 

The Prudential Regulatory Authority has taken a different approach. In December 2019, the PRA published Consultation on outsourcing and third-party risk management, including a draft Supervisory Statement, which takes into account both the EBA Outsourcing Guidelines and the EIOPA Cloud Guidelines. The requirements would apply across all outsourcing (not just cloud), widening the compliance requirements on UK insurance undertakings as compared to the EIOPA Cloud Guidelines. For institutions with insurance and banking arms, the approach may at least provide some welcome consistency.

Overall, the combination of different sectoral requirements, the differing approaches of the FCA and the PRA, and the UK's departure from the EU, have added to the patchwork of requirements for financial services outsourcing. The FCA's indication that it will update its guidelines on use of cloud and IT services could however prove to be an opportunity for the FCA to make its requirements on outsourcing more consistent, both across sectors, and with other regulation on digital operational resilience. 

Has harmonisation of approach to cloud and outsourcing been achieved?

Many of the risks associated with outsourcing (and cloud computing in particular) are similar across sectors and one of EIOPA's intentions was to foster harmonisation of requirements and practice relating to cloud outsourcing. 

As a result, EIOPA substantially aligned many of its requirements with the approach taken by the EBA. By contrast, the draft ESMA Cloud Guidelines cover many of the same minimum elements as the EBA and EIOPA Guidelines but diverge on the more detailed requirements. The industry has (understandably) expressed concern about the compliance burden that a fragmented approach might cause for firms regulated by both ESMA and the EBA or EIOPA. 

For firms operating across both the UK and the EU27, Brexit has (perhaps unsurprisingly) increased this fragmentation. Within the EU27, the EBA and EIOPA guidelines do appear to be achieving their aim of greater harmonisation; the vast majority of Member State regulators have implemented the EBA Outsourcing Guidelines and stated that they intend to comply with the EIOPA Cloud Guidelines.

One notable exception is Poland, where the Polish Financial Supervision Authority has implemented its own national requirements on use of cloud in the financial services sector. The cross-border nature of ICT risks supports a consistent approach across the EU and, where relevant, with international standards. 

Operational resilience goes mainstream

Reforms following the 2008 financial crisis have largely focussed on financial resilience. This decade looks set to focus on operational and digital resilience. When firms make use of third-party service providers, operational resilience goes hand in hand with the regulatory requirements on outsourcing.

In December 2019, the FCA and PRA published for consultation their draft proposals on operational resilience. The proposals (which we cover in further detail here) would require in-scope firms to:

  • identify their important business services
  • set impact tolerances for each important business service
  • map the people, processes, technology, facilities and information that support each important business service, and
  • take actions to be able to remain within their impact tolerances through a range of "severe but plausible" disruption scenarios. 

Both the FCA and PRA consultations have, however, been postponed due to the COVID-19 outbreak. It's now expected that firms and financial market infrastructures will not need to meet the requirements resulting from the consultations before the end of 2021.

In the pipeline: EU proposal on digital operational resilience

As part of the EU's Digital Finance package, on 24 September 2020, the European Commission published its Proposal for a Regulation on Digital Operational Resilience for the Financial Sector. The proposed Regulation would introduce a detailed and comprehensive framework on digital operational resilience and the management of ICT risk that would apply across the banking, insurance and securities sectors.

The proposal aims first at consolidating and upgrading the ICT risk requirements currently addressed across a myriad of separate EU sectoral legislation. All provisions addressing digital risk in finance would instead be brought together in a consistent manner in a single legislative act. This may prove welcome given the current fragmentation and inconsistencies.

The proposal focuses on the management of ICT risks and seeks to enshrine target rules on ICT risk management capability, reporting and testing. It includes requirements on firms in relation to:

  • ICT risk management
  • governance and responsibility of the management body
  • the monitoring, classification and reporting of ICT-related incidents
  • testing, including threat-led penetration testing, and
  • ICT third-party risk management (including contractual requirements).

Proportionality and risk-based application are embedded in the proposal, through qualitative and quantitative assessment criteria (among other measures). This is intended to enable firms to tailor the requirements to their specific characteristics in terms of size, business profile and technology risk.

The proposed Regulation would also establish a framework for the oversight of ICT third-party service providers which the European Supervisory Authorities (acting through their Joint Committee) designate as “critical” for financial entities, based on specified criteria including their systemic importance to the EU financial system. This might help provide additional reassurance for firms that rely on external ICT service providers for critical or important operational functions.

Practical tips for compliance and navigating third party negotiations

Given the risk-based focus of the requirements, compliance teams will need to work closely with business and technology teams to manage their technology and cloud outsourcing in a way which is appropriate for the specific workloads and services used. Key tips are:

  • Critical or important operational functions: one thing that is consistent across all the existing guidelines is that higher compliance standards apply when firms outsource or use cloud for critical or important operational functions. Firms will need to carefully assess whether third party arrangements relate to operational functions which are (or have the potential to become) critical or important operational functions, and monitor this over time.
  • Risk assessments and risk-based approach: regulators are increasingly focused on risks stemming from reliance on ICT. Firms should be able to show that they understand and monitor the risks of the technology they use, and take corrective action when weaknesses are identified.
  • Sub-outsourcing and understanding supply chains: another area receiving regulator attention is the complex supply chains often involved in the procurement of technology. For example, where firms use SaaS providers for critical or important operational functions, those SaaS providers may rely on cloud and other technology providers for the delivery of those services. Firms need to be aware of these arrangements and build this into their risk assessments.
  • Audit and balancing with security risks: given the multi-tenant nature of cloud computing and the importance of physical security at data centres, one area that has proved particularly controversial to date is the requirement under the EBA Guidelines for unrestricted on-site audits. Firms should be aware that ICT providers need to strike a balance between providing the audit rights that customers need to comply with the EBA and EIOPA Guidelines and maintaining the security of the cloud environment.
  • Contractual documentation: many suppliers have sought to help customers' compliance by preparing additional terms for customers subject to the EBA Guidelines. Firms should ensure that any contractual terms provided by service providers fit with their own use of the services and internal risk management framework.

Find out more

If you'd like to discuss the legislation and guidelines discussed in this article, please contact a member of our Financial Services Regulatory team.
