On 10 May 2021, the European Securities and Markets Authority (ESMA) published its final Guidelines on outsourcing to cloud service providers (ESMA Guidelines), which aim to provide guidance to financial institutions and supervisory authorities on the steps to be followed in relation to the ever-increasing use of cloud outsourcing. The ESMA Guidelines build on the existing ESAs' guidance framework on outsourcing, which is based on the European Banking Authority's (EBA) Guidelines on outsourcing arrangements published in February 2019 (EBA Guidelines) and the European Insurance and Occupational Pensions Authority's (EIOPA) Guidelines on cloud outsourcing of 8 December 2020 (EIOPA Guidelines).
Whereas the EBA Guidelines apply to all types of outsourcing arrangements entered into by credit institutions, investment firms subject to the CRD IV framework, and payment and e-money institutions, the ESMA Guidelines follow an approach similar to that of the EIOPA Guidelines by focusing only on outsourcing arrangements with cloud service providers.
The ESMA Guidelines apply to a wide range of firms, including, among others, Alternative Investment Fund Managers (AIFMs), UCITS Management Companies, investment firms and credit institutions (insofar as they provide investment services), operators of trading venues, CSDs and credit rating agencies.
Cloud outsourcing arrangement
The definition of "cloud outsourcing arrangement" under the ESMA Guidelines covers arrangements in any form (including delegation arrangements) between a regulated firm and a provider of services based on cloud computing (cloud service provider, CSP), by which the CSP performs a function that would otherwise be undertaken by the firm itself. Further, the ESMA Guidelines apply equally to arrangements between a regulated firm and a third party that itself relies on a CSP to perform its functions, in which case all references to CSPs are to be read as referring to that third party.
The ESMA Guidelines will apply to all in-scope outsourcing arrangements of regulated firms entered into or amended on or after 31 July 2021. For existing outsourcing arrangements, firms will have until 31 December 2022 to make the necessary amendments in accordance with the ESMA Guidelines.
Divided into nine focus areas, the ESMA Guidelines set out the following governance and process requirements that in-scope firms will have to comply with when entering into outsourcing arrangements with cloud service providers. To that end, ESMA follows the approach previously taken by the EBA and EIOPA by stipulating a specific group of enhanced requirements that apply to the outsourcing of critical or important functions. Following the principles set out in the MiFID II Delegated Regulation (EU) 2017/565, ESMA considers any function within the firm to be critical or important where a defect or failure in its performance would materially impair the firm's compliance with applicable regulatory requirements, its financial performance, or the soundness and continuity of its main services and activities. In-scope firms will be required to differentiate between the outsourcing of critical or important functions and other outsourcing arrangements, and will need to provide a brief summary of the reasons for the classification of each outsourcing arrangement.
Governance, oversight and documentation: In-scope firms will be required to develop an outsourcing strategy that establishes appropriate governance arrangements, providing for a proper allocation of roles and responsibilities and sufficient resources for compliance. Further, as part of the outsourcing strategy, firms are required to establish a cloud outsourcing oversight function or to designate a member of senior staff who will be directly accountable to the management body and responsible for the management and oversight of the risks associated with cloud outsourcing arrangements.
Pre-outsourcing analysis and due diligence: Before entering into outsourcing arrangements with cloud service providers, in-scope firms will be required to identify and assess all relevant risks attached to the proposed outsourcing arrangement. Further, in-scope firms will be required to conduct due diligence on the potential impacts that the cloud outsourcing arrangement could have on their operational, legal and compliance risks. In the case of outsourcing of critical or important functions, firms will be required to take additional steps at this stage by evaluating the suitability of the cloud service provider (in terms of its business reputation, organisational structure, skills and resources) for the performance of the particular function.
The ESMA Guidelines come as the final piece of the ESAs' guidance framework on outsourcing arrangements.
As part of its Digital Finance Package published in September 2020, the EU Commission published a proposal for a Regulation on digital operational resilience for the financial sector (also known as the Digital Operational Resilience Act, "DORA"), which aims to harmonise rules on the identification, mitigation and management of information and communication technology (ICT) risks for financial institutions. To a certain extent, DORA also aims to harmonise rules on outsourcing arrangements that are currently contained in sector-specific pieces of legislation (e.g. MiFID II, AIFMD and CRD IV), given that, in the absence of common standards on contractual arrangements for outsourcing, the ICT risks attached to outsourcing service providers cannot be adequately addressed.