Following on from a consultation process that took place in mid-2020, the European Securities and Markets Authority (ESMA) published in December 2020 its final report on guidelines on outsourcing to cloud services providers (Guidelines). These Guidelines set down the minimum requirements for cloud outsourcing arrangements.
Who do the Guidelines apply to?
The Guidelines apply to a wide range of firms, including investment firms and banks when carrying out investment services and activities, AIFMs, UCITS management companies, SMICs, depositaries of AIFs and UCITS, CCPs, trade repositories, data reporting services providers and market operators of trading venues, CSDs, credit rating agencies, securitisation repositories and benchmark administrators.
The Guidelines also apply to national competent authorities. We expect the Central Bank of Ireland (Central Bank) to notify ESMA of its intention to comply with the Guidelines in full. The Central Bank will be responsible for ensuring that firms comply with the Guidelines.
When do the Guidelines apply?
The Guidelines will apply from 30 June 2021 in relation to all cloud outsourcing arrangements entered into, renewed or amended on or after this date.
Firms are also required to ensure that any cloud outsourcing arrangements entered into prior to 30 June 2021 are compliant with the Guidelines by 31 December 2022. If they fail to do so, such firms must notify their national competent authority accordingly.
What do the Guidelines require?
The Guidelines aim to help firms and competent authorities identify, address and monitor the risks and challenges arising from cloud outsourcing arrangements, from making the decision to outsource and selecting a cloud service provider (CSP), to monitoring outsourced activities and providing for exit strategies.
The majority of the Guidelines apply where firms use cloud services for "critical or important functions" (as defined in the Guidelines in a manner consistent with the MiFID II framework and Commission Delegated Regulation (EU) No 2017/565).
ESMA specifies that the Guidelines are without prejudice to applicable requirements in sectoral legislation and notes that national competent authorities should have regard to the principle of proportionality when supervising compliance with the Guidelines.
Guideline 1: Governance, oversight and documentation
By way of summary, a firm should:
- have a defined and up-to-date cloud outsourcing strategy that is consistent with the firm's relevant strategies and internal policies and processes.
- establish a cloud outsourcing oversight function or designate senior staff members who are directly accountable for the management and oversight of cloud outsourcing arrangements.
- where the firm is small and less complex, at least ensure a clear division of tasks and responsibilities for the management and oversight of cloud outsourcing arrangements.
- ensure that monitoring of CSPs is risk-based with a primary focus on outsourced critical or important functions.
- maintain an updated register of information on all its cloud outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements, including a brief summary of the reasons why the outsourced function is or is not considered critical or important.
- include certain additional information in the register in the case of critical or important functions.
Guideline 2: Pre-outsourcing analysis and due diligence
By way of summary, a firm should:
- identify and assess: (i) all relevant risks of the cloud outsourcing arrangement, undertaking appropriate due diligence on the prospective CSP; and (ii) any conflict of interest that the outsourcing may cause.
- include in its due diligence at least an assessment of the potential impact of the cloud outsourcing arrangement on the firm's operational, legal, compliance, and reputational risks.
- ensure that the assessment and the due diligence are proportionate to the nature, scale and complexity of the function to be outsourced and the risks inherent to that function.
For critical or important functions, the Guidelines set out further details as regards the risk assessment required. In such cases firms are also required to undertake an evaluation of the suitability of the CSP, as further detailed in the Guidelines.
Guideline 3: Key contractual elements
A firm is required to:
- set out the rights and obligations of a firm and its CSP (including termination rights) in a written agreement.
- include certain prescribed contractual provisions in critical or important outsourcing agreements.
Guideline 4: Information security
A firm is obliged to:
- include information security requirements in its internal policies and procedures and within the cloud outsourcing written agreement.
- monitor compliance with these requirements on an ongoing basis.
- in the case of outsourcing of critical or important functions, consider various specified information security requirements.
It is recognised that these requirements should be proportionate to the nature, scale and complexity of the function that the firm outsources to the CSP and the risks inherent to that function.
Guideline 5: Exit strategies
A firm should:
- develop and update (as needed) exit plans that are comprehensive, documented and sufficiently tested.
- identify alternative solutions and develop transition plans to remove the outsourced function and data from the CSP.
- ensure certain matters specified in the Guidelines concerning the exit strategy are considered and addressed in the cloud outsourcing written agreement, including an obligation on the CSP to support the orderly transfer of the outsourced function.
Guideline 6: Access and audit rights
A firm:
- must ensure that it and its national competent authority are able to effectively exercise access and audit rights and oversight options on the CSP.
- may use third-party certifications and audit reports only under certain specified conditions.
- must ensure that the staff performing the audit, as well as any staff reviewing the certifications or audit reports provided by the CSP, have the right skills and knowledge to properly assess the relevant cloud services and perform an effective and relevant audit.
Guideline 7: Sub-outsourcing
In the case of the sub-outsourcing of critical or important functions, or 'material' parts thereof, the Guidelines set out minimum standards for the written agreement with the CSP.
Guideline 8: Written notification to competent authorities
Firms are obliged to notify their competent authority, in writing and in a timely manner, of planned cloud outsourcing arrangements that concern a critical or important function. Certain specified information is required to be provided by the firm as part of that notification.
Guideline 9: Supervision of cloud outsourcing arrangements
The Central Bank will be obliged to assess the risks arising from cloud outsourcing arrangements by firms as part of its supervisory process.
Within two months of the date of publication of the Guidelines on ESMA's website in all EU official languages, EEA national competent authorities must notify ESMA whether they: (i) comply, (ii) do not comply, but intend to comply, or (iii) do not comply and do not intend to comply with the Guidelines. We expect the Central Bank of Ireland to notify ESMA of its intention to comply with the Guidelines in full.
Firms will need to assess the impact of the requirements of the Guidelines on their existing policies, processes and outsourcing contracts.
Originally Published by Dillon Eustace, January 2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.