The European Securities and Markets Authority (ESMA) on May 10 published final guidelines on outsourcing to cloud service providers (ESMA Guidelines) to help firms and competent authorities identify, address, and monitor the risks and challenges arising from cloud outsourcing arrangements. Subject to a few clarifications, the ESMA Guidelines are broadly consistent with the draft guidelines.
Following publication, competent authorities in the European Union have two months in which to notify ESMA whether they comply or intend to comply with the ESMA Guidelines. Firms are not required to report whether they comply with the ESMA Guidelines.
The ESMA Guidelines follow the European Banking Authority’s (EBA’s) guidelines on cloud outsourcing (EBA Guidelines), which apply to the banking, investment, and payment activities and services of financial institutions, such as investment firms and credit institutions, and the European Insurance and Occupational Pensions Authority’s guidelines on cloud outsourcing, which apply to insurance and reinsurance undertakings.
Firms Subject to the Guidelines
The ESMA Guidelines are relevant to, among others, investment firms, alternative investment fund managers, undertakings for collective investment in transferable securities (UCITS), management companies and depositaries of alternative investment funds and of UCITS, central counterparties, and central securities depositories, each to the extent operating in the European Union.
The ESMA Guidelines will apply from July 31, 2021, to all in-scope cloud outsourcing arrangements entered into, renewed, or amended on or after that date. Firms should review existing cloud outsourcing arrangements and amend them accordingly, with a view to ensuring that they take the guidelines into account by December 31, 2022.
The ESMA Guidelines are structured around nine principles with which competent authorities and firms are expected to make every effort to comply.
Certain guidelines refer or are limited in application to the outsourcing of “critical or important functions,” which ESMA defines as any function whose defect or failure in its performance would materially impair (a) a firm’s compliance with its obligations under the applicable legislation; (b) a firm’s financial performance; or (c) the soundness or continuity of a firm’s main services and activities. This definition is consistent with the EBA Guidelines and, in its final report on the draft guidelines, ESMA stated that the criteria for assessing whether a function is critical or important are those set out in the MiFID framework and Commission Delegated Regulation (EU) No 2017/565.
- Governance, oversight, and documentation: ESMA expects a firm to have a defined and up-to-date cloud outsourcing strategy. This includes establishing a cloud outsourcing oversight function or designating senior staff to be directly accountable and responsible for managing and overseeing cloud outsourcing risks. In the final ESMA Guidelines, ESMA added within this principle that the firm should periodically reassess whether its cloud outsourcing arrangements concern a critical or important function and whenever the risk, nature, or scale of an outsourced function has materially changed. There are also detailed recordkeeping expectations.
- Pre-outsourcing analysis and due diligence: Before entering into any cloud outsourcing arrangement a firm should, among other actions, assess if it concerns a critical or important function and identify and assess any conflict of interest that the outsourcing may cause. The pre-outsourcing analysis and due diligence on the prospective cloud service provider should be proportionate to the nature, scale, and complexity of the outsourced function, although including at least an assessment of operational, legal, compliance, and reputational risks. More detailed due diligence expectations apply in respect of outsourcing critical or important functions, including an assessment of the legal system (e.g., insolvency and data protection laws) of the countries where the outsourced functions would be provided.
- Key contractual elements: ESMA expects the cloud outsourcing written agreement to expressly allow a firm to terminate it “where necessary,” although ESMA does not expand on necessity. There are specific expectations of what the written agreement should include, such as a clear description of the outsourced function, whether sub-outsourcing is permitted and any associated conditions, the regions or countries in which data will be processed and stored, service levels including qualitative and quantitative performance targets, and access and audit rights for the firm and its competent authorities.
- Information security: A firm’s internal policies and procedures and the cloud outsourcing written agreement should set information security requirements and the firm should monitor compliance with these requirements on an ongoing basis. ESMA lists specific requirements that it expects in the case of outsourcing critical or important functions, such as identity and access management, use of encryption technologies, and business continuity and disaster recovery controls.
- Exit strategies: In respect of critical or important functions, ESMA expects a firm to ensure that it can exit the outsourcing arrangement without undue disruption to its business activities and services. This includes developing comprehensive, documented, and tested exit plans; defining trigger events; and identifying alternative solutions and challenges that may arise from the location of data. In the final ESMA Guidelines, ESMA added that the written agreement should require the cloud service provider to support an orderly transfer of the outsourced function and related treatment of data.
- Access and audit rights: The written agreement should not limit a firm’s and competent authority’s effective exercise of their access and audit rights and oversight options over the cloud service provider. If the exercise of audit rights would create a risk for the cloud service provider’s environment or its other clients, the parties should agree on alternative ways to achieve a similar result.
- Sub-outsourcing: If sub-outsourcing of any part of critical or important functions is permitted, then the written agreement should include certain controls such as any parts of the functions excluded from sub-outsourcing, conditions to be complied with, notification of and a firm’s right to object to sub-outsourcing or material changes thereof, and a contractual right of the firm to terminate the cloud outsourcing arrangement if it so objects or in the event of undue sub-outsourcing.
- Written notification to competent authorities: ESMA expects firms to notify their relevant competent authority of cloud outsourcing concerning a critical or important function.
- Supervision of cloud outsourcing arrangements: Competent authorities should be satisfied that they are able to perform effective supervision, particularly when firms outsource critical or important functions that are performed outside the European Union.
Interaction with EBA Guidelines and UK PRA Supervisory Statement
ESMA has stated that in preparing the guidelines, it took into account the EBA Guidelines in order to ensure consistency. The ESMA Guidelines appear to be broadly consistent with the EBA Guidelines although in certain areas contain more detailed expectations, such as due diligence, information security, recordkeeping, and exit strategies. In other areas, such as termination rights in the written agreement, the ESMA Guidelines are less prescriptive.
For firms operating only in the United Kingdom, the ESMA Guidelines will not apply and, instead, the UK Prudential Regulation Authority’s (PRA’s) recent supervisory statement should be the primary source of reference. The supervisory statement implements the EBA Guidelines and so contains commonalities with the ESMA Guidelines, but it does not implement the ESMA Guidelines.