The leading knowledge platform for the financial technology industry
The leading knowledge platform for the financial technology industry

A-Team Insight Blogs

EU Regulator Offers Guidance on Cloud Outsourcing

Share article

ESMA has issued new guidance this month to help financial providers understand their compliance responsibilities when outsourcing functions or investment activities to cloud-based providers.

Published on 3 June in in draft form and currently open to consultation, the proposals are designed to help firms mitigate the risks that they are exposed to when outsourcing to cloud service providers. They set out the governance, documentation, oversight and monitoring mechanisms that firms should have in place; along with the assessment and due diligence which should be undertaken prior to outsourcing, the minimum elements that outsourcing and sub-outsourcing agreements should include, and the exit strategies and the access and audit rights that should to be catered for, as well as outlining the notification requirements and supervision duties for national regulators. Once finalised, they should provide a full suite of regulatory guidance on cloud outsourcing for regulated firms.

“Cloud outsourcing can bring benefits to firms and their customers, for example reduced costs and enhanced operational efficiency and flexibility. It also raises important challenges and risks that need to be properly addressed, particularly in relation to data protection and information security,” warns ESMA Chairman Steven Maijoor.

“Financial markets participants should be careful that they do not become overly reliant on their cloud services providers. They need to closely monitor the performance and the security measures of their cloud service provider and make sure that they are able to exit the cloud outsourcing arrangement as and when necessary.”

The proposed guidelines are consistent with the recommendations on outsourcing to cloud service providers published by the European Banking Authority (EBA) in February 2017 and subsequently incorporated into revised EBA guidelines on outsourcing arrangements in February 2019, and the guidelines on cloud outsourcing published by the European Insurance and Occupational Pensions Authority (EIOPA) in February 2020, and some financial institutions are likely to be subject to both sets of principles. “Those institutions in particular will welcome the fact the draft ESMA guidelines are less detailed and prescriptive that the outsourcing guidance already produced by the EBA and EIOPA, but should nevertheless carefully assess how they will apply to their operations, investment services and activities,” says Luke Scanlon, Head of FinTech Propositions at Pinsent Masons.

The consultation is open until September 1, 2020, and seeks feedback from both national competent authorities and financial market participants that use cloud services provided by third parties. The consultation is also important for cloud service providers, as the draft guidelines aim to ensure that potential risks firms may face from the use of cloud services are properly addressed.

A Final Report on the Guidelines is expected to be published by Q1 2021.

Related content

WEBINAR

Recorded Webinar: Address Emerging Operational Risk and Alleviating Data Blind Spots with AI Powered Risk Management

The digitalisation of financial services is in full flight, as financial institutions strive to offer the same levels of service and improved customer experience that consumer markets have enjoyed for some time. This digitalisation – providing seamless access to appropriate services on demand – requires great emphasis on client data. This changing digital landscape, and...

BLOG

FINRA CAT: What’s Next?

By Andrew Pheifer, CFA, CAIA, Director, EMS Product Management, SS&C Eze. The long-awaited Consolidated Audit Trail (CAT) is now live, ingesting billions of equity transactions daily from U.S. broker-dealers (Industry Members). The go-live has largely been considered a success, with more than 1,000 broker-dealers reporting into the CAT. The CAT’s origins date back to 2012...

EVENT

RegTech Summit Virtual

The RegTech Summit Virtual which took place in June 2020 was a huge success with over 1,100 delegates registered. We are currently working on our plans for 2021 and we hope to be back with an in-person event. Whatever the future holds you can guarantee our 2021 event will be back with an exceptional guest speaker line up of Regtech practitioners, regulators, start-ups and solution providers to collaborate and discuss innovative and effective approaches for building a better regulatory environment. Can't wait until 2021? make sure you sign up to our RegTech Summit Virtual, November 2020. More info...

GUIDE

Regulatory Data Handbook 2020/2021 – Eighth Edition

This eighth edition of A-Team Group’s Regulatory Data Handbook is a ‘must-have’ for capital markets participants during this period of unprecedented change. Available free of charge, it profiles every regulation that impacts capital markets data management practices giving you: A detailed overview of each regulation with key dates, data and data management implications, links to...