ESMA publishes final Guidelines on Outsourcing to Cloud Service Providers

On 10 May 2021, the European Securities and Markets Authority (ESMA) published its final Guidelines on Outsourcing to Cloud Service Providers (the “Guidelines”). Cloud services means services provided using cloud computing. The objectives of the Guidelines are to establish consistent, efficient and effective supervisory practices within the European System of Financial Supervision (ESFS) and to ensure the common, uniform and consistent application of the new requirements. The Guidelines aim to help firms and competent authorities identify, address and monitor the risks and challenges arising from cloud outsourcing arrangements across the whole lifecycle: making the decision to outsource, selecting a cloud service provider, monitoring the outsourced activities and providing for exit strategies.
I. Applicability of the Guidelines

The Guidelines apply to EU authorities as well as to the following types of firms:

  • Alternative investment fund managers (AIFMs) and depositaries of alternative investment funds (AIFs);
  • Undertakings for collective investment in transferable securities (UCITS), management companies and depositaries of UCITS, and investment companies that have not designated a management company authorised pursuant to the UCITS Directive;
  • Central counterparties (CCPs), including Tier 2 third country CCPs which comply with the relevant EMIR requirements;
  • Trade repositories (TRs);
  • Investment firms and credit institutions when carrying out investment services and activities, data reporting services providers and market operators of trading venues;
  • Central securities depositories (CSDs);
  • Credit rating agencies (CRAs);
  • Securitisation repositories (SRs); and
  • Administrators of critical benchmarks.
II. Areas covered by the Guidelines

The Guidelines set out nine rules which are to be considered when an outsourcing to a cloud provider takes place. In a nutshell, the Guidelines contain the following content:

  • Guideline 1 contains the governance, oversight and documentation mechanisms that firms should have in place for outsourcing projects.
  • Guideline 2 sets out criteria for pre-outsourcing and due diligence of potential cloud providers.
  • Guideline 3 lists the key contractual elements for outsourcing arrangements. 
  • Guideline 4 provides guidance on information security.
  • Guideline 5 deals with exit strategies and rights.
  • Guideline 6 states specific requirements for access and audit rights that must be in place with respect to a cloud provider.
  • Guideline 7 contains general rules for sub-outsourcing.
  • Guideline 8 provides that the competent national supervisory authority must be notified in a timely manner when an outsourcing project is planned.
  • Guideline 9 is addressed to national supervisory authorities and sets out how supervisory authorities should monitor the risks associated with cloud outsourcing arrangements.

The Guidelines on Outsourcing to Cloud Service Providers from ESMA can be found under the following link.

III. Timeline

The Guidelines apply from 31 July 2021 to all cloud outsourcing arrangements entered into, renewed or amended on or after this date.

It follows that affected firms should review and amend accordingly existing cloud outsourcing arrangements with a view to ensuring that they take into account these Guidelines by 31 December 2022 at the latest. Where the review of cloud outsourcing arrangements of critical or important functions is not finalised by 31 December 2022, firms should inform their competent authority of this fact, including the measures planned to complete the review or the possible exit strategy.


The Swiss Bankers Association Cloud Guidelines

The Swiss Bankers Association (“SBA”) Cloud Guidelines were last updated in June 2020. They are non-binding guidelines for practitioners on establishing compliant cloud outsourcing environments. Nonetheless, the SBA Cloud Guidelines collect the regulatory issues arising from, e.g., data privacy law, banking and financial markets law, and the FINMA Circulars on Outsourcing, and on that basis provide recommendations for practitioners on the procurement and use of cloud services.

The four main areas covered in the SBA Cloud Guidelines are: Governance, Data Processing, Authorities and Proceedings, and Audit. Most regulations are already applicable. The one major exception is the newly passed Federal Act on Data Protection (“FADP”), which has been aligned with the EU GDPR.

As with most EU regulations, the ESMA Guidelines are very detailed. In particular, the “exit strategies” that ESMA requires for leaving a cloud outsourcing arrangement demand a high degree of planning and documentation by financial institutions. The Swiss regulatory approach, on the other hand, carries its own important legal considerations, concerning bank client secrecy and the changing FADP.

The SBA Cloud Guidelines can be found under the following link.


Philipp Rosenauer

Partner Legal, PwC Switzerland