ESMA Draft Guidelines on Cloud Outsourcing
New requirements for cloud projects for asset managers, investment service providers and other financial services providers
On 3 June 2020, the European Securities and Markets Authority (ESMA) published Draft Guidelines on Outsourcing to Cloud Service Providers (ESMA50-164-3342) (the ‘Draft Guidelines’). With the Draft Guidelines, ESMA is addressing national supervisory authorities and various financial market participants, in particular asset managers and investment service providers, but also, for example, central counterparties (CCPs), central securities depositories (CSDs) and credit rating agencies (CRAs), in order to develop an equally harmonized and effective regulatory framework for outsourcing to cloud providers across the EU.
With its Draft Guidelines, ESMA is building on initiatives taken by other supervisory authorities, which have already responded with various publications to the visible trend towards greater use of technical service providers and in particular cloud service providers. Examples of these publications are the European Banking Authority’s (EBA) landmark Guidelines on outsourcing arrangements dated 25 February 2019 (EBA/GL/2019/02), into which the EBA’s previously published ‘Recommendations on outsourcing to cloud service providers’ dated 20 December 2017 (EBA/REC/2017/03) have been integrated, and the Guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002) published by the European Insurance and Occupational Pensions Authority (EIOPA) on 6 February 2020. At national level in Germany, the financial regulator Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin), together with the Deutsche Bundesbank, already published guidance on outsourcing to cloud providers back in November 2018. These developments show that outsourcing to cloud providers is a focus of regulatory authorities.
The Draft Guidelines are aimed in practical terms at all market participants in the financial sector for which ESMA has a supervisory mandate. This includes asset managers and capital management companies within the meaning of the German Investment Code (KAGB) and investment service undertakings, as well as CCPs, CSDs, depositaries for investment funds, providers of data reporting services, market operators of trading venues, CRAs, benchmark administrators and securitisation repositories (SRs) under Regulation (EU) 2017/2402. This list shows, firstly, that the Draft Guidelines overlap with the scope of the EBA Guidelines on outsourcing because, for example, investment service companies or depositaries often qualify as credit institutions due to their wider range of services. Secondly, it is clear that many market participants will have to adapt to additional requirements, as the regulatory framework for outsourcing currently in place either does not specifically address outsourcing to cloud providers or does not do so to the same extent. The same applies to BaFin’s aforementioned guidance, as the requirements in the Draft Guidelines go beyond those in the guidance.
General approach and regulatory objectives
The Draft Guidelines take account of the growing importance of digitalisation in the financial sector and the fact that cloud solutions offered on the market are cost-effective tools for taking advantage of the opportunities offered by digitalisation. Of course, these opportunities are accompanied by risks that the Draft Guidelines are intended to address. The typical outsourcing risks relate in particular to IT security and data protection. Accordingly, the Draft Guidelines set out requirements for, among other things, the authenticity (verifiability), integrity (protection against manipulation), confidentiality (protection against unauthorised access) and availability of outsourced data. However, they go far beyond this by also imposing requirements for the selection of a cloud provider, for specific contractual content when commissioning a cloud provider, and for outsourcing management.
Areas covered by the Draft Guidelines
The Draft Guidelines propose nine guidelines to be taken into account when outsourcing to cloud providers is contemplated:
- Guideline 1 deals with the control, documentation, supervision and monitoring mechanisms that firms should have in place in the context of outsourcing projects.
- Guideline 2 provides criteria for the assessment and due diligence of potential cloud providers.
- Guideline 3 lists the minimum contractual requirements for outsourcing arrangements. The content requirements are, however, not exhaustively covered there, as Guideline 7 contains additional requirements for situations in which a cloud provider itself sub-outsources services. Thus the regulatory approach is similar to what is required by the Minimum Requirements for Risk Management (MaRisk) and the Minimum Requirements for the Risk Management of Asset Management Companies (KAMaRisk) for institutions and asset management companies under BaFin’s administrative practice, but in some cases goes further.
- Guideline 4 provides guidance on information security, while Guideline 5 deals with exit strategies and rights.
- Guideline 6 sets out specific requirements for access and audit rights that must exist with respect to a cloud provider. Smaller firms typically face difficulties in enforcing these when negotiating with large cloud providers.
- Guideline 8 provides that the competent national supervisory authority should be notified in a timely manner when an outsourcing project is planned. In some cases this goes beyond the prudential requirements of German law, since to date, at least in principle, outsourcing projects do not need to be reported in advance.
- Guideline 9 is addressed to national supervisory authorities and sets out how supervisory authorities should monitor the risks associated with cloud outsourcing arrangements.
Minimum contractual requirements for cloud contracts
If the guidelines are adopted essentially as in the Draft Guidelines, which is quite likely despite the ongoing consultation, particular attention will need to be paid in practice to the negotiation of cloud contracts. It should be borne in mind that, although Guideline 3 specifies the minimum content, this is also substantiated by other guidelines. This is particularly obvious in the case of the provisions on sub-outsourcing in Guideline 7, but also in the case of the provisions on access and audit rights in Guideline 6. In the case of outsourcing of critical or important functions, the Draft Guidelines provide that the outsourcing contract for cloud services should address in particular:
- Subject of the contract: The Draft Guidelines require a clear contractual description of the outsourced function and financial obligations of the parties. In addition, the agreed service levels are to be clearly defined. Specifically, the services to be provided by the cloud provider (e.g. support services, data availability indicators) are to be specified in quantitative and qualitative terms. The reason for this is to monitor the performance targets to be achieved so that appropriate corrective action can be taken in a timely manner if the agreed service levels are not met.
- Place of performance: The place(s) or countries where relevant data is stored and processed (location of data centres) must be stipulated separately. Provision should also be made in the event that the cloud provider does not comply with this agreement, accompanied by appropriate notification requirements.
- Business continuity: The Draft Guidelines call for contractual arrangements to ensure business continuity. This includes, for example, drawing up contingency plans with regard to company data and the entire cloud system in the event of its failure. To that end, it is also necessary to stipulate whether and under what conditions sub-outsourcing, especially of critical or important functions, is permitted.
- Performance period and exit rights: The Draft Guidelines leave it up to the parties whether the contract should include a start and end date. The stipulation of exit and termination rights is required by the Draft Guidelines for all outsourced functions and not just for critical or important functions.
- Legal and financial safeguards: It is necessary to determine the law applicable to the outsourcing contract and the competent court. In addition, compulsory insurance, for example against IT risks, may be considered.
- Data security: Requirements for IT security and the protection of personal data should also be included in the outsourcing contract. These can include appropriate confidentiality, encryption and anonymisation obligations. Consideration should also be given to contractually limiting the group of authorised data users. In addition, the Draft Guidelines require contractual provisions to be in place for incident management by the cloud provider, e.g. in the event of data leaks or system failures.
- Monitoring and audit rights: The Draft Guidelines also require comprehensive control and audit rights on the part of the customer and authorities to enable them to properly monitor the cloud provider’s performance.
Timetable: From draft to binding guidelines
Until 1 September 2020, interested market participants may send ESMA their responses to the questions raised in the Draft Guidelines. The Draft Guidelines then provide that the ESMA Guidelines to be adopted subsequently (according to ESMA by the first quarter of 2021 at the latest) will apply to all cloud contracts entered into, renewed or amended starting from 30 June 2021. Existing cloud contracts are to be adapted to the new requirements by 31 December 2022. As has already been done for the EBA Guidelines on outsourcing, BaFin is expected to express its intention to comply with the ESMA Guidelines and to incorporate them into its national supervisory practice.
The Draft Guidelines consistently continue the current trend towards stricter prudential requirements for outsourcing to cloud providers. There are therefore no surprises in terms of their content. This is to be welcomed, as it would be hard to explain why, for example, the use of cloud services by investment service providers should be subject to different standards than their use by credit institutions. Certainly, it may be questioned whether the risks associated with cloud outsourcing justify separate prudential treatment compared to other outsourcings. In that respect, a more comprehensive solution, comparable to the EBA Guidelines on outsourcing, would also be a possible approach. The undertakings concerned are unlikely to regret this restriction, as the additional requirements and the related effort to meet them are thereby limited, at least for the time being. As the implementation of the Draft Guidelines seems to be only a matter of time, asset managers and investment service companies as well as other financial market participants within ESMA’s remit should familiarise themselves now with the future requirements and consider whether and how to deal with them in the technical planning and contractual design of cloud projects. This also applies to cloud providers, as they will have to prepare to face additional demands from their customers in the financial sector, who are legally required to implement them.
Do you have questions? Please contact: Dr Jens H. Kunz, Dr David Bomhard
Practice Groups: Financial Services Regulation, Banking & Finance, Digital Business