[co-author: Jack McCarthy]
The European Securities and Markets Authority (“ESMA”) Guidelines on outsourcing to cloud service providers (“the Guidelines”), published in ESMA’s Final Report, came into force on 31 July 2021 and apply to all cloud outsourcing arrangements entered into, renewed or amended on or after that date. ESMA expects firms to review and amend any existing cloud outsourcing arrangements by 31 December 2022. Where a firm cannot finalise the review of arrangements covering critical or important functions by that deadline, it must inform its national competent authority, explain why, and set out the measures planned to complete the review or, if necessary, its exit strategy from the arrangement. In this Client Alert, we offer practical considerations for cloud service providers (“CSPs”) and for entities subject to EU financial services regulation that are entering into or renewing outsourcing contracts with CSPs.
WHO DO THE ESMA GUIDELINES APPLY TO?
The Guidelines apply to the following types of regulated entities acting in the EU:
- Alternative investment fund managers and depositaries of alternative investment funds;
- Central counterparties (“CCPs”), including Tier-2 third-country CCPs which comply with the relevant European Market Infrastructure Regulation requirements;
- Trade repositories;
- Investment firms and credit institutions when carrying out investment services and activities, data reporting services providers and market operators of trading venues; and
- Central securities depositories.
CRITICAL OR IMPORTANT FUNCTION
The Guidelines introduce a requirement for these regulated entities to maintain an updated register of information on all of their outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements.
The key contractual elements of the Guidelines apply only to situations where a critical or important function has been outsourced. The Guidelines define a “critical or important function” as any function whose defect or failure in its performance would materially impair:
- A regulated entity’s compliance with its obligations under the applicable legislation;
- A regulated entity’s financial performance; or
- The soundness or the continuity of a regulated entity’s main services and activities.
WHAT IS THE REASON FOR PUBLISHING THESE GUIDELINES?
These Guidelines are the latest set to be published by the European Supervisory Authorities (“ESAs”). ESMA seeks to support a convergent approach to the supervision of cloud outsourcing arrangements across the EU as regulated entities are increasingly outsourcing important functions and services to cloud service providers. The Guidelines largely reflect the European Banking Authority’s revised guidelines on outsourcing arrangements that were published on 25 February 2019 (“EBA Guidelines”).
ESMA states that the purpose of the Guidelines is to help regulated entities identify, address and monitor the risks that may arise from their cloud outsourcing arrangements. In practice, CSPs typically offer standardised contracts and, depending on their size and bargaining power, regulated entities may have limited ability to negotiate terms, for instance the right to audit the books, premises and devices of their CSP. The Guidelines therefore require certain rights and obligations to be set out expressly in the written cloud outsourcing arrangement as mandatory contractual provisions.
PRACTICAL POINTS TO CONSIDER
MANDATORY AUDIT RIGHTS
The cloud outsourcing arrangement must grant the regulated entity, and its competent authority, a right of access and audit covering the relevant information, premises, systems and devices of the CSP.
Regulated entity considerations
A regulated entity may rely on third-party certifications and on external or internal audit reports made available by the CSP, provided that it retains a contractual right to:
• Request the expansion of the scope of the certifications or audit reports to other relevant systems and controls of the CSP; and
• Perform on-site audits, at the regulated entity’s discretion, with regard to the outsourced function.
CSP considerations
A CSP that wishes to offer its services to a regulated entity must now be prepared for on-site visits by that entity, and should put appropriate plans and procedures in place to accommodate such requests.
In negotiations, a CSP will want to build in a time buffer for audits and to limit their frequency so that they are not excessive and do not disrupt its business operations. In doing so, however, the CSP must ensure that the contract does not limit the effective exercise of the audit rights by the regulated entity or its competent authority.
The Guidelines state that a regulated entity should give the CSP reasonable notice before a planned on-site audit. CSPs will want the notice provisions to require the regulated entity to state the location, the purpose of the visit and the personnel who will participate. A regulated entity need not give prior notice, however, where that is not possible because of an emergency or crisis, or where giving notice would render the audit ineffective.
The Guidelines allow the CSP to object to an audit where it would create a risk for the CSP’s environment or for another of its clients (for example by affecting service levels or the confidentiality, integrity and availability of data). In that case the CSP must give the regulated entity a clear rationale for its objection, and the parties should agree alternative ways of achieving a similar result.
SUB-OUTSOURCING
The cloud outsourcing arrangement must specify whether sub-outsourcing is permitted and, if so, the conditions under which it is permitted.
Regulated entity considerations
The outsourcing arrangement must include an obligation for the CSP to notify the regulated entity of any intended sub-outsourcing, or material change to existing sub-outsourcing, that might affect the ability of the CSP to meet its obligations under the cloud outsourcing arrangement with the regulated entity.
A regulated entity must also have the contractual right to:
• Object to the intended sub-outsourcing, or material changes to the sub-outsourcing, or be given a right of explicit approval before the proposed sub-outsourcing or material changes come into effect; and
• Terminate the cloud outsourcing arrangement with the CSP in case it objects to the proposed sub-outsourcing or material changes to the sub-outsourcing, and in cases of “undue sub-outsourcing” (for example sub-outsourcing without notifying the regulated entity or seriously infringing the conditions of the sub-outsourcing).
Some regulated entities will want the control that comes with a right of explicit approval, although CSPs may find this operationally difficult. A right to object can offer a similar level of protection, but the regulated entity will need to ensure that any response timeframes reflect the operational requirements of its business, and that it has processes in place to monitor and carry out due diligence on any proposed sub-outsourcing in a timely manner.
CSP considerations
The notice period within which the CSP proposes changes to its sub-outsourcing arrangements should give the regulated entity “sufficient time” to carry out a risk assessment of the proposed sub-outsourcing or material change. The Guidelines do not define “sufficient time”, so the parties are free to negotiate an appropriate period. The CSP should build this lead time into its own planning so that onboarding or transferring to a new sub-outsourcer is not delayed.
The objection and approval rights granted to the regulated entity can be tempered, for example, by agreeing a time limit within which the regulated entity must raise an objection to any proposed sub-outsourcing, with “deemed consent” applying if no response is given within that period.
The Guidelines do not expressly require the CSP to enter into back-to-back agreements with its sub-outsourcers, for instance by granting the regulated entity the same contractual rights of access and audit; rather, the CSP must ensure that all contractual obligations between it and the regulated entity continue to be met. This matters for CSPs that themselves sub-outsource to large cloud providers and may be unable to impose on those providers the same contractual terms that their regulated customers seek to impose on them.
INFORMATION SECURITY REQUIREMENTS
The agreement must set out information security requirements, and the regulated entity must monitor the CSP’s compliance with them on an ongoing basis.
Regulated entity considerations
These requirements should be proportionate to the nature, scale and complexity of the outsourced function. Monitoring should be risk-based, with a primary focus on the critical or important functions that have been outsourced.
The contract should also include provisions on the management of incidents by the CSP, including an obligation for the CSP to report to the regulated entity, without undue delay, any incident that has affected the operation of the regulated entity’s contracted service.
CSP considerations
The Guidelines say little about the level of detail required in the information security provisions. Although they set out detailed practical requirements that should be considered, these are not mandatory provisions that must be written into the contract.
On incident reporting, CSPs may be able to negotiate what period constitutes “undue delay”. Leaving the term undefined may avoid debate during negotiations, and may appeal to some CSPs, but it creates uncertainty once an incident actually occurs.
ACCESS, RECOVERY AND RETURN OF DATA
The agreement will need to include provisions ensuring that the data the CSP processes or stores on behalf of the regulated entity can be accessed, recovered and returned to the regulated entity as needed. Both CSPs and regulated entities will need to consider these obligations alongside the equivalent obligations relating to personal data under the General Data Protection Regulation.
Regulated entity considerations
The regulated entity will need to develop an exit plan, and to include contractual provisions obliging the CSP to support the orderly transfer of the outsourced function, and the related processing of data, from the CSP and any sub-outsourcer to another CSP. This should include, where relevant, the secure deletion of the data from the systems of the CSP and any sub-outsourcer.
CSP considerations
The Guidelines do not specify a period within which the data should be deleted, so this should be agreed between the parties taking into account the nature, sensitivity and volume of data held by the CSP and any sub-outsourcer. The CSP should also consider, practically, how long deletion will take and, technically, whether the data is subject to automatic archival or backup processes that delay complete deletion.
The phrase “orderly transfer” is broad and undefined. Leaving it undefined in the contract may give the CSP more latitude over the time needed to transfer the outsourced function to the new provider.
TERMINATION RIGHTS
The written agreement should expressly allow the regulated entity to terminate it where necessary.
Regulated entity considerations
Apart from the termination rights for objecting to proposed sub-outsourcing or material changes to sub-outsourcing, and for “undue sub-outsourcing”, the Guidelines do not prescribe any further specific termination rights for the regulated entity. The agreement will usually include the usual termination rights for breach and insolvency, but the regulated entity may also wish to seek additional termination rights for specific risks.
CSP considerations
The CSP should be wary of the regulated entity seeking termination rights beyond the scope of the Guidelines, in particular subjective termination rights or rights that are in effect disguised termination-for-convenience rights.
Where a regulated entity seeks onerous obligations, purportedly to meet the Guidelines, that the CSP is concerned it may not be able to comply with (e.g. objection rights over core sub-outsourcing, or excessive security requirements), the CSP may consider accepting them provided it has an appropriate termination option of its own. The CSP will, however, need to consider how such an option affects its accounting for recurring revenue under a contract that is now terminable before the end of its term.
THE UNITED KINGDOM
Following Brexit, the FCA has diverged from its previous position on other ESA guidelines. For instance, in May 2021 the FCA updated its outsourcing page to confirm that:
- Regulated entities are not expected to report to the FCA on their progress towards meeting the timeline of 31 December 2021 in the EBA Guidelines regarding legacy outsourcing arrangements; and
- Where arrangements of critical or important outsourcing arrangements have not been finalised by 31 March 2022, regulated entities should inform the FCA.
Further, the FCA confirmed that it will not follow the European Insurance and Occupational Pensions Authority’s (“EIOPA”) cloud outsourcing guidelines, stating that it had notified EIOPA that the guidelines do not apply to regulated activities within the UK’s jurisdiction, because they entered into force on 1 January 2021, after the end of the EU withdrawal transition period.
The FCA has not yet provided any statements or guidance on the application of the ESMA cloud outsourcing guidelines in the UK. In its Brexit Policy Statement (PS19/5), the FCA states that it expects regulated entities to continue to apply the ESA guidelines to the extent that they remain relevant, interpreting them in light of the UK’s withdrawal from the EU and the associated legislative changes that are being made to ensure the regulatory framework operates appropriately.
There is currently no requirement for entities regulated only by the FCA to notify it of cloud outsourcing arrangements that would fall within the Guidelines. The contractual requirements and guidance set out in this Client Alert do not apply to entities regulated only by the FCA. Those entities should continue to follow the FCA’s FG16/5 guidance for firms outsourcing to the cloud and other third-party IT services in the UK.