The Proposed Guidelines would apply to a wide range of financial institutions and market infrastructures: AIFMs, UCITS, fund depositaries, investment firms and credit institutions (when acting as investment service providers), market operators of trading venues, central counterparties ("CCPs") including Tier 2 third-country CCPs, credit rating agencies, central securities depositories, securitisation repositories, and benchmark administrators (together, "institutions").
This new set of guidelines would apply, by subject matter, through specific provisions listed in each piece of sectoral regulation currently applicable to the institutions, whenever an institution intends to outsource services or functions to cloud service providers ("CSPs"). Where the outsourced services or activities qualify as critical or important functions, the outsourcing arrangement would be subject to additional obligations.
Some institutions may already be subject to the EBA guidelines on outsourcing arrangements, which already cover outsourcing to CSPs (the "EBA Guidelines"). Although part of the Proposed Guidelines replicates what the EBA Guidelines require, nothing is provided to avoid duplicated compliance with both sets of guidelines, for example for credit institutions acting as investment service providers (and, similarly, for CCPs holding a credit institution licence).
Governance and Assessment
As in the EBA Guidelines, the Proposed Guidelines would require institutions to maintain a register of all their CSP outsourcing arrangements, with more detailed information for arrangements relating to critical or important functions. ESMA should be asked during the consultation process to confirm that such a register may be held at group level.
A thorough pre-assessment, conducted through due diligence, should confirm the technical and legal soundness of the envisaged arrangement, including factors external to the CSP itself, such as the legal and political environment in which it operates.
Contracts and Procedures
ESMA acknowledges that institutions, particularly small and independent ones, may have difficulty negotiating agreements with large CSPs. However, most of the mandatory provisions to be reflected in such agreements would apply only to critical or important functions, and they essentially mirror the mandatory provisions already required under the EBA Guidelines. These provisions are intended to give institutions control over a number of key elements of the outsourcing, such as the location of the CSP, the applicable service levels, the required security arrangements, the CSP's reporting obligations, and the definition of business continuity and recovery plans.
Access, Audit Rights, and Exit Plan
In addition to establishing proper internal policies and procedures, and reflecting them in the contractual arrangements to the extent necessary, institutions should consider the following when putting cloud outsourcing in place: ensuring continued access to the outsourced data, ensuring that the data are stored securely and confidentially, implementing adequate segregation of their data and systems within the CSP's networks, and using encryption where needed. Exit strategies should also be planned for arrangements relating to critical or important functions. ESMA particularly stresses the high level of technical complexity in the cloud area and the need for institutions to have adequate resources, in-house or through consultants, capable of performing the required audits.
Sub-outsourcing of critical or important functions requires particular attention and care when the arrangement is established. Key considerations include defining the permitted scope of sub-outsourcing, ensuring that the CSP properly supervises its own third parties, and securing the right to object to intended sub-outsourcing plans.