ESMA published a consultation paper today on guidelines for outsourcing to cloud service providers.
The consultation, which closes on 1 September, looks at the detail of the proposed guidelines, which will provide guidance on the requirements that must be adhered to when firms outsource to cloud service providers.
The proposed guidelines would come into effect on 30 June 2021, which would give applicable firms 18 months in which to update their existing cloud outsourcing arrangements to take account of the guidelines by 21 December 2022.
These deadlines (and the guidelines) would only apply to:
- alternative investment fund managers (AIFMs) and depositaries of alternative investment funds (AIFs);
- undertakings for collective investment in transferable securities (UCITS) management companies and depositaries of UCITS;
- central counterparties (CCPs), including Tier 2 third-country CCPs which comply with the relevant EMIR requirements;
- trade repositories (TRs);
- investment firms and credit institutions when carrying out investment services and activities, data reporting services providers and market operators of trading venues;
- central securities depositories (CSDs);
- credit rating agencies (CRAs);
- securitisation repositories (SRs); and
- administrators of benchmarks, including, as of 1 January 2022, recognised third-country administrators of benchmarks which comply with the relevant requirements in the Benchmarks Regulation and administrators of critical benchmarks.
The guidelines set out steps that firms should undertake and standards that must be adhered to in each of the following areas:
- governance, oversight and documentation – confirming how firms should manage their outsourced providers (including monitoring and confirming that firms should maintain a register with prescribed details for each cloud outsourcing arrangement);
- pre-outsourcing analysis and due diligence – setting out the standard of investigations that firms should undertake in advance of contracting with a party;
- contractual requirements – setting out the clauses that outsourcing contracts are required to include;
- information security – setting out the minimum standards that firms should require;
- exit strategies – ensuring firms can exit arrangements without undue disruption;
- access and audit rights – ensuring that contracts include the specific audit and access rights ESMA requires firms to have;
- sub-outsourcing – detailing what should be included in the outsourcing contract where sub-outsourcing is permitted;
- written notification to competent authorities – setting out what should be notified to the authorities in advance of entering into a new outsourced arrangement; and
- supervision of cloud outsourcing arrangements – confirming how the authorities should approach supervision to ensure that they can assess the effectiveness of a firm’s outsourced activities.
A final report and guidelines are expected in Q4 2020/Q1 2021.