This article was written by Marcus Clayden.
The EIOPA guidelines have been published and apply to all new (or existing but amended) cloud outsourcings from 01 January 2021.
- Status: the guidelines sit below Solvency II and the MiFID II Delegated Directive, providing further detail on the ways in which insurers/reinsurers should approach outsourcing to the cloud – and act as guidance for regulators in enforcing compliance with those regulatory obligations.
- Governance: attention is paid to the way in which insurers/reinsurers should implement their own governance frameworks and policies, to ensure they engage outsourced cloud providers in a risk-appropriate way. This will of course include conducting appropriate pre-contractual DD and a full risk assessment, and also maintaining full internal records and notifying the regulator of outsourced arrangements.
- Contract: the guidelines reiterate the critical importance of having a robust contract in place with the provider, with a particular focus on how audit, security, monitoring, sub-contracting, termination and exit issues will need to be addressed during the negotiations.
ESMA has opened a consultation (which closes on 01 September 2020) in a very similar vein. The intention is that the finalised guidance will apply to all new (or existing but amended) cloud outsourcings from 30 June 2021.
- Status: this guidance applies to a wide variety of financial markets participants and therefore provides further compliance detail in relation to a range of EU legislation – including AIFMD, MiFID II, EMIR and the CRA Regulation.
- Content: unsurprisingly, the ESMA guidelines cover very similar issues to the EIOPA equivalents: governance, DD, record-keeping and contract issues come to the fore.
Points to note: these guidelines go hand in hand with the wider regulatory focus on operational risk and resilience. With these guidelines comes increased consistency across the FS industry as to how these types of delegation / outsourcing arrangements are viewed – and the robust way in which firms will be expected to manage their relationships with vendors. As the drive towards outsourcing continues (encouraged by cost pressures and efficiency savings), fulfilling the regulators’ expectations will be an increasingly time-consuming but unavoidable task.