Insights from Latham’s flagship event: Managing the risk and promise of digitisation in financial services.

By Fiona Maclean, Stuart Davis, and Alistair Wye

In a bid to keep pace with rapid advances in cloud adoption across financial services, regulators have published a raft of new guidance in the past year. Most recently, the European Insurance and Occupational Pensions Authority launched guidelines for insurers and reinsurers on outsourcing to cloud providers in July 2019, while the European Banking Authority (EBA) published updated guidance on outsourcing that came into effect on 30 September 2019, covering both cloud and other outsourcings.

We discussed some of the challenges facing financial institutions in the evolving area of cloud compliance at our recent event entitled Balancing the Scales: Managing the Risk and Promise of Digitisation in Financial Services. One key issue highlighted in the discussion is that the new EBA guidelines do not contain an overarching split between cloud and non-cloud arrangements, and there are no general exclusions or exceptions for new entrants or FinTech providers. Entities subject to the EBA guidelines will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition.

The guidelines create new obligations for financial, payment, and electronic money institutions that will impact cloud outsourcing and deployment of FinTech.

By Fiona M. Maclean and Laura Holden

On 25 February 2019, the European Banking Authority (EBA) published a final report on its draft guidelines on outsourcing arrangements (Guidelines). The report followed the EBA’s publication of draft guidelines in June 2018 (Draft Guidelines) and the ensuing public consultation in September 2018 (Public Consultation).

The Guidelines replace the 2006 Committee of European Banking Supervisors (CEBS) Guidelines on Outsourcing (CEBS Guidelines) and replace and incorporate the EBA’s final recommendations on outsourcing to cloud service providers (Cloud Recommendations). Financial institutions will now only need to consult one set of guidelines for cloud and non-cloud outsourcing.

The Guidelines apply to a wider range of entities (Covered Entities for the purpose of this article) than the CEBS Guidelines and the Cloud Recommendations, including payment or electronic money institutions. The Guidelines now apply to all financial institutions that are:

  • Within the scope of the EBA’s mandate, including credit institutions
  • Investment firms subject to Directive (EU) 2013/36 IV (Capital Requirements Directive)
  • Payment institutions
  • Electronic money institutions

As a result, a wider range of companies, such as FinTech companies, will now face the challenge of remaining agile and competitive in fast-moving markets, whilst managing the administrative and practical challenges of maintaining compliance with the Guidelines.

The Guidelines come into force on 30 September 2019. Any outsourcing arrangements entered into, reviewed, or amended by Covered Entities after that date must comply with the Guidelines. Covered Entities must also update all existing outsourcing arrangements in line with the Guidelines by 31 December 2021. For Covered Entities that are already subject to the Cloud Recommendations, these deadlines will not have any effect on their obligation to comply with the cloud specific requirements – these requirements will continue to apply as they did prior to publication of the Guidelines. An overview of the status of the Cloud Recommendations, per jurisdiction, can be found here.

While “critical and important functions” are subjected to stricter rules, the Guidelines generally apply to all outsourcings by Covered Entities, including intragroup outsourcings, representing a further widening of scope when compared with the CEBS Guidelines. Covered Entities will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition. Following concerns raised at the Public Consultation, the EBA clarified in the Guidelines that regulators will not consider every outsourcing to a cloud solution as critical or important; rather the same test applies as with other non-cloud service providers, taking into account “cloud specificities”.

Under the Guidelines, the definition of “outsourcing” is based on the Commission Delegated Regulation (EU) 2017/565 and defined as: “an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself”.

The Guidelines define “critical or important functions” based on the wording of MiFID II and the Commission Delegated Regulation (EU) 2017/565, which includes functions that “if a defect or failure were to occur, would materially impair the continuing compliance of the firm’s activities and obligations”.

To outsource banking and payment services to a third country (i.e., non-EU) service provider, the Guidelines require the competent authorities responsible for supervising each party to have a co-operation agreement in place. Therefore, post-Brexit, the UK’s Financial Conduct Authority will need to agree a co-operation agreement with EU regulators to ensure that cross-border outsourced arrangements can continue between the UK and the EU27.

The EBA’s draft guidelines on outsourcing will impact cloud outsourcing and institutions’ deployment of FinTech.

By Fiona MacleanCharlotte Collins, and Terese Saplys

On 4 September 2018, a wide audience of interested individuals gathered at Canary Wharf for a public hearing (Public Consultation) to listen to what the European Banking Authority (EBA) had to say in relation to its long-awaited Draft Guidelines on Outsourcing (Draft Guidelines). The Draft Guidelines, which review the existing CEBS Guidelines on Outsourcing published in 2006 (CEBS Guidelines), are the EBA’s opportunity to refresh its recommendations on outsourcing to align more closely with the technical, political, and operational landscape banks face today. The attendees at the Public Consultation raised a number of questions which have, no doubt, given the EBA considerable food for thought. This blog post identifies and explores the key themes of the day. Beyond the key themes identified below, the Public Consultation included discussions of the issues of internal audit, reporting and registration, and supervisory oversight.

Scope

The extension of scope of the Draft Guidelines, as compared to the scope of the CEBS Guidelines, was a particular area of focus during the Public Consultation.

The Draft Guidelines describe their subject matter as “specify[ing] the internal governance arrangements that institutions … should implement when they outsource functions and in particular with regard to the outsourcing of critical and important functions” (paragraph 5 of the Draft Guidelines). The term “critical and important functions” is consistent with the wording used in MiFID II and includes functions which, if a defect or failure were to occur, would materially impair the continuing compliance of the firm’s activities and obligations. In this regard, the Draft Guidelines align with the CEBS Guidelines which described the requirements for “material outsourcing,” a term defined in a similar manner. However, while the CEBS Guidelines noted that “there should be no restrictions on the outsourcing of non-material activities of an outsourcing institution” (Guideline 5), the Draft Guidelines extend to all outsourcing, unless expressly stated otherwise. Many attendees at the Public Consultation noted that this scope was unduly onerous and would become administratively burdensome for firms to manage.

Notably, the broadening of the addressees of the Draft Guidelines (In-scope Entities), to include payment institutions (subject to the revised Payment Services Directive (PSD2)) and electronic money institutions (subject to the e-money Directive), was not discussed in detail at the Public Consultation. However, an attendee raised a question as to the applicability of the Draft Guidelines to industry utilities. The EBA confirmed they had not yet considered this point and advised that they would reflect and clarify the position in the final guidelines.

By Fiona Maclean, Stuart Davis and Charlotte Collins

Cloud services come with the promise of many benefits for the financial services sector. Cloud computing offers large-scale and cost-effective solutions for data storage and efficient processing and is also the underlying technology for many FinTech platforms. As with a lot of new technology, however, financial institutions are struggling to see how they can embrace cloud services fully in the context of the current regulatory landscape. This is particularly so given that use of cloud services is often considered a material outsourcing, meaning that banks and investment firms must follow strict rules in order to ensure that the risks posed by migrating data to the cloud are mitigated appropriately.

Cloud Regulatory Guidance: Clear Skies?

Current guidance on outsourcing for banks and investment firms is from the Committee of European Banking Supervisors (CEBS) and dates from 2006 (the CEBS Outsourcing Guidelines), so is overdue for review. The European Banking Authority (EBA) has recognised this and, amidst concerns that firms simply may not use cloud service providers because they cannot reconcile how to do this in line with the regulatory requirements, published some new draft guidelines on outsourcing to cloud services (Draft Cloud Guidelines) for consultation on 17 May 2017.

The final guidance resulting from the public consultation (the Final Cloud Guidelines) will supplement, rather than replace, the existing CEBS Outsourcing Guidelines, so both will need to be read in parallel. Essentially, as the CEBS Outsourcing Guidelines are short and principles-based, the new guidelines seek to add more detail as to how a firm’s regulatory obligations may be met in the specific context of outsourcing to a cloud service provider, based upon discussions the EBA has had with firms and their regulators.