ESMA consults on new rules for Cloud arrangements

The consultation paper (“CP”) sets requirements and expectations for alternative investment fund managers (“AIFMs”) and depositaries of alternative investment funds, undertakings for collective investment in transferable securities (“UCITS”), management companies and depositaries of UCITS, investment firms and a number of other types of firm (“firms”) when outsourcing to the cloud.

It follows in the wake of recent final guidelines published by the EBA on outsourcing and a similar consultation from EIOPA on cloud arrangements. Cloud outsourcing is viewed as raising particular oversight challenges, not only in terms of data protection and information security but for wider financial stability, given the potential impact of concentration risk of a limited number of big tech service providers. As such, it is safe to say that regulation of cloud outsourcing is not only viewed by regulators as a priority issue but is seen as going hand in hand with emerging and expanding supervision of operational risk and resilience (see our article on this here).

What is different?

The proposed guidelines build on existing outsourcing requirements in MiFID II and delegation requirements in the AIFMD and UCITS Directives and are consistent with the recommendations in the equivalent EBA guidelines and the EIOPA cloud guidelines, albeit slightly less detailed and prescriptive. They set out a list of minimum contractual requirements to be included in agreements with cloud suppliers, as well as requirements for extensive pre-contract diligence, focusing on cyber risk and security, and on-going supplier management.

Particular areas where the CP would raise the bar against current rules and market practice include the need for detailed exit strategies, access and audit rights and sub-outsourcing.

One key difference is that the definition provided for a “cloud outsourcing arrangement” expressly includes delegation arrangements and extends the application of the guidelines to arrangements between a firm and a third party where the third party is not a cloud service provider itself but relies on a cloud service provider (for example, through a sub-outsourcing chain) to perform a function that would otherwise be undertaken by the firm itself. This means that AIFMs and UCITS management companies that delegate functions to investment managers, where those investment managers in turn rely on cloud service providers to perform those functions, may have to comply with the guidelines. It is not just direct cloud outsourcing arrangements that are caught.

Interestingly, ESMA clearly takes the view that delegations under the AIFMD and UCITS Directives should not be treated any differently from outsourcing, contrary to what has often been argued. This could have wider implications for many contractual arrangements across the industry, which will potentially need to be considered through a new lens.

What’s next?

The consultation closes on 1 September 2020 and we encourage all firms to take time to review and understand the proposed guidelines and what they will mean for their business.

ESMA’s final report and guidelines are expected Q4 2020 / Q1 2021 and would apply from 30 June 2021 to all cloud outsourcing arrangements entered into, renewed or amended on or after this date. In any event, under the CP proposals, firms would need to review and amend their existing outsourcing arrangements to ensure that they comply with the final guidelines by 31 December 2022.

Closing comment

The investment funds industry already has experience of managing operational risks and coordinating outsourcing arrangements of many types. But the pressure to reduce costs and improve capability continues to drive the trend of increased reliance by firms on third-party suppliers, with bundled back- and middle-office arrangements and outsourced dealing desks. The CP is a clear statement from ESMA that it will require more concentrated efforts to mitigate the resulting risks and manage the challenges of these outsourced business models.