ESMA consults on guidelines on outsourcing to cloud service providers

Maria Nikolova

The guidelines seek to help firms and competent authorities identify and monitor the risks that arise from cloud outsourcing arrangements.

The European Securities and Markets Authority (ESMA) today published a consultation paper on guidelines on outsourcing to cloud service providers.

The document provides guidance on the outsourcing requirements applicable to financial market participants, such as investment firms and data reporting services providers, when they outsource to cloud service providers. In particular, the guidelines aim to help firms and competent authorities identify, address and monitor the risks and challenges that arise from cloud outsourcing arrangements.

Under the guidelines, a firm should have a defined and up-to-date cloud outsourcing strategy that is consistent with the firm’s relevant strategies, such as information and communication technology strategy, information security strategy, operational risk management strategy, and internal policies and processes. A firm is expected to clearly assign the responsibilities for the documentation, management and control of cloud outsourcing arrangements within its organisation and to establish an outsourcing oversight function or designate a senior staff member who is directly accountable to the management body and responsible for managing and overseeing the risks of cloud outsourcing arrangements.

Also, a firm should maintain an updated register of information on all its cloud outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements.

For the cloud outsourcing arrangements concerning critical or important functions, the register should include information, such as the reference number for each cloud outsourcing arrangement, its start date and, as applicable, the next contract renewal date, the end date and/or notice periods for the CSP and for the firm, as well as a brief description of the outsourced function, including the data that is outsourced and whether this data includes personal data.

Before entering into any cloud outsourcing arrangement, a firm should assess whether the arrangement concerns a critical or important function, and assess all relevant risks of the cloud outsourcing arrangement. A firm will have to undertake appropriate due diligence on the prospective CSP and identify any conflict of interest that the outsourcing may cause.

A written agreement with a CSP should expressly allow the possibility for the firm to terminate it, where necessary.

Moreover, a firm should set information security requirements in its internal policies and procedures and within the cloud outsourcing written agreement and monitor compliance with these requirements on an ongoing basis, including to protect confidential, personal or otherwise sensitive data.

In case of outsourcing of critical or important functions, a firm should ensure that it is able to exit cloud outsourcing arrangements without undue disruption to its business activities and services to its clients, and without any detriment to its compliance with the applicable legal requirements, as well as the confidentiality, integrity and availability of its data.

A firm should ensure that the cloud outsourcing written agreement does not limit the firm’s effective exercise of the access and audit rights as well as its oversight options on the CSP.

Finally, if sub-outsourcing of critical or important functions (or a part thereof) is permitted, the cloud outsourcing written agreement between the firm and the CSP should specify certain information, such as any parts or aspects of the outsourced function that are excluded from potential sub-outsourcing.

These guidelines will apply from June 30, 2021 to all cloud outsourcing arrangements entered into, renewed or amended on or after this date. ESMA instructs firms to review and amend accordingly existing cloud outsourcing arrangements with a view to ensuring that they take into account these guidelines by December 31, 2022.

The consultation is open until September 1, 2020.
