ESMA’s Cloud Outsourcing Guidelines Part 3: Sub-outsourcing, National Competent Authorities, and Supervision

 

The European Securities and Markets Authority (ESMA) recently published a consultation paper on outsourcing to cloud service providers, which included a number of proposed guidelines. Coming into force from June 2021, they are likely to apply to all ESMA regulated entities, including AIFMs, UCITS and investment firms.

 

Even if you’ve got an established framework in place already, firms should take time to understand the guidelines. Not only is it important to make sure you’re acting in accordance with the rules, but a robust cloud strategy may also help minimise future risks and headaches in the future. In Part 1, we took a closer look at guidelines 1-3, while in Part 2 we analysed guidelines 4-6. Today, we finish the three-part series by looking at guidelines 7-9 and the issues of sub-outsourcing, reporting to national competent authorities (NCAs), and supervision.

 

Guideline 7: Sub-outsourcing – not all sub-outsourcers are created equal

If sub-outsourcing of critical or important functions (or a part thereof) is permitted, the cloud outsourcing written agreement between the firm and the CSP should indicate the conditions to be complied with in case of sub-outsourcing.The CSP is obliged to oversee those services that it has sub-outsourced to ensure that all contractual obligations between the CSP and the firm are continuously met. This also includes an obligation for the CSP to notify the firm of any changes to sub-outsourcers.Financial firms should approach the area of sub-outsourcing with a degree of caution. Past experience of sub-outsourcing professional service agreements, for example, may have resulted in poorer service or dilution of expertise, and this is a key consideration.This is not the case with sub-outsourcing in CSPs, however. The main sub-outsourcing party for CSPs tends to be the platform that cloud service is hosted on, like Amazon Web Services (AWS). Increasingly we are seeing tier one financial institutions, and the regulators themselves, move legacy platforms to these cloud platforms.These platforms bring military grade information security standards, meaningful scalability, robust disaster recovery and typically independent certification. In AQMetrics, we host our cloud services on AWS, one of the world’s best cloud providers.

 

Guideline 8: Written notification to Competent Authorities – full transparency ahead?

In case of planned outsourcing of critical or important functions, a firm should notify its national competent authority in a timely manner. This includes full details of the outsourcing arrangement, whether deemed critical or non-critical and information on the deployment model.So, are we moving to full market transparency of CSPs? This is perhaps one of the most interesting points of these detailed, comprehensive guidelines. What’s clear is that the regulators will start to build up a picture of CSPs, and the specific arrangements and deployment models within individual firms. It will be interesting to see how the regulators manage and publish this data.In the past, outsourcing arrangements may have been deemed confidential and may have provided a competitive advantage. However, with many CSPs providing non-white labelled, industry standard services, perhaps we will see full transparency of use of CSPs in the market, which can only be good news for all market participants.AQMetrics works with many asset service providers, who provide their customers with access to AQMetrics cloud service, without any white labelling. This transparency ensures that the end users, the investment firms themselves, know that they are using an industry-standard platform.

 

Guideline 9: Supervision of cloud outsourcing arrangements – a new era for CSPs?

Competent authorities should assess the risks arising from firms’ cloud outsourcing arrangements as part of their supervisory process. In particular, this assessment should focus on the arrangements that relate to the outsourcing of critical or important functions. This will also likely place some responsibilities on the CSPs themselves, who will need to make sure that they’re operating in line with the regulator’s expectations.How might this happen in practice? AQMetrics undertook full regulatory authorisation in 2017 to achieve regulatory approval as a Data Reporting Service Provider (DRSP) and now operates an Approved Reporting Mechanism (ARM) under MiFID II, connecting directly into the regulator portals across Europe.This process allowed AQMetrics to focus on refining the programme of operations and the level of operational maturity that is required for regulatory approval.Whilst AQMetrics was the first to receive such approval from our home regulator, the Central Bank of Ireland, it is likely that we won’t be the last.Regulating the RegTechs has been a point of discussion in the FinReg community for some time. From first hand experience, we can say with confidence, that it has brought benefits to our firm, and our customers alike. Our employees are proud to hold responsibilities in a regulated firm and it has brought our firm a step closer to our customers.

 

Final thoughts

With more and more asset managers and ManCos outsourcing to CSP’s, ESMA’s guidelines are a welcome move that should help firms frame their outsourcing arrangements going forward. Partnering with cloud service providers not only helps firms’ reduce costs and enhance operational flexibility and efficiency, but it can also allow firms to tap into the deep experience of specialist firms such as AQMetrics.As a longstanding CSP and regulated entity, we have a deep understanding not only of regulatory and risk matters, but also all aspects of outsourcing and complying with regulator guidelines.