Clarification on Outsourcing Guidance for using Cloud in the Financial Services Sector – which rules apply?
There have been some important announcements by the FCA and the European Banking Authority (EBA) clarifying guidance on outsourcing, in particular outsourcing to the cloud and to third-party IT services.
This guidance is relevant for firms, for the IT service providers serving them, and for FinTech providers, who have done much to push financial institutions to innovate, adapt their business models and accelerate cloud adoption. Firms and outsourcing providers should note in particular the new guidance on contract termination rights and on the importance of full supply chain transparency.
The guidance is issued in the midst of a wide review of operational risk and resilience, notably the Bank of England, FCA and PRA joint discussion paper, which reviews the risk of operational disruption, including disruption caused by technology or cyber risk, and encourages a deeper analysis of the systems and processes underlying business services and of ways to measure impact tolerances.
What guidance has been issued and who does it apply to?
The FCA issued guidance to firms in draft in 2016 (FG 16-5). This guidance has just been issued in final form. The guidance expressly does not apply to banks, building societies, designated investment firms or IFPRU investment firms to whom the EBA guidance applies.
In turn, the EBA has issued draft guidelines on outsourcing arrangements (EBA/CP/2018/11) dated 22 June 2018.
This guidance will supersede the recommendation on outsourcing to cloud service providers published in December 2017 as the guidance is integrated into the wider outsourcing guidance.
This overlapping regime will present interpretation issues for cloud service providers, and for investment firms now covered by EBA guidelines instead of FCA guidelines.
FCA Guidance 16/5 was generally well received. It allowed cloud operators to review cloud-specific controls against the general FCA outsourcing requirements, found in the Systems and Controls (SYSC) sections of the FCA Handbook for appropriately regulated firms, and to evaluate consistency with GDPR. The finalised FCA Guidance presents a list of areas that firms should consider in relation to outsourcing, by reference to general common-sense requirements under the cloud guidance. The guidance expressly acknowledges the importance of international standards in the purchase of cloud computing, and of consistency with information security and GDPR data protection obligations.
EBA Cloud guidelines
The EBA Recommendations (EBA/REC/2017/03) dated 28 March 2018 (recommendations on outsourcing to cloud service providers) comprised a short set of guidelines which apply from 1 July 2018. The guidelines require a materiality assessment to be conducted for each outsourcing, taking into account all of the following (paragraph 4.1):
- the criticality and inherent risk profile of the activities to be outsourced
- the direct operational impact of outages, and related legal and reputational risks
- the impact that any disruption of the activity might have on the institution’s revenue prospects
- the potential impact that a confidentiality breach or failure of data integrity could have on the institution and its customers.
The advantage of the relatively short-form guidance was its clear focus on audit and access rights, together with security of data and systems, and exit and subcontracting requirements (so-called “chain outsourcing”).
EBA Outsourcing guidelines
The new EBA Guidelines (EBA/CP2018/11) dated 22 June 2018 are currently in the consultation phase, with an indicative start date of 30 June 2019. Consultation closed on 24 September 2018. The guidelines apply more generally to outsourcing arrangements, with specific provisions for cloud outsourcing. This is logical in so far as cloud is a form of outsourcing, but the ability of banks and institutions covered by the EBA Guidelines to negotiate specific provisions could cause friction with the more standardised contract approach of cloud computing compared with more bespoke outsourcings.
The wider approach also gives FinTechs, and the outsourcing providers they use, further questions to consider in detail around how the guidance will in fact apply to cloud. FinTechs and cloud providers will need to evaluate how the guidance applies to the “one to many” standardised services they could offer. In particular, they will have to consider whether their responses to tenders and tender response packs will in fact provide the right information, in the right format, for the service to be correctly aligned with the obligations on the regulated firm.
The guidance acknowledges (at paragraphs 41 – 43) that the concentration risk of using cloud providers will be monitored, to avoid single points of failure where many institutions rely on the same providers.
Who does the guidance apply to?
The guidance applies to institutions, payment institutions and electronic money institutions, in particular with regard to the outsourcing of critical or important functions (bearing the meaning given in MiFID II).
For this purpose, outsourcing means “an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity, or parts thereof that would otherwise be undertaken by the institution, the payment institutions or the electronic money institution itself”. This definition is consistent with existing definitions of outsourcing, but still does not clarify whether certain functions such as HR or CRM, which are common to any regulated or non-regulated business and are common uses for cloud computing, are “outsourcing”.
As such, the guidance also applies to outsourcings that are not critical or important, but with a proportionate approach to compliance.
The guidance will apply to new outsourcings from the implementation date, with existing contracts being reviewed at the next scheduled renewal date following the implementation of the guidance.
Detail of the outsourcing process and supplier evaluation
Each outsourcing requires a detailed pre-outsourcing analysis to be conducted by the firm assessing criticality and appropriate due diligence requirements. Paragraph 48 describes the key requirements:
Title IV – Outsourcing process
9. Pre-outsourcing analysis
48. Before entering into any outsourcing arrangement, institutions and payment institutions should:
- assess whether the planned outsourcing concerns a critical or important function in accordance with Section 9.1
- undertake appropriate due diligence on the prospective service provider in accordance with Section 9.2
- identify and assess all relevant risks of the outsourcing arrangement in accordance with Section 9.3
- identify and assess conflicts of interest that the outsourcing may cause in line with Section 5
- consider the consequences of where the service provider is located (within or outside the EU)
- consider whether the service provider is part of the institution's accounting consolidation group and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2.
Due diligence must establish whether the proposed outsourcer has “appropriate and sufficient ability, capacity, resources, organisational structure, and if applicable, required regulatory authorisations to perform the critical or important function in a reliable and professional manner over the duration of the proposed contract”. A detailed risk assessment must be conducted to demonstrate this. This may be a challenge where start-up FinTechs are engaged. Section 10 of the guidance contains the detailed contractual requirements. Paragraph 63 contains the detail:
63. The outsourcing agreement should set out at least for all outsourcing arrangements:
- a clear description of the outsourced function
- the start and end dates of the agreement, including notice periods
- the governing law of the outsourcing arrangement
- whether the sub-outsourcing of a critical or important function is permitted and if so, the agreement should ensure that the sub-outsourcing is subject to conditions specified in Section 10.1
- the location(s) where the critical or important function will be provided and/or where relevant data will be kept, including the possible storing locations, and processed and the conditions to be met, including a requirement to notify the institution or the payment institution if the service provider proposes to change the location(s)
- where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data, as further specified in Section 10.2
- the obligation of the service provider to cooperate with the competent authorities of the institution or the payment institution, including other persons appointed by them, and
- the unrestricted right of institutions, payment institutions and competent authorities to get any information needed with regard to the outsourcing and to access and audit the service provider as further specified in Section 10.3.
There is a clear recognition, in the substantive obligations of the contract, of national resolution authorities’ powers (especially under articles 68 and 71 of directive 2014/59/EU). Many FinTechs and cloud providers will not be familiar with these requirements, so may need to develop a more detailed understanding of the recovery and resolution agenda.
Sub-outsourcing requirements
While this is an area of regulatory focus, the depth of sub-outsourcing information to be provided for standardised services is already causing regulated firms difficulty in their procurement, and will also cause many outsourcing providers, particularly cloud providers relying on hyperscale infrastructure, difficulty in meeting the transparency requirements. Transparency on sub-outsourcing is of course necessary to understand the supply chain, but in a one-to-many service it is often difficult for providers to change subcontractors. The concern many providers will have is that they will simply not be able to get adequate information from their supply chain in practice. The only bargaining power the institution may have in discussions on changes of subcontractors is the ability to terminate the service if the subcontractor is not satisfactory, which is theoretically possible but may present practical difficulties where there are only a limited number of substitute services. The inclusion of right-to-terminate provisions could also affect outsourcers’ revenue recognition.
The guidance specifically requires the service provider to obtain prior approval from an institution before sub-outsourcing data which is subject to GDPR. This will conflict with many GDPR provisions and data policies that have already been painfully negotiated.
There is also an obligation on the service provider to inform the institution of any planned sub-outsourcing or material changes, in particular where these may affect the service provider's ability to meet its responsibilities under the outsourcing agreement, and to give adequate notice to allow the regulated firm to carry out a risk assessment.
The termination rights are widely drawn in paragraph 81. Such termination rights may be more common in non-cloud outsourcings, and will require careful risk analysis in each case. They include events, such as (d) below, where an actual breach may not have occurred.
81. The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate it, in accordance with national law, including in the following situations:
- the provider of outsourced services is in a breach of applicable law, regulation, or contractual provisions
- identified impediments capable of altering the performance of the outsourced service
- there are material changes affecting the outsourcing arrangement or the service provider (such as sub-outsourcings or changes of sub-contractors)
- there are weaknesses regarding the management and security of confidential data, personal data or otherwise sensitive data and information, and
- instructions of the institution or payment institution’s competent authority, e.g. in the case that the competent authority is not in the position to effectively supervise the institution or the payment institution.
The guidance will need to be very carefully scrutinised by both firms and outsourcing providers. In time, the formalisation of the guidance will inevitably trigger a further round of contract amendments which will need to be negotiated, although some care has been taken to allow for review at appropriate renewal points.
Overview on Outsourcing Guidance
The table below is intended as a brief summary of the comparison between the Financial Conduct Authority (FCA), Committee of European Banking Supervisors (CEBS) and European Banking Authority (EBA) guidelines on outsourcing.
Comparison of FCA, CEBS and EBA Guidelines on Outsourcing

| | FCA Guidance for firms outsourcing to the "cloud" and other third-party IT services ("FCA Guidelines") | CEBS Guidelines on Outsourcing (“CEBS Guidelines”) | EBA Draft Guidelines on Outsourcing arrangements (“EBA Guidelines”) |
|---|---|---|---|
| Application of Guidelines | Firms authorised under FSMA other than: banks, building societies, designated investment firms or IFPRU investment firms. | Credit institutions. | Credit institutions; and now investment firms (subject to CRD); payment institutions; and electronic money institutions. |
| Governance requirements | Firms retain full accountability for discharging all of their responsibilities under the regulatory system and cannot delegate responsibility to the service provider. Importantly, services should be organised in such a way that they do not become a barrier to the resolution or orderly wind-down of a firm, or create additional complexity in a resolution. | Ultimate responsibility lies with senior management. | Ultimate responsibility remains with senior management. Additional requirements for payment and electronic money institutions: to ensure regulatory compliance and to designate a senior staff member to monitor outsourcing arrangements. |
| Policy and Procedure Requirements | Firms should have in place appropriate arrangements to ensure they can continue to function and meet their regulatory requirements in the event of an unforeseen interruption of the outsourced service. Firms also need to have a comprehensive change management process and exit strategy in place. | Clear policies on approach to outsourcing, including contingency and exit plans. Outsourcing institutions required to conduct business in a controlled and sound manner. | Stronger approach: outsourcing policy to be approved, maintained and implemented at all levels of the business. Institutions and payment institutions to ensure the policy covers potential effects on risk profile. Contingency and exit strategies to be developed separately. |
| Restrictions on outsourcing | | Authorisation required from supervisory authority, excluding non-material outsourcing. | No authorisation required from supervisory authority. Institutions and payment institutions to ensure continuity and contingency arrangements are in place. |
| Contractual and Due Diligence Requirements | Before acceptance, Firms should review the contract with the outsource provider to ensure it complies with the FCA requirements; in doing so a Firm may wish to take account of the provider's adherence to international standards. The fundamental principle is that Firms should identify and manage any risks introduced by their outsourcing arrangements. | All outsourcing arrangements subject to a formal and comprehensive contract. Outsourcing institutions also required to have a written agreement in place, outlining the key responsibilities of both parties. | Institutions and payment institutions required to perform pre-contractual due diligence. More detailed written agreement required, meeting minimum standards. Provisions required to be agreed permitting sub-outsourcing. Additional access, information, audit and termination rights. Institutions and payment institutions now also required to maintain a register detailing all outsourcing arrangements. |
| Implementation, monitoring and management of outsourcing arrangements | Firms should have effective access to data related to the outsourced activities, as well as to the business premises of the service provider. | Outsourcing institutions should manage the risks of outsourcing arrangements through ongoing assessments. | More stringent requirements in place. Internal audit functions now required to cover minimum standards. Outsourcing institutions required to report periodically to the management function on the performance of ongoing outsourcing arrangements, covering sub-outsourcing and regular updates of the pre-contractual risk assessment. Additional requirement for institutions and payment institutions to maintain a register detailing all outsourcing arrangements, to be made available in a common format for review and evaluation, or upon request from the competent authority. Additional activity reporting requirements. |
| | | Supervisory authorities to consider associated risks and have access to outsourcing institution data and premises. | No further requirement for supervisory oversight. |