In a statement published on 8 July 2020, the FCA confirmed that the recent European Insurance and Occupational Pensions Authority (EIOPA) guidelines on outsourcing to cloud service providers for insurance and reinsurance undertakings will not apply to regulated activities within the UK’s jurisdiction, because the guidelines enter into force on 1 January 2021, after the EU withdrawal transition period is expected to end and Brexit is finally fully effective.
The FCA has advised it will continue to apply the FCA guidance on firms outsourcing to the cloud (finalised guidance FG16/5 updated September 2019) for insurance firms within the scope of its regulatory supervision.
While the FCA’s approach may result in some reduced obligations for FCA regulated firms that are purely UK based, the notification obviously does not exclude the application of the EIOPA guidelines to businesses operating within Europe. As such, businesses that operate in multiple territories, or that will harmonise to global or international standards, will still take account of the EIOPA guidelines. On this basis, many firms will consider the EIOPA guidelines still to be relevant, and it is therefore important for such firms to undertake a mapping exercise to understand the areas of overlap, as well as any differences, between the different guidelines.
The EIOPA guidelines are harmonised with existing regulation for banking and financial services, including the European Banking Association (EBA) guidelines on which the EIOPA guidelines are based.
The PRA, which also regulates insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents, is also currently consulting on outsourcing, having issued consultation paper CP30/19 in December 2019, which expressly takes into account both the EIOPA guidelines and the EBA guidelines. Consultation feedback is expected this autumn, so it will be interesting to see whether the references to the EIOPA guidelines are adjusted as a result of the FCA’s now stated position.
This means that insurers will need to analyse the applicable outsourcing guidelines carefully and decide whether to harmonise systems and processes for cloud services to the EBA benchmark as well as to FCA guidance, or to adopt a more limited approach where the existing FCA guidance alone will apply. More generally, cloud and infrastructure providers providing services in the financial services sector, or firms with dual regulation, may have to analyse the differences between applicable UK and EU guidelines, including the EIOPA guidelines, while being mindful of any changes to the draft supervisory statement issued by the PRA once it is finalised.
Given the international, multi-tenant nature of the cloud, many insurers and vendors will choose to harmonise to a more general standard. In practice, therefore, the announcement may do little to assist insurers and vendors, for whom standardisation and common procedures are more likely to enable consistent service performance and operational resilience. It is, however, encouraging that the FCA’s statement provides, with regard to its guidance FG16/5: “We will keep this guidance under review and, where appropriate, consult to update this to ensure it remains consistent with relevant international standards.”