Finance & Technology Luxembourg (FTL), in cooperation with the Digital Banking and FinTech Innovation Cluster of the Luxembourg Bankers’ Association (ABBL), organised a joint event to draw the attention of financial institutions and professionals of the financial sector (support PFS) to the recent initiatives of European and national competent authorities regarding the regulation of outsourcing and cloud computing arrangements in the financial sector. The event, entitled “Cloud Outsourcing Regulation: Updates and Implications”, hosted about 300 participants, indicating a high level of interest among bankers and their technology partners in this very important topic.
A diverse line-up of speakers representing the ABBL, FTL, KPMG Luxembourg, the CSSF and NautaDutilh Avocats Luxembourg provided the members of the two professional associations with essential knowledge and insights on what is currently happening in the regulation of cloud outsourcing.
According to a recent survey on the adoption of cloud computing services by financial institutions, administered by the ABBL, 34% of banks, credit institutions and payment institutions in Luxembourg currently deploy cloud computing services, and 55% of entities plan to do so in the near future. Software as a service (79%), private cloud (47%) and subcontracting abroad / group exemption (55%) are the most popular service models, deployment models and approaches used by financial institutions. Notifications to the CSSF (including authorisations), management of outsourcing risks, governance, system security and criticality are the top five issues faced by supervised entities in the process of adopting cloud computing services.
On 25 February 2019, the European Banking Authority (EBA) released its guidelines on outsourcing arrangements, introducing a more harmonised regulatory framework with more detailed and prescriptive requirements. Financial institutions should first establish whether an arrangement with a third party falls under the definition of outsourcing. According to the guidelines, outsourcing means an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself. The EBA guidelines enter into force on 30 September 2019, followed by a 27-month transitional period running until 31 December 2021. The first deadline applies to new, reviewed or amended outsourcing arrangements. However, the transitional period will not apply to cloud outsourcing, meaning that such arrangements have to comply with the EBA guidelines from the date of entry into force. During the transitional period, institutions should review and amend existing outsourcing arrangements accordingly. The guidelines cover several aspects, such as proportionality, assessment of outsourcing arrangements, the governance framework, the outsourcing process, and guidelines on outsourcing addressed to competent authorities.
In Luxembourg, the Commission de Surveillance du Secteur Financier (CSSF) recently amended CSSF circular 17/654 “IT outsourcing relying on a cloud computing infrastructure” by means of CSSF circular 19/714. The major changes are the following:
- Addition of investment fund managers in the scope of application (in line with Circular CSSF 18/698);
- Reminder of the general principle of proportionality; in this context, introduction of optionality for some requirements for non-material activities only;
- Introduction of a register to be maintained by the supervised entities, covering all cloud computing outsourcing of both material and non-material activities;
- Removal of the obligation to notify the CSSF of a cloud computing outsourcing of non-material activities, in favour of maintaining the register;
- Replacement of the “compliance table” by more specific and pragmatic forms;
- Rewording and/or reorganisation of some paragraphs for more clarity (minor changes).
According to CSSF circular 19/714, the principle of proportionality remains optional (at the institution’s discretion), applies to non-material outsourcing only and is limited to several specific cases. The use of the principle of proportionality, its justification and the points concerned can be recorded in the register. The register is not automatically submitted to the CSSF but may be requested by the CSSF at any time. The CSSF has published two documents on this matter: “A guide to assist the entities in qualifying the materiality of the activities” and “FAQ to assist the entities in their analyses and procedures”.
In line with CSSF regulation, an IT outsourcing is considered material if at least one of the following conditions is met:
- From a technical point of view, the outsourced IT operational functions, activities or services safeguard the security and continuity of critical parts of the IT infrastructure. A deficiency in these outsourced IT operational functions, activities or services may significantly disrupt the ability of the supervised entity to protect its IT infrastructure and, therefore, the ability of the supervised entity to operate its material activities in a controlled manner.
- From a business point of view, the outsourced IT operational functions, activities or services support a material activity.
The CSSF points out that a failure or dysfunction of the IT operational functions, activities or services may have several types of impact on the business activity: a financial impact, a potential for business disruption, a potential reputational impact, a regulatory impact and a strategic impact.
The regulatory initiatives of the CSSF and the EBA have an impact on the contractual aspects of cloud outsourcing frameworks. The two sets of rules still differ in content, yet both must be respected. As regards intra-group outsourcing, the CSSF regulation makes no distinction, while the EBA guidelines take intra-group specificities into account. Drafting a contract is always embedded in a larger interplay of other important aspects such as governance, the outsourcing policy, pre-outsourcing analysis, audit monitoring and termination. Outsourcing agreements must reflect the prior risk assessments and vendor due diligence.
The role of a support PFS becomes evident in the case of indirect outsourcing to a cloud service provider (CSP). The resource operator in this arrangement integrates the cloud services into a wider cloud operation contract and is fully responsible for the CSP’s service level quality. An institution supervised by the CSSF that consumes cloud computing resources for the purpose of carrying out its activities (ISCR) must verify that the resource operator meets the requirements of the CSSF cloud circular and that the operator has performed due diligence on the CSP covering the elements of the cloud circular.
To conclude, the recent regulatory developments by the EBA and the CSSF are important initiatives in providing a framework that makes the adoption of cloud outsourcing arrangements possible for financial services firms. The latter must take all necessary steps to make themselves fully compliant with the respective regulations. The CSSF will continue the gradual transposition of the EBA guidelines into the national regulatory environment; as such, a new updated cloud circular should be introduced soon. However, one should remember that, unless the financial institution is directly supervised by the EBA, the entity has to comply with national regulations first and then consider the EBA guidelines.
by Andrey Martovoy, ABBL