On 10 May 2021, ESMA published Cloud Outsourcing Guidelines (the Guidelines) which apply to the outsourcing of functions to cloud service providers by regulated entities, including UCITS managers and AIFMs (Fund Managers). The Guidelines are applicable to new (including amended or renewed) cloud outsourcing arrangements from 31 July 2021 and Fund Managers have until 31 December 2022 to ensure existing arrangements take account of the Guidelines.
The Guidelines require Fund Managers outsourcing functions to cloud service providers (CSPs) to:
- have in place cloud outsourcing strategies;
- establish a register of cloud outsourcing arrangements; and
- ensure outsourcing agreements with CSPs and sub-outsourcing arrangements comply with the Guidelines.
The Guidelines also require competent authorities to incorporate the assessment of cloud outsourcing arrangements into their supervisory processes. Entities in scope of the Guidelines can therefore expect compliance with the Guidelines to form part of future Central Bank supervisory engagements with relevant Fund Managers.
Arrangements in scope of the Guidelines include delegation or any other arrangement through which a CSP is appointed to perform functions that would otherwise be undertaken by the Fund Manager, as well as arrangements with a non-CSP third party that relies significantly on a CSP to perform the outsourced function.
Outsourcing of Critical or Important Operational Functions or Activities
While the Guidelines apply to all cloud outsourcing arrangements, the outsourcing of critical or important functions to CSPs is subject to more onerous requirements. Critical functions are defined as those which, if not performed or performed defectively, would materially impair a Fund Manager’s compliance with its legal obligations, its financial performance, or the soundness or continuity of its main services and activities. Fund Managers must report to the Central Bank on any review of a critical-function cloud outsourcing arrangement which is not finalised by 31 December 2022, setting out the measures planned to complete the review or, where applicable, the possible exit strategy.
Guidelines for Fund Managers’ cloud outsourcing arrangements are summarised below:
Governance, oversight and documentation
Fund Managers should have a defined and up-to-date cloud outsourcing strategy which clearly assigns responsibility for compliance with the Guidelines and allocates sufficient resources to it. Taking account of the nature, scale and complexity of their activities, Fund Managers should establish a cloud outsourcing oversight function or, at least in the case of smaller, less complex firms, ensure a clear division of tasks and responsibilities for the management and oversight of arrangements. Risk-based monitoring of CSPs must be carried out, with a focus on critical functions. Fund Managers should establish and maintain a register of cloud outsourcing arrangements that distinguishes between critical and non-critical outsourced functions and records the basis on which each classification was made. For critical outsourced functions, the register must include specified details of the CSP agreement, the risk assessment and audit of the CSP, any sub-outsourcing, and the estimated annual budget cost of the cloud outsourcing arrangement.
Pre-outsourcing analysis and due diligence
In advance of any CSP appointment, Fund Managers should carry out pre-outsourcing analysis and due diligence of the CSP, on a proportionate basis having regard to the function outsourced. Due diligence should include at least an assessment of the potential impact of the cloud outsourcing arrangement on the Fund Manager’s operational, legal, compliance, and reputational risks. Additional risk assessments and due diligence on the suitability of the CSP are required if outsourcing critical functions.
Key contractual elements
The outsourcing arrangement with a CSP must be governed by a written agreement which should expressly allow the Fund Manager to terminate the agreement where necessary. If critical functions are outsourced, the CSP agreement must address the specified terms set out in the Guidelines, including the parties’ obligations, any sub-outsourcing permissions, where the outsourced function will be provided and where data will be processed and stored, security and protection of personal data, agreed service levels including quantitative and qualitative KPIs, and data access rights.
Having regard to the nature, scale and complexity of the outsourced function, Fund Managers should adopt information security requirements including to protect confidential, personal or otherwise sensitive data. In the case of outsourced critical functions, the application of a risk-based approach should at least ensure a clear allocation of roles and responsibilities between the CSP and the Fund Manager, strong access controls, the use of encryption technologies, appropriate levels of network security, security of application programming interfaces, effective business continuity and disaster recovery controls, and compliance by the CSP with internationally recognised information security standards.
In advance of outsourcing of critical functions, Fund Managers should develop and maintain comprehensive, documented and sufficiently tested exit plans identifying alternative solutions and transition plans for termination of, and the removal of data from, the CSP. To that end, CSP agreements should include an obligation on the CSP to support the orderly transfer of the outsourced function.
Access and Audit Rights
CSP agreements must not limit a Fund Manager’s data access rights, audit rights and oversight of a CSP. To support the efficient use of audit resources, Fund Managers’ oversight of CSPs may rely on third party certifications, external or internal audit reports of the CSP or pooled audits performed jointly with other clients of the CSP, subject to compliance with specified reliance conditions applicable to the outsourcing of critical functions.
Where critical functions are sub-outsourced, the CSP agreement should require the CSP to give prior notice of its intention to sub-outsource functions under the agreement, and should reflect that the CSP remains accountable for, and responsible for overseeing, compliance of the sub-outsourced functions.
Written notification to competent authorities
Fund Managers should notify the Central Bank (or relevant competent authority) in a timely manner of planned cloud outsourcing arrangements relating to critical or important functions or of any re-classification as critical of a non-critical function. The regulatory notification should include the start date of the CSP agreement, the next contract renewal date, the end date and/or termination notice periods, a description of the outsourced function, reasons for outsourcing, details of the CSP risk assessment performed by the Fund Manager and its CSP approval process along with any applicable sub-outsourcing of critical functions.
The Guidelines provide for competent authorities’ risk-based assessment of cloud outsourcing arrangements, in particular those involving critical functions performed outside the EU. Fund Managers should begin assessing any existing cloud outsourcing arrangements for compliance with the Guidelines, and should be aware that ESMA has mandated supervisory reviews by competent authorities to focus on ensuring that entities in scope of the Guidelines have in place “the relevant governance, resources and operational processes to appropriately and effectively enter into, implement, and oversee cloud outsourcing arrangements and identify and manage all relevant risks related to such outsourcing.”
The Guidelines apply to any new or newly amended arrangements from 31 July 2021, with existing arrangements required to be amended where necessary to take account of the Guidelines by 31 December 2022. Fund Managers should also take note of the obligation under the Guidelines to notify the Central Bank of any outsourcing of critical functions to CSPs.
Contributed by Shannon O’Neill