Regulatory focus on outsourcing to the cloud

Regulators have recently voiced concerns over the increasing number of firms taking up the opportunities afforded by outsourcing services to cloud-based providers. The European Securities and Markets Authority (ESMA) published a report in April 2018 on the Risks and Vulnerabilities in the EU Financial System, in which ESMA flags ICT risks as one of four main areas of concern. Similarly, the Financial Conduct Authority (FCA) has listed data security, resilience and outsourcing as one of its focus areas for the coming year in its most recent business plan.

As an illustration of the increase in outsourcing to the cloud, a report released in April by the research firm Aite Group states that 41% of buy-side firms already outsource at least some of their portfolio management requirements to a cloud provider, with a further 39% considering it. With advantages including the scalability of infrastructure, operational efficiencies and cost-effectiveness, it is unlikely that this trend will slow or reverse in the near term.

While ESMA acknowledges these benefits, it views outsourcing to the cloud as more risky than traditional IT outsourcing. Indeed, both ESMA and the FCA see the risk of outsourcing to the cloud as magnified where a single cloud provider serves many customers. In these situations, a technical failure at, or the insolvency of, one provider could cause widespread disruption to the services it provides across all of its customers at once.

The Aite report suggests that this concentration is largely a result of mergers and acquisitions in the sector. Further, while there is potential for new entrants in the market as a result of the MiFID II rules, these new providers are themselves likely to be acquisition targets for large outsourcing firms, which will only increase the concentration further.

As a consequence, regulators are looking to increase oversight of outsourcing to the cloud. ESMA, for example, is launching a supervisory project on cloud computing. It states that the project’s main objective will be to “explore the compliance risk of cloud computing outsourcing, with a view to formulating a clearer supervisory response and strategy.” It is proposed that any supervisory requirements will be based on the European Banking Authority’s (EBA) Recommendations for the use of cloud service providers by financial institutions published in October 2017. ESMA is considering developing future general guidance on outsourcing to cloud computing service providers for market participants. Simmons & Simmons will continue to monitor publications from ESMA and the EBA and provide updates with regard to any details of such supervision.

In the UK, with data security being a focus, the FCA has stated that over the course of 2018/19, it will increase its understanding of both outsourced services and core infrastructure provision across different sectors through several pieces of thematic and firm-specific work. As part of this, it suggests that it will be conducting investigations over the course of 2018/19 to establish the extent to which outsourcing to the cloud threatens customer data and the functioning of the financial system.

Firms that are either already outsourcing to the cloud or are considering it for the future should be aware of the increased scrutiny that regulators will be directing towards outsourcing and cloud technology over the coming months and years. The FCA has said that in monitoring the potential risk of harm to consumers, its focus will be on "firms' resilience and their ability to keep systems running in the event of major operational problems." It will be looking to reduce any impact on customers caused by IT issues and cyber-attacks.

Under SYSC, regulated firms should already have appropriate oversight and controls in place with regard to third-party providers, and should retain responsibility for the outsourced service as if they provided it themselves. Nevertheless, firms should consider reviewing both their own controls, to ensure they are robust enough, and the cyber security of each third-party outsourcing arrangement, since the regulatory responsibility for a provider's failure remains with the firm.

It is worth noting that both the FCA and ESMA also reference the General Data Protection Regulation (GDPR), and working with data protection regulators, as a means of improving oversight of outsourcing to the cloud and of data security more generally. A key part of the GDPR relates to the secure processing of data by means of "appropriate technical and organisational measures"; the overlap with the aims of the financial regulators is clear. For more information on GDPR, you can visit our microsite.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.