UK will not adopt EIOPA cloud outsourcing guidance for insurers

The regulator announced on Wednesday that guidelines on outsourcing to cloud service providers, finalised earlier this year by the European Insurance and Occupational Pension Authority (EIOPA), will not apply to "regulated activities within the UK’s jurisdiction". Instead, UK-regulated activities will remain subject to the FCA's own cloud outsourcing guidelines, which have been in force since 2016 and were most recently updated in September last year. Some institutions may also be subject to guidelines on outsourcing being developed currently by the Prudential Regulation Authority (PRA).

The FCA said: "The FCA has notified EIOPA that the guidelines are not applicable to regulated activities within the UK’s jurisdiction, as they will enter into force on 1 January 2021, after the EU withdrawal transition period is expected to end."

"We will continue to apply the FCA guidance for firms outsourcing to the cloud and other third-party IT services in the UK... We will keep this guidance under review and, where appropriate, consult to update this to ensure it remains consistent with relevant international standards," it said.

The EIOPA guidance will apply to all new cloud outsourcing arrangements entered into or amended on or after 1 January 2021 by insurance and reinsurance providers. The guidelines expand on legislative requirements contained in the EU's so-called 'Solvency II' framework. Insurers will have until the end of 2022 to bring cloud outsourcing contracts entered into prior to that date into line with the new requirements.

Yvonne Dunn, an expert in technology outsourcing contracts in financial services at Pinsent Masons, the law firm behind Out-Law, said: "The FCA has led the way in seeking to break down the barriers financial institutions face in adopting cloud-based services. Its guidelines expressly recognise the 'cost efficiencies, increased security, and more flexible infrastructure capacity' that cloud solutions offer the sector."

"The FCA's announcement means insurers in particular will have to factor in two sets of guidelines where they have cross-border operations spanning the UK and EU member states. There are associated additional compliance burdens for the industry, and potential implications for a future UK-EU trade arrangement on which recognition of equivalent regulatory standards might be based," Dunn said.

Luke Scanlon, also of Pinsent Masons, said the FCA's announcement suggests that the same approach will be taken in the UK to ESMA's cloud outsourcing guidelines when they are finalised.

"The FCA's announcement centres on the fact that European supervisory authority guidelines and recommendations are not considered to be 'retained EU law' after Brexit exit day," Scanlon said. "While there is an expectation that UK regulated entities will continue to apply EU guidelines that came into force before the Brexit exit day earlier this year – in this specific context of outsourcing that means the EBA's outsourcing guidelines – the UK status of EU guidelines coming into force after the Brexit implementation period ends is currently unclear, and are free to choose not to adopt EU guidelines that will take effect from 2021 onwards – such as the EIOPA guidelines as the FCA has clarified here. We expect a similar approach to be taken towards the ESMA guidelines."

"However, the FCA has repeatedly indicated that it will continue to have regard to regulatory guidelines and standards developed outside of the UK post-Brexit. The issue of divergence from EU standards is a sensitive one that is exercising negotiators on both sides of the proposed EU-UK future trade agreement, and so it is perhaps unlikely, at least in the short-term, that we will see UK outsourcing regulatory expectations differ greatly from those imposed by the EU supervisory authorities. Institutions should consider a mapping exercise to understand the overlap across the various guidelines to best future-proof their policies and procedures," he said.