ESMA's draft guidelines set out a series of risk assessments regulated investment firms would need to carry out before determining whether to outsource functions of their operations to cloud service providers. Pinsent Masons said it is not practical to expect those firms, as ESMA has proposed, to monitor concentration risk across the sector. Concentration risk is a term used to describe the risk of dependency on a single or limited number of suppliers. ESMA's plans to require firms to consider personal data processing requirements "over and above" those applicable under the General Data Protection Regulation (GDPR) should also be rethought, Pinsent Masons said.
Pinsent Masons said: "We suggest that ESMA clarify that it does not intend to impose any rules relating to the processing of data which are in excess of those required under GDPR and by data protection supervisory authorities. If a regulated entity has taken all necessary steps to comply with the data protection regulatory framework, the ESMA guidelines should not be viewed as further restricting transfers of data where the transfer would otherwise be permissible but for the ESMA guideline."
"A clear statement that it is not the intention of ESMA to restrict the compliance options regulated entities have at their disposal under the data protection regulatory framework will lead to more certainty and a reduction of cost for regulated entities in addressing data protection issues," it said.
On ESMA's proposed documentation requirements, Pinsent Masons said that while it is reasonable to expect regulated investment firms to keep a record of where data is stored when outsourced to the cloud, the supervisory authority should remove the proposed requirement that they document the countries in which data may be processed by their cloud providers. It further called on ESMA to remove the requirement, which ESMA intends to apply to the outsourcing of critical or important functions, that regulated investment firms ensure the location of data processing is listed in their cloud outsourcing agreements.
On information security requirements, Pinsent Masons urged ESMA to remove reference to specific security practices that firms subject to its guidelines could implement. This would help avoid "the unintended consequence of technical security teams within regulated entities and CSPs building solutions to meet the specific words of regulatory guidance even if to do so would not be best practice from a security risk perspective", it said.
Pinsent Masons also called on ESMA to bring its requirements around 'sufficient' testing of exit plans into line with those set by the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA), and to clarify the circumstances in which the cloud service provider (CSP) must notify the customer of a material change in its sub-outsourcing arrangements.