UK will not adopt EIOPA cloud outsourcing guidance for insurers

Out-Law News | 10 Jul 2020 | 8:28 am | 3 min. read

Insurers operating across Europe will have to consider two sets of regulatory guidelines on cloud outsourcing from 2021 in light of a new announcement by the UK's Financial Conduct Authority (FCA).

The regulator announced on Wednesday that guidelines on outsourcing to cloud service providers, finalised earlier this year by the European Insurance and Occupational Pensions Authority (EIOPA), will not apply to "regulated activities within the UK’s jurisdiction". Instead, UK-regulated activities will remain subject to the FCA's own cloud outsourcing guidelines, which have been in force since 2016 and were most recently updated in September last year. Some institutions may also be subject to guidelines on outsourcing being developed currently by the Prudential Regulation Authority (PRA).

The FCA said: "The FCA has notified EIOPA that the guidelines are not applicable to regulated activities within the UK’s jurisdiction, as they will enter into force on 1 January 2021, after the EU withdrawal transition period is expected to end."

"We will continue to apply the FCA guidance for firms outsourcing to the cloud and other third-party IT services in the UK... We will keep this guidance under review and, where appropriate, consult to update this to ensure it remains consistent with relevant international standards," it said.

The EIOPA guidance will apply to all new cloud outsourcing arrangements entered into or amended on or after 1 January 2021 by insurance and reinsurance providers. The guidelines expand on legislative requirements contained in the EU's so-called 'Solvency II' framework. Insurers will have until the end of 2022 to bring cloud outsourcing contracts entered into prior to that date into line with the new requirements.

Yvonne Dunn, an expert in technology outsourcing contracts in financial services at Pinsent Masons, the law firm behind Out-Law, said: "The FCA has led the way in seeking to break down the barriers financial institutions face in adopting cloud-based services. Its guidelines expressly recognise the 'cost efficiencies, increased security, and more flexible infrastructure capacity' that cloud solutions offer the sector."

"The EU's supervisory authorities – prompted by the European Commission – have followed the FCA's lead and developed their own new or refreshed guidelines to promote cloud adoption in financial services across the wider EU market. The European Banking Authority's (EBA's) revised outsourcing guidelines are already in force and EIOPA's guidelines are due to take effect from the beginning of next year. Further cloud outsourcing guidelines relevant to regulated businesses in the investment market are being consulted on by the European Securities and Markets Authority (ESMA) currently," she said.

"Throughout the development of the various guidelines we have consistently called for EU supervisory authorities to ensure their guidelines are not only pragmatic but as closely aligned to one another as possible, as this offers the advantage to financial services institutions with a mix of banking, insurance and investment arms of scope to apply standardised risk management processes across their operations to ensure their outsourcing arrangements are compliant with the regulatory requirements," Dunn said.

"The FCA's announcement means insurers in particular will have to factor in two sets of guidelines where they have cross-border operations spanning the UK and EU member states. There are associated additional compliance burdens for the industry, and potential implications for a future UK-EU trade arrangement on which recognition of equivalent regulatory standards might be based," Dunn said.

Luke Scanlon, also of Pinsent Masons, said the FCA's announcement suggests that the same approach will be taken in the UK to ESMA's cloud outsourcing guidelines when they are finalised.

"The FCA's announcement centres on the fact that European supervisory authority guidelines and recommendations are not considered to be 'retained EU law' after Brexit exit day," Scanlon said. "While there is an expectation that UK regulated entities will continue to apply EU guidelines that came into force before the Brexit exit day earlier this year – in this specific context of outsourcing that means the EBA's outsourcing guidelines – the UK status of EU guidelines coming into force after the Brexit implementation period ends is currently unclear, and are free to choose not to adopt EU guidelines that will take effect from 2021 onwards – such as the EIOPA guidelines as the FCA has clarified here. We expect a similar approach to be taken towards the ESMA guidelines."

"However, the FCA has repeatedly indicated that it will continue to have regard to regulatory guidelines and standards developed outside of the UK post-Brexit. The issue of divergence from EU standards is a sensitive one that is exercising negotiators on both sides of the proposed EU-UK future trade agreement, and so it is perhaps unlikely, at least in the short-term, that we will see UK outsourcing regulatory expectations differ greatly from those imposed by the EU supervisory authorities. Institutions should consider a mapping exercise to understand the overlap across the various guidelines to best future-proof their policies and procedures," he said.