Over the last few years, there's been a whirlwind of new legislation, guidance and updates to guidance released at national and European level in relation to outsourcing in the financial services sector and the application of the outsourcing rules to cloud outsourcing. To the uninitiated it can appear daunting!
Here's a quick summary of the key resources, how they fit together and their application to firms regulated by the FCA and dual-regulated firms (regulated by the FCA and the PRA).
General outsourcing guidelines and rules
- The CEBS Guidelines 2006 (published by the European Banking Authority's (the "EBA") predecessor) set out 12 guidelines for authorised firms outsourcing.
- They apply to credit institutions (e.g. deposit-taking businesses such as banks).
- They were drafted to be consistent with the relevant outsourcing rules in MiFID (2004/39/EC) (implemented in the UK via the SYSC 8 chapter of the FCA Handbook (the "SYSC 8 Rules")).
- Since their publication the regulatory landscape has shifted: MiFID has been replaced by the MiFID II Directive (2014/65/EU), and the Delegated Regulation (EU) 2017/565 supplementing the MiFID II Directive (the "MiFID II Delegated Regulation"), which is directly applicable to common platform firms and contains requirements on outsourcing, has been introduced. In addition, the SYSC 8 Rules have been amended so that most of the rules apply as guidance (see the paragraph below, "SYSC 8 Rules", for more information), and the EBA is discussing replacing the CEBS Guidelines, as mentioned in the June 2018 EBA Consultation Paper: EBA Draft Guidelines on Outsourcing arrangements.
EBA Draft Guidelines on Outsourcing arrangements (June 2018 Consultation Paper)
- It sets out recommendations for credit institutions, MiFID investment firms subject to CRD, payment institutions and electronic money institutions.
- It is relevant to firms outsourcing (whether or not the outsource is material).
- The final version will apply from 30 June 2019 (indicative date) and takes account of relevant European legislation, including the MiFID II Directive and the Delegated Regulation.
- For more detailed information on the Draft Guidelines see our article at: https://www.twobirds.com/en/news/articles/2018/global/eba-consults-on-guidelines-on-outsourcing.
SYSC 8 Rules
- This was one of the key resources for lawyers looking at outsourcing in the FS sector. It set out rules for common platform firms undertaking material outsourcings and best-practice guidance for common platform firms or non-common platform firms undertaking non-material outsourcings.
- Following the implementation of the MiFID II Directive:
- most SYSC 8 Rules apply as guidance to authorised firms (whether or not they are common platform firms). See further SYSC 1, Annex 1, Table A for a summary of what SYSC 8 Rules apply as guidance or rules depending on the type of firm outsourcing; and
- the MiFID II Delegated Regulation sets out the majority of the outsourcing rules for common platform firms – see below.
Delegated Regulation (EU) 2017/565
- Articles 30-32 (inclusive) set out rules for common platform firms undertaking material outsourcings.
- The rules are similar to the SYSC 8 Rules and are directly applicable to common platform firms.
- They also apply to credit institutions as indicated in Article 1(2) of the Delegated Regulation.
PRA Rulebook
- The "Outsourcing" part of the PRA Rulebook sets out some rules for dual-regulated firms authorised under CRD to comply with when outsourcing, including a requirement to comply with the rules of Articles 30 and 31 of the MiFID II Delegated Regulation.
Payment services regulation
- The Payment Services Regulations 2017 transpose PSD2 into UK law.
- It contains specific rules on outsourcing by authorised payment institutions under regulation 25.
Electronic money regulation
- The Electronic Money Regulations 2017 transpose the Electronic Money Directive 2009/110/EC into UK law.
- It contains specific rules on outsourcing by authorised electronic money institutions under regulation 26.
Guidance on outsourcing rules application to cloud outsourcings
The FCA and the EBA have recognised the need to provide additional guidance when it comes to authorised firms outsourcing to cloud service providers (as opposed to traditional outsourcings to non-cloud service providers).
This has been partly triggered by the need to provide much-needed clarity to firms that have expressed uncertainty about how to interpret the existing outsourcing rules in the context of cloud services. That uncertainty risks creating a barrier to firms adopting cloud outsourcing, which can facilitate innovation and offer a number of benefits, including increased competition, cost reduction and increased security for firms, all of which will ultimately benefit consumers.
FG 16/5 Guidance for firms outsourcing to the "cloud" and other third-party IT services (July 2018)
- This sets out non-binding guidance to firms seeking to outsource to cloud service providers.
- The guidance is designed to provide illustrations on how firms can comply with the relevant FCA outsourcing requirements.
- The guidance has recently been updated so that it does not apply to banks, building societies, designated investment firms or IFPRU investment firms.
EBA recommendations on outsourcing to cloud service providers
- This sets out recommendations for credit institutions providing investment services and MiFID investment firms (i.e. common platform firms). It is referred to as "additional guidance" relevant to outsourcing to cloud service providers.
- There is a lot of overlap between the EBA's cloud recommendations and the FCA's guidance as described above.
- Key areas of focus for cloud outsourcing include: access and audit rights to cloud service provider business premises, the approach to "chain" outsourcing (subcontracting by cloud service providers) and contingency plans and exit strategies to ensure an orderly migration of the outsourced function from the cloud service provider to a replacement provider or back in-house.
- (Note: the EBA recommendation on outsourcing to cloud service providers predates the recent Draft Guidelines. The Draft Guidelines take account of the EBA's cloud recommendations and the intention is that the EBA's cloud recommendations will be repealed when the Draft Guidelines come into force.)
A high-level summary of where to look
Type of firm
- Row 1: Credit institutions (defined in Article 4(1) of Regulation (EU) No 575/2013) authorised under CRD IV (Directive 2013/36/EU)
- Row 2: Common platform firms (e.g. some credit institutions like banks and building societies, and MiFID investment firms)
If you're a credit institution providing investment services you have to look at both rows 1 and 2.
- Row 3: PRA-authorised firms excluding insurers (banks, building societies and designated investment firms)
- Row 4: Authorised firms (excluding credit institutions and MiFID investment firms, insurers and firms authorised under the PSRs or the EMRs)
- Row 5: Payment institutions as authorised under 2015/2366/EU (PSD2), implemented in UK law by the PSRs
- Row 6: Electronic money institutions as authorised under 2009/110/EC (e-money Directive), implemented into UK law by the EMRs