The European Association of CCP Clearing Houses (EACH) welcomes the opportunity to provide feedback to the ESMA Consultation Paper 'Draft Guidelines on Outsourcing to Cloud Service Providers'.
Some of the highlights of the EACH response include:
Some general remarks that EACH would like to express regarding the outsourcing to Cloud Service Providers (CSPs) are the following:
Need for a harmonized set of rules for cloud outsourcing - Different sets of national measures on outsourcing hinder the usage of this technology and the respective services. Developing an EU-wide harmonized set of rules would therefore be relevant not only for the financial sector, but also for the economy as a whole.
Clear guidance based on existing rules - For companies, clear guidance based on existing rules would be beneficial. Further, there is a clear need for EU rules covering cloud outsourcing which, on the one hand, promote the uptake of the technology to make the financial industry more competitive and, on the other hand, incorporate existing standards which are already used by the industry.
Additionally, EACH believes that ESMA should explicitly recognize the qualitative differences between a firm outsourcing tasks to an unaffiliated third party and tasks being performed in connection with shared services among affiliates. When tasks are performed as a shared service, the interests of the firm in meeting its responsibilities and of those performing the tasks are aligned, because the ultimate shareholders are the same. By contrast, when a third party performs tasks on behalf of a firm there is no such alignment of interests. Importantly, the firm retains full responsibility, legal liability and accountability to the regulator for all tasks.
Problems/risks of the current cloud market - The asymmetry of negotiating power between customers and CSPs (i.e. considerable effort and time are required to agree regulatory-compliant contracts with CSPs in the financial sector) is detrimental to the current cloud market. Therefore, EACH actively supports the EU work designing “Voluntary Standard Contract Clauses” to facilitate future negotiations. Also, EACH believes it is very difficult to procure/adopt new and innovative cloud solutions, as it takes a long time to ensure that these new services are compliant with the regulations. Therefore, in order to be competitive at global level and attract investments, independent EU cloud structures should be created where possible.
Despite market concentration, cloud use must continue to be possible - The dangers of a strong market concentration with a few non-EU cloud providers ("data sovereignty" ...) must be actively countered not only on the company side, but primarily on the regulatory side. However, mandatory and prescribed measures to reduce the risk of concentration (e.g. cyclical changes of provider) are not appropriate, as they do not address the underlying problem. Instead, Europe-wide standards for cloud technology should be established (e.g. in the areas of outsourcing, data protection or access rights), based on European values and serving as a guideline for third-country providers.
Proportionality - EACH welcomes ESMA’s intention to take proportionality into account when drafting these guidelines, e.g. by differentiating between critical or important functions and non-critical or important functions, with the objective of taking into account the risk underlying the outsourcing of those functions.