Category: MiFid

Final ESMA Guidelines on cloud outsourcing

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

At the end of December 2020, the European Securities and Markets Authority (ESMA) published its final report on its guidelines on outsourcing to cloud service providers (CSP). The purpose of the guidelines is to help firms identify, address and monitor the risks that may arise from their cloud outsourcing arrangements. Since the main risks associated with cloud outsourcing are similar across financial sectors, ESMA has considered the European Banking Authority (EBA) Guidelines on outsourcing arrangements, which have incorporated the EBA Recommendations on outsourcing to cloud services providers and the European Insurance and Occupational Pensions Authority (EIOPA) Guidelines on outsourcing to cloud service providers. This ensures consistency between the three sets of guidelines. The ESMA Guidelines on cloud outscoring apply to MiFID II firms such as investment firms and other financial services providers indirectly but they describe the market standard and set the supervisory framework for the National Competent Authorities (NCAs) in Europe such as the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin).

For the German jurisdiction, BaFin published guidance on outsourcing to cloud providers back in 2018. Please note that the amended MaRisk include outsourcing requirements for investment firms and other financial services providers and already reflect the EBA Guidelines on outsourcing, including cloud outsourcing. For more information on the MaRisk amendment, please see our previous Blogpost.

The guidelines in more detail

The following gives a brief overview of the main content of the ESMA cloud outsourcing guidelines.

  • Guideline 1: Governance, oversight and documentation

Firms should have a defined and up-to date cloud outsourcing strategy which should include, inter alia, a clear assignment of the responsibility for the documentation, management and control of cloud outsourcing arrangements, sufficient resources to ensure compliance with all legal requirements applicable to the firm’s outsourcing arrangements, a cloud outsourcing oversight function directly accountable to the management body and responsible for managing and overseeing the risk of cloud outsourcing arrangements, a (re)assessment of whether the cloud outsourcing arrangements concern critical or important functions as well as an updated register of information on all cloud outsourcing arrangements. For the outsourcing of critical or important functions, the ESMA guidelines include a detailed list of information which should be included in the register.

  • Guideline 2: Pre-outsourcing analysis and due diligence

ESMA provides information on what is required for the pre-outsourcing analysis (e.g. an assessment if the cloud outsourcing concerns a critical or important function). In the case of outsourcing of critical or important function, firms should conduct a comprehensive risk analysis and take into account benefits and costs of the cloud outsourcing and perform an evaluation of the suitability of the CSP.

  • Guideline 3: Key contractual elements

The guidelines provide a detailed list of what a written cloud outsourcing agreement should include in case of outsourcing of critical or important functions. Such agreements should include, inter alia, provisions regarding data protection, agreed service levels incident management, business continuity plans, termination rights and access and audit rights for the firm and its competent supervisory authority.

  • Guideline 4: Information security

Firms should set information security requirements in its internal policies and procedures and within the cloud outsourcing written agreement and monitor compliance with these requirements on an ongoing basis. In case of outsourcing of critical or important functions, additional requirements apply regarding information security organization, identity and access management, encryption and key management, operations and network security, application programming interfaces, business continuity and data location.

  • Guideline 5: Exit strategies

In case of outsourcing of critical or important functions, firms should develop and maintain exit strategies that ensure that the firm is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and services to its client. Exit strategies should include comprehensive and documented exit plans, the identification of alternative solutions and provisions in the written outsourcing agreements that oblige the CSP to support orderly transfer of the outsourced function from the CSP to another CSP.

  • Guideline 6: Access and audit rights

Firms should ensure that the cloud outsourcing written agreement does not limit the firm´s and competent authority´s effective exercise of the access and audit rights on the CSP (see also Guideline 3). However, the Guideline also includes provisions aimed at reducing the organizational burden on the CSP and its clients when exercising access and audit rights: firm may use e.g. third-party certifications and external or internal audit reports made available by the CSP. However, in case of outsourcing of critical or important functions, the guidelines stipulate additional requirements that must be met in order to be able to rely on third party certifications or assessments.

  • Guideline 7: Sub-outsourcing

In case of sub-outsourcing, the firm should ensure that the CSP appropriately oversees the sub-outsourcer. In addition, ESMA provides information on the provisions that should be included in the written outsourcing agreement between the firm and the CSP in the case of sub-outsourcing critical or important function. This includes the remaining accountability of the CSP, a notification requirement for the CSP in case of any intended sub-outsourcing allowing the firm sufficient time to carry out a risk assessment of the proposed sub-outsourcer, the firm´s right to object to the intended sub-outsourcing and termination rights in case of such objection.

  • Guideline 8: Written notification to competent authorities

Firms should notify in writing its competent authority in a timely manner of planned cloud outsourcing arrangement that concern critical or important functions. The notification should include, inter alia, a description of the outsourced functions, a brief summary of the reasons why the outsourced function is considered critical or important and the individual or decision-making body in the firm that approved the cloud outsourcing arrangement.

What´s next?

In a next step, the guidelines will be translated in the official EU languages and published on the ESMA´s website. The publication of the translation will trigger a two-month period during which the national competent authorities must notify ESMA whether they comply or intend to comply with the guidelines (comply or explain mechanism). For the German jurisdiction, it is to be expected that BaFin will comply with the ESMA guidelines.

Brexit update on cross-border services: MiFID II requirements vs. reverse solicitation

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

The European Securities and Markets Authority (ESMA) has recently issued a public statement to remind firms of the MiFID II requirements on the provision of investment services to retail or professional clients by third-country firms. With the end of the UK transition period on December 2020, UK firms now qualify as third-country firms under the MiFID II regime. The third country status of the UK as of 2021 was explicitly confirmed by the German regulator BaFin in a recent publication.

Pursuant to MiFID II, EU Member States may require that a third-country firm intending to provide investment services to retail or to professional clients in its territory have to establish a branch in that Member State or may conduct business requiring a license on a cross-border basis, without having a presence in Germany (so-called notification procedure/EU Passport). However, according to MiFID II, where a retail or professional client established or situated in the EU initiates at its own exclusive initiative the provision of an investment service or activity by a third-country firm, the third country firm is not subject to the MiFID II requirement to establish a branch and to obtain a license (so-called reverse solicitation).

With the end of the UK transition period on December 2020, ESMA notes that some “questionable” practices by firms around reverse solicitation have emerged. For example, ESMA states that some firms appear to be trying to circumvent MiFID II requirements by including general clauses in their Terms of Business or by using online pop-up boxes whereby clients state that any transactions are executed in the exclusive initiative of the client.

With its public statement, ESMA aims to remind firms that pursuant to MiFID II, where a third-country firm solicits (potential) clients in the EU or promotes or advertises investment services in the EU, the investment service is not provided at the initiative of the client and, therefore, MiFID II requirements apply. Every communication means used (press release, advertising on internet, brochures, phone calls etc.) should be considered to determine if the client has been subject to any solicitation, promotion or advertising in the EU on the firm´s investment service or activities. Reverse solicitation only applies if the client actually initiates the provision of an investment service or activity, it does not apply if the investment firm “disguises” its own initiative as one of the client.

However, despite this seemingly rather strict approach of ESMA, reverse solicitation is generally still applicable if a (UK) third-country firm

  • only offers services at the sole initiative of the client,
  • (only) continues an already existing client relationship or
  • continues to inform its clients about its range of products within the scope of existing business relationships (which is often agreed upon in the client´s contract).

It is argued that, for example, in the case of an existing account or deposit or an existing loan agreement that a UK third country firm continues to provide to an EU client after Brexit, no direct marketing or solicitation of the client in the EU takes place. In this case, the third country firm would not have solicited the client.

In a nutshell: What UK firms should consider

The provision of investment services in the EU is subject to license requirements and can include the requirement to establish a branch or a subsidiary in the relevant EU member state. The provision of investment services without proper authorization exposes investment firms to administrative or criminal proceedings. Where a client established in the EU initiates at its own exclusive initiative the provision of an investment service by a third-country firm, such firm is not subject to the requirement to establish a branch or to obtain a license (reverse solicitation). Generally, reverse solicitation also applies when existing client relationships are continued (which have been legitimately established), as the investment firm would not solicit a client in this case.

ESMA updated AIFMD and UCITS Q&As

Published on by Dr. Verena Ritter-Döring

On June 4, 2019 ESMA published updates questions and answers on the application of the AIFM Directive (available here) and the UCITs Directive (available here). ESMA’s intention of publishing und regularly updating the Q&A documents ensures common supervisory approaches and practices in relation to both the AIFM Directive and the UCITS Directive and their implementing measures.

The latest update refers to the depositories and the possibilities to delegate the safekeeping of assets of the funds. ESMA clarifies that supporting tasks that are linked to depositary tasks such as administrative or technical functions performed as part of the depositary tasks could be entrusted to third parties where all of the following conditions are met:

  1. the execution of the tasks does not involve any discretionary judgement or interpretation by the third party in relation to the depositary functions;
  2. the execution of the tasks does not require specific expertise in regard to the depositary function; and
  3. the tasks are standardised and pre-defined.

Where depositaries entrust tasks to third parties and give them the ability to transfer assets belonging to AIFs or UCITS without requiring the intervention of the depositary, these arrangements are subject to the delegation requirements, in Germany subject to Para. 36 KAGB.

Another question relates to the supervision of branches of depositories. The AIFM Directive, the UCITS Directive, the CRD and the MiFID II do not grant any passporting rights for depositary activities in relation to safekeeping assets for AIFs or UCITS. Branches of depositories located in the home Member State of the AIF or UCITS that is not the home Member State of the depositary’s head office may also be subject to local authorisation in order to perform depositaries activities in relation to AIFs or UCITS. In this case, the competent authority for supervising the activities in relation to AIFs or UCITS is the one located in the Member State of the depository’s branch.

The guidance provided by ESMA in the Q&A documents for AIFs and UCITS regarding the depository function do not contain any surprising elements but further strengthen the harmonized interpretation and application of the AIFM and UCITS Directives in Europe.

ESMA Supervisory briefing on the supervision of non-EU branches of EU firms providing investment services and activities

Published on by Charlotte Dreisigacker-Sartor

With Brexit coming up, many companies, especially those in the financial sector, have taken precautions and relocated their EU head offices to one of the 27 remaining EU member state to ensure that, whatever the outcome of the Brexit negotiations, they will have access to the European single market.  Offices in the UK, which will qualify as a third country after Brexit, will often be operated as branches.

On February 6, 2019, ESMA published its MIFID II Supervisory briefing on the supervision of non-EU branches of EU firms providing investment services and activities. Through its new Supervisory briefing, ESMA aims to ensure effective oversight of the non-EU branches by the competent authority of the firm´s home member state.

This article provides an overview of the measures proposed by ESMA to national regulatory authorities, divided into three areas: (i) ESMA´s supervisory expectations in relation to the authorisation of investment firms; (ii) the supervision of ongoing activities of non-EU branches by the competent authority; and (iii) ESMA´s proposed supervisory activity of the competent authority.

Supervisory expectations in relation to the authorisation of investment firms

The relocation of a company to the EU means that an authorisation covering the respective business model must be applied for in the respective EU member state. The authorisation procedure must, inter alia, include a description of the company’s organisational structure, including its non-EU branches. The competent authority should be satisfied that the use of the non-EU branch is based on objective reasons linked to the services provided in the non-EU jurisdiction and does not result in situations where such non-EU branches perform material functions or provide services back into the EU, while the office relocated to the EU is only used as a letter box entity. To this end, the competent authority should make its judgement on the substance of the business activity, the organisation, the governance and the risk management arrangements of the applicant in relation to the establishment and the use of branches in non-EU jurisdictions. Therefore, the firm´s program of operations should explain how the relocated EU head office will be able to monitor and manage any non-EU branch, clarify the role of the non-EU branch and provide detailed information, such as:

  • an overview of how the non-EU branch will contribute to the investment firm´s strategy;
  • the activities and functions that will be performed by the non-EU branch;
  • a description of how the firm will ensure that any local requirements in the non-EU jurisdiction do not interfere with the compliance by the EU firm with legal requirements applicable to it in accordance with EU law.

Supervision of ongoing activities of non-EU branches

In order to allow the competent authority to appropriately monitor firms providing investment services or activities on an ongoing basis, firms should provide the competent authority of its home member state with relevant information on any new non-EU branch that they plan to establish or on any material change in the activities of non-EU branches already established. Therefore, the competent authority should, taking into account the importance of non-EU branches for the relevant firm, request on an ad hoc or a periodic basis, information on, inter alia:

  • the number and the geographical distribution of clients served by the non-EU branches;
  • the activities and the functions provided by the non-EU branch to the EU head office.

Supervisory activity of the competent authority

The competent authority should put in place internal criteria and arrangements to supervise comprehensively and in sufficient depth the activities that branches of EU firms under their supervision perform outside of the EU. For that purpose, the competent authority should prepare plans for the supervision of non-EU branches of EU firms and identify resources dedicated to this activity. These resources should be capable of performing a critical screening of the firms under their supervision that have established non-EU branches, including, information received or requested in relation to these branches.

Upshot

As the Supervisory briefing shows, EU supervisors are urged by ESMA to ensure that companies relocating to the EU as a result of Brexit are not just used as mere letter box entities to gain access to the European single market and the actual investment services are provided via the non-EU branch. Therefore, the competent authorities should take a closer look at the firm´s non-EU branches, to ensure that the branch has the function of a branch not only on paper but also in practice. Investment firms should be prepared for this supervisory practice.