Tag: ESMA

Final ESMA Guidelines on cloud outsourcing

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

At the end of December 2020, the European Securities and Markets Authority (ESMA) published its final report on its guidelines on outsourcing to cloud service providers (CSP). The purpose of the guidelines is to help firms identify, address and monitor the risks that may arise from their cloud outsourcing arrangements. Since the main risks associated with cloud outsourcing are similar across financial sectors, ESMA has considered the European Banking Authority (EBA) Guidelines on outsourcing arrangements, which have incorporated the EBA Recommendations on outsourcing to cloud services providers and the European Insurance and Occupational Pensions Authority (EIOPA) Guidelines on outsourcing to cloud service providers. This ensures consistency between the three sets of guidelines. The ESMA Guidelines on cloud outscoring apply to MiFID II firms such as investment firms and other financial services providers indirectly but they describe the market standard and set the supervisory framework for the National Competent Authorities (NCAs) in Europe such as the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin).

For the German jurisdiction, BaFin published guidance on outsourcing to cloud providers back in 2018. Please note that the amended MaRisk include outsourcing requirements for investment firms and other financial services providers and already reflect the EBA Guidelines on outsourcing, including cloud outsourcing. For more information on the MaRisk amendment, please see our previous Blogpost.

The guidelines in more detail

The following gives a brief overview of the main content of the ESMA cloud outsourcing guidelines.

  • Guideline 1: Governance, oversight and documentation

Firms should have a defined and up-to date cloud outsourcing strategy which should include, inter alia, a clear assignment of the responsibility for the documentation, management and control of cloud outsourcing arrangements, sufficient resources to ensure compliance with all legal requirements applicable to the firm’s outsourcing arrangements, a cloud outsourcing oversight function directly accountable to the management body and responsible for managing and overseeing the risk of cloud outsourcing arrangements, a (re)assessment of whether the cloud outsourcing arrangements concern critical or important functions as well as an updated register of information on all cloud outsourcing arrangements. For the outsourcing of critical or important functions, the ESMA guidelines include a detailed list of information which should be included in the register.

  • Guideline 2: Pre-outsourcing analysis and due diligence

ESMA provides information on what is required for the pre-outsourcing analysis (e.g. an assessment if the cloud outsourcing concerns a critical or important function). In the case of outsourcing of critical or important function, firms should conduct a comprehensive risk analysis and take into account benefits and costs of the cloud outsourcing and perform an evaluation of the suitability of the CSP.

  • Guideline 3: Key contractual elements

The guidelines provide a detailed list of what a written cloud outsourcing agreement should include in case of outsourcing of critical or important functions. Such agreements should include, inter alia, provisions regarding data protection, agreed service levels incident management, business continuity plans, termination rights and access and audit rights for the firm and its competent supervisory authority.

  • Guideline 4: Information security

Firms should set information security requirements in its internal policies and procedures and within the cloud outsourcing written agreement and monitor compliance with these requirements on an ongoing basis. In case of outsourcing of critical or important functions, additional requirements apply regarding information security organization, identity and access management, encryption and key management, operations and network security, application programming interfaces, business continuity and data location.

  • Guideline 5: Exit strategies

In case of outsourcing of critical or important functions, firms should develop and maintain exit strategies that ensure that the firm is able to exit the cloud outsourcing arrangement without undue disruption to its business activities and services to its client. Exit strategies should include comprehensive and documented exit plans, the identification of alternative solutions and provisions in the written outsourcing agreements that oblige the CSP to support orderly transfer of the outsourced function from the CSP to another CSP.

  • Guideline 6: Access and audit rights

Firms should ensure that the cloud outsourcing written agreement does not limit the firm´s and competent authority´s effective exercise of the access and audit rights on the CSP (see also Guideline 3). However, the Guideline also includes provisions aimed at reducing the organizational burden on the CSP and its clients when exercising access and audit rights: firm may use e.g. third-party certifications and external or internal audit reports made available by the CSP. However, in case of outsourcing of critical or important functions, the guidelines stipulate additional requirements that must be met in order to be able to rely on third party certifications or assessments.

  • Guideline 7: Sub-outsourcing

In case of sub-outsourcing, the firm should ensure that the CSP appropriately oversees the sub-outsourcer. In addition, ESMA provides information on the provisions that should be included in the written outsourcing agreement between the firm and the CSP in the case of sub-outsourcing critical or important function. This includes the remaining accountability of the CSP, a notification requirement for the CSP in case of any intended sub-outsourcing allowing the firm sufficient time to carry out a risk assessment of the proposed sub-outsourcer, the firm´s right to object to the intended sub-outsourcing and termination rights in case of such objection.

  • Guideline 8: Written notification to competent authorities

Firms should notify in writing its competent authority in a timely manner of planned cloud outsourcing arrangement that concern critical or important functions. The notification should include, inter alia, a description of the outsourced functions, a brief summary of the reasons why the outsourced function is considered critical or important and the individual or decision-making body in the firm that approved the cloud outsourcing arrangement.

What´s next?

In a next step, the guidelines will be translated in the official EU languages and published on the ESMA´s website. The publication of the translation will trigger a two-month period during which the national competent authorities must notify ESMA whether they comply or intend to comply with the guidelines (comply or explain mechanism). For the German jurisdiction, it is to be expected that BaFin will comply with the ESMA guidelines.

ESMA updated AIFMD and UCITS Q&As

Published on by Dr. Verena Ritter-Döring

On June 4, 2019 ESMA published updates questions and answers on the application of the AIFM Directive (available here) and the UCITs Directive (available here). ESMA’s intention of publishing und regularly updating the Q&A documents ensures common supervisory approaches and practices in relation to both the AIFM Directive and the UCITS Directive and their implementing measures.

The latest update refers to the depositories and the possibilities to delegate the safekeeping of assets of the funds. ESMA clarifies that supporting tasks that are linked to depositary tasks such as administrative or technical functions performed as part of the depositary tasks could be entrusted to third parties where all of the following conditions are met:

  1. the execution of the tasks does not involve any discretionary judgement or interpretation by the third party in relation to the depositary functions;
  2. the execution of the tasks does not require specific expertise in regard to the depositary function; and
  3. the tasks are standardised and pre-defined.

Where depositaries entrust tasks to third parties and give them the ability to transfer assets belonging to AIFs or UCITS without requiring the intervention of the depositary, these arrangements are subject to the delegation requirements, in Germany subject to Para. 36 KAGB.

Another question relates to the supervision of branches of depositories. The AIFM Directive, the UCITS Directive, the CRD and the MiFID II do not grant any passporting rights for depositary activities in relation to safekeeping assets for AIFs or UCITS. Branches of depositories located in the home Member State of the AIF or UCITS that is not the home Member State of the depositary’s head office may also be subject to local authorisation in order to perform depositaries activities in relation to AIFs or UCITS. In this case, the competent authority for supervising the activities in relation to AIFs or UCITS is the one located in the Member State of the depository’s branch.

The guidance provided by ESMA in the Q&A documents for AIFs and UCITS regarding the depository function do not contain any surprising elements but further strengthen the harmonized interpretation and application of the AIFM and UCITS Directives in Europe.

Benchmarks Regulation: Updated ESMA Q&A bring more clarity about input data used for regulated-data benchmarks

Published on by Charlotte Dreisigacker-Sartor

To provide benchmarks, administrators rely on input data from contributors. If the contributors are regulated, the benchmarks created with their data qualify as regulated-data benchmarks. The updated Question and Answers (Q&A) of January 30, 2019 from the European Securities and Markets authority (ESMA) provide, inter alia, answers to three questions regarding input data used for regulated-data benchmarks which have been raised frequently in the market (Q&A available here). This blogpost will present these questions as well as ESMA´s answers. Beforehand, it gives a short overview of the Benchmarks Regulation´s regulatory background and explains what input data means.

Regulatory background of the Benchmarks Regulation

Regulation (EU) 2016/1011 concerning indices used as a reference value or as a measure of the performance of an investment fund for financial instruments and financial contracts (Benchmarks Regulation – BMR) sets out the regulatory requirements for administrators, contributors and users of an index as a reference value for a financial product with respect to both the production and use of the indices and the data transmitted in relation thereto. It is the EU’s response to the manipulation of LIBOR and EURIBOR. The BMR aims to ensure that indices produced in the EU and used as a reference value cannot be subject to such manipulation again. In previous blogposts on the BMR, we have already dealt with the requirements for contingency plans and non-significant benchmarks (ESMA publishes Final Report on Guidelines on non-significant benchmarks- Part 1 and Part 2.)

Input data

For a benchmark to be created, the administrator, i.e. the person/entity who has control over the provision of the reference value, relies on data he receives from contributors. These data used by an administrator to determine a benchmark in relation to the value of one ore more underlying asset or prices qualify as input data under the BMR.

With this in mind, what are the market-relevant questions regarding input data that are answered in the updated Q&A by ESMA? 

  • Can a benchmark qualify as a regulated-data benchmark if a third party is involved in the process of obtaining the data?

Under the rules of the BMR, a benchmark only qualifies as a regulated-data benchmark if the input data is entirely and directly submitted by contributors who are themselves regulated (e.g. trading venues). Since the input data come exclusively from entities that are themselves subject to regulation, the BMR sets fewer requirements for the provision of benchmarks from regulated data than for other benchmarks. This precludes, in principle, the involvement of any third party in the data collection process. The data should be sourced entirely and directly from regulated entities without the involvement of third parties, even if these third parties function as a pass-through and do not modify the raw data.

However, if an administrator obtains regulated data through a third party service provider (such as data vendor) and has in place arrangements with such service provider that meet the outsourcing requirements of the BMR, the administrator´s benchmark still qualifies as regulated-data benchmark. The third party being subject to the BMR´s outsourcing requirements ensures a quality of the input data contributed by this third party comparable to the quality of the input data contributed by a regulated entity.

  • Can NAV of investment funds qualify as benchmark?

The net asset value (NAV) of an investment fund is its value per share or unit on a given date or a given time. It is calculated by subtracting the fund´s liabilities from its assets, the result of which is divided by the number of units to arrive at the per share value. It is most widely used determinant of the fund´s market value and very often it is published on any trading day.

But, according to the BMR stipulations, the NAVs of investment funds are data that, if used solely or in conjunction with regulated data as a basis to calculate a benchmark, qualify the resulting benchmark as a regulated-data benchmark. The BMR therefore treats NAVs as a form of input data that is regulated and, consequently, should not be qualified as indices.

  • Can the methodology of a benchmark include factors that are not input data?

The methodology of a benchmark can include factors that are not input data. These factors should not measure the underlying market or economic reality that the benchmark intends to measure, but should instead be elements that improve the reliability and representativeness of the benchmark. This should be, according to ESMA, considered as the essential distinction between the factors embedded in the methodology and input data.

For instance, the methodology of an equity benchmark may include, together with the values of the underlying shares, a number of other elements, such as the free-float quotas, dividends, volatility of the underlying shares etc. These factors are included in the methodology to adjust the formula in order to get a more precise quantification of the equity market that the benchmark intends to measure, but they do net represent the price of the shares part of the equity benchmark.

Upshot

The updated ESMA Q&A provide more clarity for market participants on the understanding of input data and its use for regulated-data benchmarks. ESMA´s input will facilitate dealing with the regulatory requirements of the BMR, at least with regard to input data.

ESMA Supervisory briefing on the supervision of non-EU branches of EU firms providing investment services and activities

Published on by Charlotte Dreisigacker-Sartor

With Brexit coming up, many companies, especially those in the financial sector, have taken precautions and relocated their EU head offices to one of the 27 remaining EU member state to ensure that, whatever the outcome of the Brexit negotiations, they will have access to the European single market.  Offices in the UK, which will qualify as a third country after Brexit, will often be operated as branches.

On February 6, 2019, ESMA published its MIFID II Supervisory briefing on the supervision of non-EU branches of EU firms providing investment services and activities. Through its new Supervisory briefing, ESMA aims to ensure effective oversight of the non-EU branches by the competent authority of the firm´s home member state.

This article provides an overview of the measures proposed by ESMA to national regulatory authorities, divided into three areas: (i) ESMA´s supervisory expectations in relation to the authorisation of investment firms; (ii) the supervision of ongoing activities of non-EU branches by the competent authority; and (iii) ESMA´s proposed supervisory activity of the competent authority.

Supervisory expectations in relation to the authorisation of investment firms

The relocation of a company to the EU means that an authorisation covering the respective business model must be applied for in the respective EU member state. The authorisation procedure must, inter alia, include a description of the company’s organisational structure, including its non-EU branches. The competent authority should be satisfied that the use of the non-EU branch is based on objective reasons linked to the services provided in the non-EU jurisdiction and does not result in situations where such non-EU branches perform material functions or provide services back into the EU, while the office relocated to the EU is only used as a letter box entity. To this end, the competent authority should make its judgement on the substance of the business activity, the organisation, the governance and the risk management arrangements of the applicant in relation to the establishment and the use of branches in non-EU jurisdictions. Therefore, the firm´s program of operations should explain how the relocated EU head office will be able to monitor and manage any non-EU branch, clarify the role of the non-EU branch and provide detailed information, such as:

  • an overview of how the non-EU branch will contribute to the investment firm´s strategy;
  • the activities and functions that will be performed by the non-EU branch;
  • a description of how the firm will ensure that any local requirements in the non-EU jurisdiction do not interfere with the compliance by the EU firm with legal requirements applicable to it in accordance with EU law.

Supervision of ongoing activities of non-EU branches

In order to allow the competent authority to appropriately monitor firms providing investment services or activities on an ongoing basis, firms should provide the competent authority of its home member state with relevant information on any new non-EU branch that they plan to establish or on any material change in the activities of non-EU branches already established. Therefore, the competent authority should, taking into account the importance of non-EU branches for the relevant firm, request on an ad hoc or a periodic basis, information on, inter alia:

  • the number and the geographical distribution of clients served by the non-EU branches;
  • the activities and the functions provided by the non-EU branch to the EU head office.

Supervisory activity of the competent authority

The competent authority should put in place internal criteria and arrangements to supervise comprehensively and in sufficient depth the activities that branches of EU firms under their supervision perform outside of the EU. For that purpose, the competent authority should prepare plans for the supervision of non-EU branches of EU firms and identify resources dedicated to this activity. These resources should be capable of performing a critical screening of the firms under their supervision that have established non-EU branches, including, information received or requested in relation to these branches.

Upshot

As the Supervisory briefing shows, EU supervisors are urged by ESMA to ensure that companies relocating to the EU as a result of Brexit are not just used as mere letter box entities to gain access to the European single market and the actual investment services are provided via the non-EU branch. Therefore, the competent authorities should take a closer look at the firm´s non-EU branches, to ensure that the branch has the function of a branch not only on paper but also in practice. Investment firms should be prepared for this supervisory practice.

ESMA publishes Final Report on Guidelines on non-significant benchmarks – Part 2

Published on by Dr. Verena Ritter-Döring and Charlotte Dreisigacker-Sartor

On December 20, 2018 ESMA published its Final Report on the Guidelines on non-significant benchmarks. These represent ESMA´s administrative practice and fill the broad regulations of the Benchmark Regulation (BMR) with more details, which makes their implementation considerably easier for the obligated parties. The guidelines have no direct effect in the EU member states but are generally to be adopted one-by-one by the national supervisory authorities, so that they will be applied as the administrative practice of the respective national authority.

In Part 1 we looked at the definition of a non-significant benchmark (NSB) and the Guidelines on the oversight function and on input data. Part 2 will highlight the new requirements on the transparency of methodology and governance set out in the Guidelines.

Guidelines on transparency of methodology (Article 13 BMR)

Article 13 BMR states transparency requirements regarding the development, use and management of the benchmark by the administrator. To this end, Article 13 sets out standards with regard to the methodology for determining the benchmark. The Guidelines contain three sections: (i) on the key elements of the methodology; (ii) the elements of the internal review of the methodology; and (iii) on the information to be provided in case of a proposed material change to an administrator´s methodology.

The key elements of the methodology used to determine the benchmark should include, inter alia, a definition and description of the NSB and the market it is intended to measure, the types of input data used to determine the NSB, minimum requirements of the quality of the input data, the compositions of any panel of contributors and the criteria to determine eligibility for panel membership.

The information to be provided by an administrator of a NSB in compliance with the requirements regarding the internal review of the methodology should include at least a description of the policies and procedures relating to the internal review and approval of the methodology. In case of material changes of the methodology the information to be provided by an administrator should include at least the disclosure of the key elements of the methodology that would, in its view, be affected by the proposed material change.

Guidelines on governance and control requirements for supervised contributors (Article 16 BMR)

Article 16 BMR provides requirements for the governance and control of a supervised contributor. To this end, Article 16 sets out specific but broad requirements for the management of a contributor’s company and its systems, which serve to preserve the integrity and reliability of its input data. In addition, the Guidelines set out, inter alia, provisions on the control framework, control of submitters, the management of conflicts of interest and record-keeping requirements. All these elements are mentioned in Art. 16 BMR to ensure proper governance and control by the contributor but outlined in more detail in the Guidelines.

According to the Guidelines, the contributor´s control framework for example should include at least an effective oversight mechanism for overseeing the process for contributing input data, a policy on whistle-blowing and a procedure for detecting breaches of BMR. The measures for the management of conflicts of interest should include, inter alia, a register of material conflicts of interests. Additionally, the records to be kept with regard to the provision of input data should include, e.g., the names of the submitters.

Applicability of the Guidelines

As already mentioned in Part 1, NSB have less impact on markets than critical or significant benchmarks. Therefore, the BMR provides options for administrators of non-significant benchmarks not to apply some BMR provisions (Article 4 to 7, 11 and 13 to 15 BMR). However, an incentive to apply the provisions nonetheless may exist, for instance, the administrator does not have to maintain different internal structures and processes for its benchmarks if he administers mainly significant benchmarks.

Since some of the Guidelines concern regulations whose applicability the administrator can exclude, the Guidelines do not apply if the administrator has decided in a permissible manner not to apply the corresponding regulations. However, if the Guidelines concern regulations from which the administrator may not deviate or if he has decided not to make use of the simplifications, the Guidelines shall apply.

Who is Who? European Supervisory Authorities – How they Cooperate and Interact

Published on by Dr. Verena Ritter-Döring

If you are looking for guidance from national and European supervisory authorities, it is not easy to see at first glance how they work together and whose guidance is most relevant. We want to shed some light on the ‘Who is Who?’ of German and European regulators.

Financial market supervision in Germany

The first go-to regulator in Germany is the Federal Financial Supervisory Authority (BaFin), which is entrusted with the tasks of banking, insurance and securities supervision and acts as a universal financial supervisory authority. BaFin is also responsible for ensuring that financial services, banking and insurance transactions are not conducted without a license and can also sanction any violations against the regulatory regime – and does so regularly. One of the newest additions to the list of tasks of BaFin is supervising compliance with consumer protection rules within the financial market. This primarily concerns cases in which regulated institutions violate regulatory provisions that protect consumers. If these infringements go beyond individual cases, they are pursued in the public interest by BaFin. BaFin, together with criminal enforcement authorities, is also responsible for pursuing money laundering and terrorist financing and supervising compliance with AML requirements. BaFin’s banking and insurance supervisory office is based in Bonn, the office responsible for securities supervision, asset management and bank resolution is based in Frankfurt am Main.

In Germany, the task of banking supervision is shared by BaFin and the German Central Bank (Deutsche Bundesbank). BaFin and Deutsche Bundesbank, e.g., oversee whether the banks have sufficient financial resources and whether business operations are properly organised. BaFin and Bundesbank receive the necessary information from the banks themselves or obtain it through on-site audits. The Bundesbank is responsible for the majority of operational banking supervision, namely the reporting and evaluation of audit reports submitted by the institutions and the performance of special audits. Guidelines for ongoing supervision and interpretation of legal requirements are mainly issued by BaFin.

The supervision of insurance policies by BaFin is intended to ensure that the insurance companies are capable of providing the benefits to which they are obliged. To this end, BaFin checks, for e.g., whether the insurance companies have sufficient financial resources and assess risks correctly.

BaFin’s supervision of securities serves the purpose of ensuring the availability of sufficient information and transparency for all market participants by monitoring the proper publication of relevant information. BaFin also monitors insider trading and price manipulation.

European financial market supervisory regime

BaFin and Deutsche Bundesbank are not the only regulators you have to keep up with when you are a regulated institution. At the European level, the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) have their say and the European Central Bank (ECB) is also responsible for financial market supervision within the Eurozone.

The Single Supervisory Mechanism (SSM) has entrusted the ECB with the direct supervision of significant financial institutions in the Eurozone. These are about 120 banks and banking groups. To fall within the ECB’s responsibility, a bank must either have a balance sheet total of more than €30 billion or more than 20% of its home country’s GDP. If these thresholds are not met, the ECB monitors the 3 largest banks in each of the countries participating in the SSM (which are 19 countries in the Eurozone). All other banks will continue to be supervised by the national supervisory authorities.

If the ECB is in charge, the ECB cooperates with the national supervisory authorities of the banks’ home countries. Joint Supervisory Teams (JSTs) are set up by the ECB for coordination. These are composed of staff from the ECB and the national supervisory authorities. In Germany JSTs consist of members of the ECB, BaFin and Deutsche Bundesbank. A consistent supervisory practice can be established through the JSTs, taking into account national standards and a uniform standard within the Eurozone.

In contrast to the day-to-day supervision of the national regulators and the ECB, the European supervisory authorities EBA, ESMA and EIOPA (together ESAs) generally do not act directly vis-à-vis individual financial institutions, but ensure uniform standards within the EU. They also monitor the application of EU law by national supervisory authorities and the market. For this purpose, they use convergence instruments such as guidelines and Q&As (Questions and Answers), which aim at a consistent application of EU law by the national supervisory authorities. In practice, however, European directives are not always implemented equally in each Member State since the directives also leave a scope of interpretation for the national legislator on certain aspects of regulatory law.

The guidelines issued by EBA, ESMA and EIOPA are binding for the national regulators in Europe. They are not directly binding for the institutions but become directly binding when adopted by the national regulators. BaFin publishes on its homepage whenever it adopts guidelines, and also when guidelines are specifically not integrated within the German administrative practice. The advantage of the ESA’s approach of having a single rulebook and consistent rules throughout the EU for the market is that the provision of cross-border services becomes easier if just one set of rules apply.

EBA, ESMA and EIOPA are also actively involved in the European legislative process by supporting the European Commission in drafting legislative proposals based on their knowledge of the European financial market and its supervisory mechanisms.

Although the ESAs do not act directly vis-à-vis the majority of the regulated institutions, it is worth monitoring their publications to get an early grip on regulatory developments. The European administrative practice is essentially formed through the ESAs. It is also worth noting that the ESAs usually publish drafts of their envisaged guidelines for consultation purposes. For lobbying purposes it is essential to participate in such consultations.