On 27 March 2019, the European Insurance and Occupational Pensions Authority (EIOPA) published a report that looks at outsourcing to the cloud by (re)insurers.
The report was issued in response to the European Commission’s request (through its FinTech Action Plan published on 3 March 2018) that the European Supervisory Authorities – EIOPA, the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) – explore the need for guidelines on outsourcing by regulated entities to cloud service providers. As adoption of cloud computing in the financial sector increases, the Commission is concerned about uncertainty over how supervisory authorities interpret it within the scope of existing outsourcing requirements.
While all three of the European Supervisory Authorities launched initiatives to answer the Commission, the EBA led the charge. It issued detailed Recommendations on outsourcing to cloud service providers (EBA Recommendations) that have applied to credit institutions and investment firms since 1 July 2018. The EIOPA report announces EIOPA’s intention to publish guidelines on cloud for the (re)insurance sector in the course of 2019. The report notes that ESMA is currently considering whether to issue any guidelines, although ESMA’s 2018 Annual Report and 2019 Work Programme summarises the work that it has already done as part of its supervisory project on cloud computing.
In addition to outlining EIOPA’s plans to provide guidance for (re)insurers that outsource to cloud service providers, the EIOPA report provides an overview of cloud computing and market practices in the EU, drawing on feedback from National Supervisory Authorities (NSAs).
Amongst the key takeaways outlined in the EIOPA report are that:
- cloud services are not yet extensively used by (re)insurance undertakings in the EU, but that the level of use by (re)insurance companies differs between EU jurisdictions and the cloud services used are aligned to those used by the banking sector
- cloud computing is used mainly by newcomers, by a niche of the market and by larger undertakings mainly for non-critical functions, but many large European (re)insurers are expanding their use of cloud as part of their wider digital transformation strategies
- the impact of cloud computing on the (re)insurance market is assessed differently among jurisdictions, due to its complexity and level of technicality.
Cloud computing regulation
Under both banking and (re)insurance regulation, an outsourcing to a cloud service provider is covered by the same provisions that would apply to any other outsourcing for regulatory purposes.
For (re)insurers in the EU, this means compliance with the measures on outsourcing within the Solvency II framework. However, the report notes that the current level of national guidance on cloud outsourcing for the (re)insurance sector is not standardised across EU countries and is not being applied consistently.
For example, while certain regulators have already issued or are planning to issue national guidance on cloud outsourcing (e.g. the UK, France, Germany and Poland), other regulators rely on broader national standards to support the management of specific critical areas of cloud outsourcing (e.g. in Spain, Italy and the Netherlands) and others have no specific plans (e.g. Portugal and Ireland). The report also notes that NSAs take different views as to whether cloud computing is always outsourcing, and some NSAs have adopted a specific definition for cloud computing.
Despite this divergence, the EIOPA report finds that “most NSAs (banking and (re)insurance supervisors at the same time) declare that they are considering the EBA Recommendations as a reference for the management of cloud outsourcing”.
In determining whether separate guidance was needed for the (re)insurance sector, EIOPA carried out a gap analysis between the existing Solvency II regulations and the EBA Recommendations, and its findings are set out in the EIOPA report. EIOPA has concluded that:
- the current Solvency II recommendations are sound to discipline outsourcing to cloud service providers and already cover most of the contents of the EBA Recommendations, which just appear to be more specific about certain areas
- despite this, EIOPA should issue guidance on cloud outsourcing in order to provide legal transparency to regulated undertakings and service providers in the market and “to avoid potential regulatory arbitrage”. This guidance will be aligned with the EBA Recommendations and, where applicable, the EBA’s new Guidelines on outsourcing arrangements (as these incorporate and will repeal the EBA Recommendations when the Guidelines come into effect on 30 September 2019).
EIOPA believes that, due to the rapidly-developing nature of cloud computing, cloud outsourcing regulation should not attempt to regulate all (re)insurance-related aspects, but should instead be principles-based. This suggests that EIOPA’s guidance will not be as prescriptive as aspects of the EBA Recommendations and Guidelines, but it will be interesting to see:
- if EIOPA adopts a similar approach to the monitoring of such outsourcings, e.g. the requirement to keep a register of cloud outsourcings containing prescribed minimum information, and to make this available to regulators
- if EIOPA deems all cloud services to be ‘an outsourcing’ and subject to its guidance. The report suggests this might be the case, with the executive summary containing statements such as “the purchase of cloud computing services falls within the broader scope of outsourcing” and “as to applicable regulation, cloud computing is considered as an outsourcing”. Concerns about this approach were raised in feedback to the EBA’s consultation on its draft Guidelines (which now incorporate the EBA Recommendations), in response to which the EBA highlighted that its Guidelines do not say that all cloud services are also outsourcing arrangements.
EIOPA’s current plan is to draft its own guidelines on cloud outsourcing during the first half of 2019, with those being issued for consultation and finalised by the end of 2019.
There will also be a public roundtable on the use of cloud computing by (re)insurance undertakings, where representatives from the (re)insurance industry, cloud service providers and the supervisory community can discuss their views on cloud outsourcing in a Solvency II and post-EBA Recommendations environment.
EIOPA, the EBA and ESMA have also agreed to start a joint market monitoring activity in the second half of 2019. This is aimed at developing policy views on how cloud outsourcing in the finance sector should be treated in the future. The group will consider the increasing use of cloud technology, and the potential for large cloud service providers to be a single point of failure.