EU Firms Seek Clarity on Tech Requirements for Incoming Cloud Guidelines

As Europe prepares for a new batch of outsourcing rules, some firms are looking for answers on how to test exit strategies and mitigate concentration risk.

Ahead of the European Securities and Markets Authority’s (Esma’s) upcoming rules on cloud outsourcing, questions surrounding two issues—testing exit strategies and managing concentration risk—are stifling firms’ preparations. While Esma is set to publish its final guidelines on cloud usage early next year, some industry firms are urging the EU regulator to provide further clarification on how to comply with the rules and prepare their tech stacks.

In responses to the Esma consultation, seen by WatersTechnology but yet to be published, several industry firms have highlighted key operational concerns. In one submission, a European market structure firm writes that cloud exit strategies could amount to significant technical spending that requires extensive code rewrites and retesting of operations moved to the cloud.

The response adds that testing exit strategies in some cases may not even be possible due to the efforts required to migrate data and applications from one location to another—for instance, from a cloud service provider (CSP) to on-premise or to another CSP.

“It’s not simply a copy and paste exercise,” says a senior executive for regulatory policy at an investment bank, echoing the market structure firm’s concern regarding exit strategies. “It depends on the type of cloud service we’re using, and it can be much more [work], especially, when we’re not just talking about data storage, but co-innovation, [co-development] or microservices like API-as-a-service.”

The Esma consultation outlines that firms “should develop and implement exit plans that are comprehensive, documented, and sufficiently tested.” According to the draft, regulated institutions could be expected to develop transition plans that include “trigger events” that would activate an exit strategy and test them using a risk-based approach.

In a second response to the consultation paper, another market structure firm calls for clearer guidelines on what the testing requirements entail. In its submission, it writes that rather than physically testing systems, a firm’s exit plan can be tested by reviewing documentation on areas such as co-dependencies, alternative service providers, the CSP’s contractual obligations to support the strategy, and the firm’s resources for executing it.

When it comes to cloud setups, there is no one-size-fits-all. Each firm manages its data differently. The same applies to testing cloud arrangements, says Douglas Wilbert, managing director of risk and compliance at Protiviti.

“The concept of an exit strategy and testing is something that is on the organization and how they set up their cloud strategy,” he says. “And if they cannot test an exit strategy [when there is] a failure, they are probably going to be in trouble.”

Testing cloud arrangements will not only involve the firm’s CSPs and on-premise locations, but their third-party solutions that operate on the cloud. Therefore, financial firms need to review their vendor’s cloud concentration and how that impacts their operational resiliency.

“The testing is not just, ‘Who are my service providers, and did they fail?’ It might also be, ‘Who is my critical third-party vendor and what if their CSP fails?’” Wilbert says.

The Esma consultation on cloud outsourcing is one of several regulatory guidelines being published or proposed. On September 24, 2020, the European Commission released its guidelines on digital operational resilience for the EU financial services sector (DORA) and is awaiting feedback on whether to amend the rules.

The European Banking Authority’s revised guidelines on outsourcing were published in 2019 and the UK regulators have also released a series of consultation papers at the end of 2019 on operational resiliency and third-party risk management. In all of the responses to the Esma guidelines that were seen by WatersTechnology, firms have sought further harmonization of global outsourcing and third-party rules.

Tackling Concentration Risk

In financial services, there are two types of concentration risk: the firm’s individual concentration risk and sectoral concentration risk. In the first response to the Esma guidelines, the market structure firm outlines that the latter risk should be primarily countered by the regulator, rather than individual firms, as firms do not have the oversight or the authority to influence their competitors on what CSP they should use.

“The other thing is that, in order to identify where there is concentration risk, a lot of the underlying data that will be required is simply not available to us. So it’s not just that a financial institution is not able to tell another institution what to do or not to do, it’s that we simply wouldn’t even know which CSP is contracting with which of our competitors,” the senior bank executive says.

Similarly, in feedback submitted by the World Federation of Exchanges, the global trade association for exchanges and clearing houses, the group said, “It is not clear how in practical terms such a firm/group could ascertain how many of its peers are also using the same CSP,” and, “CSPs are typically restricted by contract from the disclosure of other firms’ use of the services.”

In terms of the role of regulators, there have been some steps to establish a direct oversight framework for critical ICT third-party service providers with regulations like DORA. This could mean critical third parties, including CSPs, will be directly subject to audits from supervisory authorities, says the bank executive, which could be useful in managing industry concentration, so long as it avoids doubling up on work.

“This might help under the condition that financial institutions are able to rely on those direct supervisory results or actions, and not making this [an] additional [round of] testing or auditing,” says the executive.

To avoid individual concentration risk on one CSP, some regulators have endorsed the adoption of hybrid or multi-cloud strategies. The counter to this view is that one of the drivers for firms to move to the cloud is to simplify their technology stack and offload complex legacy systems; if they are mandated to use multiple providers—such as Amazon Web Services, Microsoft Azure, Google Cloud, and IBM Cloud—this could offset the original objective.

“It would increase the number of vendors you have, and it would increase the complexity of your contractual framework, and landscape. So, it would potentially not achieve the overarching goal, and I think this approach neglects—to a certain extent—the fact that we are already used to dealing with concentration risk and already have risk management practices in place,” the bank executive says.

In the event that concentration risk is identified, it is still unclear from the Esma consultation paper how this would be dealt with. For instance, could a company be prohibited from outsourcing its services, or could it be a matter of “first come, first served” when using a CSP, causing an outcome that could contradict competition laws? Wilbert says managing concentration risk will be based on the services the firm provides. In other words, regulators would clamp down on cloud concentration risks associated with systemically important functions rather than on less critical operations.

“If bank A can no longer trade equities, everybody will go to bank B, C, or D. But what happens if two large custodians fail? That might be 50% of market clearing, and it can take months, maybe even a year, to move custodians. So that industry is much more systemic to the financial sector,” Wilbert says.
