International law firm Pinsent Masons has seen a number of its recommendations enacted following its response to EIOPA’s consultation on cloud guidance, making it easier for insurers to comply with their regulatory requirements.
The guidance, which is set to place strict regulatory demands on insurers in respect of both the contents of their contracts with cloud providers and their governance of those contracts, has been under review since June 2019, with the final guidelines now being issued.
In its response to the consultation, the firm raised a number of concerns about both the wording of and rationale for some areas of EIOPA’s draft guidance. Those concerns addressed fundamental matters such as the scope of the guidance and potentially confusing concepts and terminology. They also focused on the requirements around the content of insurers’ cloud contracts, their exit planning, the extent of information that insurers would have to document about their contractual requirements, and the location of data in the cloud.
Pinsent Masons’ recommendations have led to the re-drafting of certain definitions, the removal of unclear language and greater clarity and alignment with the European Banking Authority (EBA).
Some of the changes included the removal of references to ‘material outsourcing’ to describe the concept of a ‘critical or important operational function’. EIOPA also agreed to drop plans that require insurers to assume that their purchase of goods or services from, or entry into arrangements with, cloud providers constitutes an outsourcing arrangement that is subject to its guidance in cases where the matter is unclear. It also deleted wording around having ‘directly measurable’ service levels specified in contracts after the firm said it was unclear how insurers could comply with that obligation.
Commenting on the guidelines, head of Fintech propositions at Pinsent Masons, Luke Scanlon said: “When regulators bring out guidance and impose rules which vary slightly from other requirements for regulated entities, this can lead to unintended consequences and cost for financial institutions. Ultimately, this cost is borne by the customer and therefore it is positive to see that EIOPA has taken the views of the sector into account and made some adjustments to its final guidance.
“In our response to the consultation we put forward the views of our clients impacted by this guidance to ensure that the final guidelines are fit for purpose. This is particularly important following recent data from the Bank of England which shows that insurers are falling behind with regards to the adoption of cloud based technology in comparison to banks. We hope that these changes will now facilitate far greater adoption across the sector.”
All new cloud outsourcing arrangements entered into or amended on or after 1 January 2021 will be subject to the guidelines, while insurers will have until the end of 2022 to bring cloud outsourcing contracts entered into prior to that date into line with the new requirements.