An FCA report evaluates the chequered implementation of technology change and identifies risks and best practices to help firms better navigate this change.

By Andrew C. Moyle, Alain Traill, and Jagveen S. Tyndall

Of the nearly 1,000 “material incidents” reported to the UK’s Financial Conduct Authority (FCA) in 2019, 17% were caused by change-related activity. It was against this backdrop that, on 5 February 2021, the FCA set out the findings of its review entitled Implementing Technology Change regarding the execution of technology change within the financial services sector (the Report). While the Report focuses on the UK, its findings apply equally to financial services organisations implementing technology change across all geographies.

The final guidelines create new obligations for insurers that will impact cloud outsourcing arrangements.

By Fiona M. Maclean, Andrew C. Moyle, and Victoria Sander

On 6 February 2020, the European Insurance and Occupational Pensions Authority (EIOPA) published its final guidelines on outsourcing to cloud service providers (CSPs) (the Guidelines). The Guidelines have been finalised following public consultation on the draft guidelines launched on 1 July 2019, and closely follow the European Banking Authority’s (EBA’s) final guidelines on outsourcing arrangements, published early last year (the EBA Guidelines). (See What EBA’s Outsourcing Guidelines Mean for Financial Institutions.)

As the agency pursues and prevents offerings of tokens it deems unregistered securities, further issues emerge.

By John J. Sikora Jr., Stephen P. Wink, Douglas K. Yatter, Cameron R. Kates, Shaun Musuka, and Deric Behar

The recent wave of US Securities and Exchange Commission (SEC) enforcement actions relating to initial coin offerings (ICOs) continues with two orders and a judicial complaint issued against digital asset firms for conducting unregistered securities offerings. The actions against Block.one, Nebulous, and Telegram are each notable for the facts and circumstances under which they were issued, but also as counterpoints to each other and previous ICO-related enforcement actions. This blog post offers a brief synopsis of these actions and discusses their impact on the evolving regulatory and enforcement landscape.

Insights from Latham’s flagship event: Managing the risk and promise of digitisation in financial services.

By Fiona Maclean, Stuart Davis, and Alistair Wye

In a bid to keep pace with rapid advances in cloud adoption across financial services, regulators have published a raft of new guidance in the past year. Most recently, the European Insurance and Occupational Pensions Authority launched guidelines for insurers and reinsurers on outsourcing to cloud providers in July 2019, while the European Banking Authority (EBA) published updated guidance on outsourcing that came into effect on 30 September 2019, covering both cloud and other outsourcings.

We discussed some of the challenges facing financial institutions in the evolving area of cloud compliance at our recent event entitled Balancing the Scales: Managing the Risk and Promise of Digitisation in Financial Services. One key issue highlighted in the discussion is that the new EBA guidelines do not contain an overarching split between cloud and non-cloud arrangements, and there are no general exclusions or exceptions for new entrants or FinTech providers. Entities subject to the EBA guidelines will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition.

The FSB is reviewing cloud provider concentration risk in the latest example of regulator concern over reliance on leading cloud providers by financial services institutions.

By Alan W. Avery, Nicola Higgs, and Fiona Maclean

The Financial Stability Board (FSB), an international body of G-20 central banks and supervisors, continues to scrutinize the use of cloud services by financial services institutions. The FSB previously noted its concerns about the concentration risk of cloud services in the financial markets in a report of February this year. In that report, the FSB encouraged regulators worldwide to review their national regulatory frameworks to ensure appropriate oversight of cloud providers.

US lawmakers urge FSOC to designate cloud-based storage systems used by major banks as systemically important financial market utilities.

By Alan W. Avery, Victoria McGrath, and Pia Naib

In an August 22, 2019, letter addressed to Treasury Secretary Steven Mnuchin, in his capacity as chair of the Financial Stability Oversight Council (FSOC), Congresswoman Katie Porter and Congresswoman Nydia Velazquez urged Secretary Mnuchin to designate the three leading cloud-based storage systems used by major banks — Amazon Web Services, Microsoft Azure, and Google Cloud — as systemically important financial market utilities (SIFMUs). This designation would subject such cloud-based storage systems to supervision and regulation by the Board of Governors of the Federal Reserve System (Federal Reserve). Citing Title VIII of the Dodd-Frank Act, which was enacted to promote stability in the financial system, the Congresswomen highlighted the dependence on cloud services by banks and financial institutions for their data needs and the subsequent risks such services pose to the safety and stability of the financial system.

The guidelines create new obligations for financial, payment, and electronic money institutions that will impact cloud outsourcing and deployment of FinTech.

By Fiona M. Maclean and Laura Holden

On 25 February 2019, the European Banking Authority (EBA) published a final report on its draft guidelines on outsourcing arrangements (Guidelines). The report followed the EBA’s publication of draft guidelines in June 2018 (Draft Guidelines) and the ensuing public consultation in September 2018 (Public Consultation).

The Guidelines replace the 2006 Committee of European Banking Supervisors (CEBS) Guidelines on Outsourcing (CEBS Guidelines) and replace and incorporate the EBA’s final recommendations on outsourcing to cloud service providers (Cloud Recommendations). Financial institutions will now only need to consult one set of guidelines for cloud and non-cloud outsourcing.