The final guidelines create new obligations for insurers that will impact cloud outsourcing arrangements.
By Fiona M. Maclean, Andrew C. Moyle, and Victoria Sander
On 6 February 2020, the European Insurance and Occupational Pensions Authority (EIOPA) published its final guidelines on outsourcing to cloud service providers (CSPs) (the Guidelines). The Guidelines have been finalised following public consultation on the draft guidelines launched on 1 July 2019, and closely follow the European Banking Authority’s (EBA’s) final guidelines on outsourcing arrangements, published early last year (the EBA Guidelines). (See What EBA’s Outsourcing Guidelines Mean for Financial Institutions.)
The Financial Stability Board (FSB), an international body of G-20 central banks and supervisors, continues to scrutinize the use of cloud services by financial services institutions. The FSB previously noted its concerns about the concentration risk of cloud services in the financial markets in a 
In an August 22, 2019, letter addressed to Treasury Secretary Steven Mnuchin, in his capacity as chair of the Financial Stability Oversight Council (FSOC), Congresswoman Katie Porter and Congresswoman Nydia Velazquez urged Secretary Mnuchin to designate the three leading cloud-based storage systems used by major banks — Amazon Web Services, Microsoft Azure, and Google Cloud — as systemically important financial market utilities (SIFMUs). This designation would subject such cloud-based storage systems to supervision and regulation by the Board of Governors of the Federal Reserve System (Federal Reserve). Citing Title VIII of the Dodd-Frank Act, which was enacted to promote stability in the financial system, the Congresswomen highlighted the dependence on cloud services by banks and financial institutions for their data needs and the subsequent risks such services pose to the safety and stability of the financial system.