Bank of England sets out supervisory expectations for FMIs in relation to material outsourcing to the public cloud

The Bank of England has published three 'Dear CEO' letters (dated 17 September 2021) setting out its supervisory expectations in relation to material outsourcing to the public cloud.

The letters have been sent to central counterparties (CCPs), recognised payment system operators and specified service providers (RPSOs and SSPs), and central securities depositories (CSDs).

The BoE is concerned about the increasing risk to financial stability of increasing reliance on third parties, in particular through outsourcing arrangements, by CCPs, RPSOs, SSPs and CSDs (collectively financial market infrastructures (FMIs)).

The letters state that:

• FMIs must have regard to existing regulatory requirements relating to outsourcing. FMIs should also have due regard to the BoE's policy on operational resilience and consider any relevant international standards.
  
  
• FMIs should notify the BoE before entering into, or significantly changing, any material outsourcing, or sub-outsourcing arrangements, including arrangements with CSPs and, if so, discuss the information that the Bank of England will require to provide its approval in each case.
  
  
• FMIs must notify the BoE, and seek the BoE's non-objection, of any substantive changes that could affect the compliance with the conditions for authorisation.
  
  
• RPSOs and SSPs must notify the BoE, and seek the BoE's non-objection, when there could be a material change in their risk profile and that of the payments eco-system as a result of participants considering outsourcing their connectivity gateway or security solutions that are used to access their services to the public cloud.

The BoE intends to consult on its proposed expectations and policies for FMIs on outsourcing in due course, with specific reference to the use of cloud.

The letter to CCPs is available here.

The letter to RPSOs and SSPs is available here.

The letter to CSDs is available here.