Over the last few years, there's been a whirlwind of new legislation, guidance and updates to guidance released at national and European level in relation to outsourcing in the financial services sector and the application of the outsourcing rules to cloud outsourcing. To the uninitiated it can appear daunting!

Here's a quick summary of the key resources, how they fit together and their application to firms regulated by the FCA and dual-regulated firms (regulated by the FCA and the PRA).

General outsourcing guidelines and rules

CEBS Guidelines

The CEBS Guidelines 2006 (published by the European Banking Authority's (the "EBA") predecessor) set out 12 guidelines for authorised firms outsourcing.
It applies to credit institutions (e.g. deposit taking businesses like banks).
They were drafted in a way to be consistent with the relevant outsourcing rules in MiFID (2004/39/EC) (implemented in the UK via the SYSC 8 chapter of the FCA Handbook ("SYSC 8 Rules").
Since its publication the regulatory landscape has shifted: MiFID has been replaced with the MiFID II Directive (2014/65/EU) and the Delegated Regulation (EU) 2017/565 supplementing the MiFID II Directive (the "MiFID II Delegated Regulation") has been introduced which is directly applicable to common platform firms and contains requirements on outsourcing. In addition, the SYSC 8 Rules have been amended so x`that most of the rules apply as guidance (see paragraph below, "SYSC 8 Rules" for more information) and the EBA is discussing replacing the CEBS Guidelines – as mentioned in the June 2018 EBA Consultation Paper: EBA Draft Guidelines on Outsourcing arrangements.

EBA Draft Guidelines on Outsourcing arrangements (the "Draft Guidelines")

It sets out recommendations for credit institutions, MiFID investment firms subject to CRD, payment institutions and electronic money institutions.
It is relevant to firms outsourcing (whether or not the outsource is material).
The final version will apply from 30 June 2019 (indicative date) and takes account of relevant European legislation, including the MiFID II Directive and the Delegated Regulation.
For more detailed information on the Draft Guidelines see our article at: https://www.twobirds.com/en/news/articles/2018/global/eba-consults-on-guidelines-on-outsourcing.

SYSC 8 Rules

This was one of the key resources for lawyers looking at outsourcing in the FS sector. It set out rules for common platform firms undertaking material outsourcings and best practice guidance for common platform firms or non-common platform firms undertaking non material outsourcings.
Following the implementation of the MiFID II Directive:
- most SYSC 8 Rules apply as guidance to authorised firms (whether or not they are common platform firms). See further SYSC 1, Annex 1, Table A for a summary of what SYSC 8 Rules apply as guidance or rules depending on the type of firm outsourcing; and
- the MiFID II Delegated Regulation sets out the majority of the outsourcing rules for common platform firms – see below.

Delegated Regulation (EU) 2017/565

Articles 30-32 (inclusive) set out rules for common platform firms undertaking material outsourcings.
The rules are similar to the SYSC 8 Rules and are directly applicable to common platform firms.
They also apply to credit institutions as indicated in Article 1(2) of the Delegated Regulation.

PRA rulebook (Outsourcing)

The "Outsourcing" part of the PRA Rulebook sets out some rules for dual-regulated firms authorised under CRD to comply with when outsourcing, including a requirement to comply with the rules of Articles 30 and 31 of the MiFID II Delegated Regulation.

PSD2

The Payment Services Regulations 2017 transposes PSD2 into UK law.
It contains specific rules on outsourcing by authorised payment institutions under regulation 25.

Electronic money regulation

The Electronic Money Regulations 2017 transposes the Electronic Money Directive 2009/110/EC into UK law.
It contains specific rules on outsourcing by authorised electronic money institutions under regulation 26.

Guidance on outsourcing rules application to cloud outsourcings

The FCA and the EBA have recognised the need to provide additional guidance when it comes to authorised firms outsourcing to cloud service providers (as opposed to traditional outsourcings to non-cloud service providers).

This has been partly triggered to provide much-needed clarity to firms that have expressed uncertainty as to how to interpret the existing outsourcing rules in the context of cloud services which risks creating a barrier to such firms adopting cloud outsourcing which can help facilitate innovation and offer a number of benefits, including increase competition, cost reduction and increased security for firms, all of which will ultimately benefit consumers.

FG 16/5 Guidance for firms outsourcing to the "cloud" and other third-party IT services (July 2018)

This sets out non-binding guidance to firms seeking to outsource to cloud service providers.
The guidance is designed to provide illustrations on how firms can comply with the relevant FCA outsourcing requirements.
The guidance has recently been updated so that it does not apply to banks, building societies, designated investment firms or IFPRU investment firms.

EBA recommendations on outsourcing to cloud service providers

This sets out recommendations for credit institutions providing investment services and MiFID investment firms (i.e. common platform firms). It is referred to as "additional guidance" relevant to outsourcing to cloud service providers.
There is a lot of overlap between the EBA's cloud recommendations and the FCA's guidance as described above.
Key areas of focus for cloud outsourcing include: access and audit rights to cloud service provider business premises, the approach to "chain" outsourcing (subcontracting by cloud service providers) and contingency plans and exit strategies to ensure an orderly migration of the outsourced function from the cloud service provider to a replacement provider or back in-house.
(Note: the EBA recommendation on outsourcing to cloud service providers predates the recent Draft Guidelines. The Draft Guidelines take account of the EBA's cloud recommendations and the intention is that the EBA's cloud recommendations will be repealed when the Draft Guidelines come into force.)

A high-level summary of where to look

Row ref	Type of firm	Source	Comment
1.	Credit institutions (defined in Article 4(1) of Regulation (EU) No 575/2013) (e.g. banks) Authorised under CRD IV (Directive 2013/36/EU)	CEBS Guidelines Articles 30-31 of Delegated Regulation (Article 1(2) states it applies to credit institutions)	Some guidelines relate to all outsourcings and others relate to outsourcing "material activities" Recognises the need to adopt a risk-based and proportionate approach depending on nature and complexity of services being outsourced etc. The Draft Guidelines on Outsourcing arrangements plan to update the CEBS Guidelines.The updated guidelines will apply to all financial institutions within the scope of the EBA's mandate: credit institutions, MiFID investment firms subject to CRD, payment institutions, electronic money institutions.
2.	Common platform firms (e.g. some credit institutions like banks and building societies and MiFID investment firms)	Certain parts of SYSC 8 Rules Articles 30-31 of Delegated Regulation (directly applicable to most common platform firms, see SYSC 1, Annex 1, 3.2G)	If you're a credit institution providing investment services you have to look at both rows 1 and 2.
3.	PRA authorised firms excluding insurers (banks, building societies and designated investment firms)	see rows above depending on nature of regulated activities carried out by firm see Outsourcing Part of PRA Rulebook Article 30 and 31 of Delegated Regulation apply to PRA authorised firms not carrying out investment services (see 2.1A of PRA rule on outsourcing)	A UK credit institution under row 1 will also be a PRA authorised firm under this row.
4.	Authorised firms (excluding credit institutions and MiFID investment firms, insurers and firms authorised under the PSRs or the EMRs)	SYSC 8 – see further SYSC 1, Annex 1, Table A for what authorised firms SYSC 8 is relevant to.
5.	Payment institutions as authorised under 2015/2366/EU (PSD2), implemented in UK law by the PSRs.	Regulation 25, Payment Services Regulation 2017 (PSRs)	The final version of the EBA Draft Guidelines on Outsourcing will also apply to payment institutions.
6.	Electronic money institutions as authorised under 2009/110/EC (e-money Directive), implemented into UK law by the EMRs	Regulation 26, Electronic Money Regulation 2011 (EMRs)	The final version of the EBA Draft Guidelines on Outsourcing will also apply to electronic money institutions.
7.	Insurers	SYSC 13 and 14 of FCA Handbook Articles 41-49, Solvency II Directive European Commission Delegated Regulation (EU) 2015/35 supplementing Solvency II Directive, Article 274 EIOPA Guidelines of System of Governance (relevant parts relating to outsourcing)	Outsourcing Part of PRA Rulebook doesn't apply to insurers – it only applies to PRA authorised firms authorised under CRD.