Financial Authority (AMF) and Prudential Authority (ACPR) France
About the AMF and ACPR
The Financial Authority (Autorité des Marchés Financiers, AMF) and the Prudential Authority (Autorité de Contrôle Prudentiel et de Résolution, ACPR) are the primary financial regulators in France. In its capacity as the stock market regulator, the AMF is responsible for the supervision of financial markets and investment firms. The ACPR, an independent administrative authority under the central bank, the Banque de France, supervises the banking and insurance sectors.
The AMF and ACPR act in concert with the European Banking Authority (EBA), 'an independent EU authority, which works to ensure effective and consistent prudential regulation and supervision across the European banking sector.' To that end, the EBA has outlined a comprehensive approach to the use of cloud computing by financial institutions in the EU, Recommendations on outsourcing to cloud services providers.
There are several requirements and guidelines that financial institutions in France should be aware of when moving operational functions to the cloud:
- The AMF General Regulation (French and English) sets rules and procedures to enforce financial legislation. In particular, Article 313-75 sets forth conditions that must be reflected in contracts that financial institutions enter into with cloud service providers.
- ACPR published The risks associated with cloud computing (French and English), which encourages organizations under ACPR supervision to take suitable measures to manage risk when they outsource business functions to the cloud. In addition, Article 239 in the ACPR Order of 3 November 2014 on the internal control of companies (French) under ACPR supervision also specifies mandatory terms to be included in contracts with cloud service providers.
- In certain cases, regulated institutions must notify the AMF and ACPR regarding material outsourcing arrangements, particularly if they have the potential to significantly impact their business operations.
- In its role as the data protection authority for France, the CNIL (Commission Nationale de l'Informatique et des Libertés) has issued many cloud computing guidelines, including Recommendations for companies planning to use cloud computing services (French and English).
Microsoft and the AMF and ACPR
To help guide financial institutions in France considering outsourcing business functions to the cloud, Microsoft has published Navigating your way to the cloud: a checklist for financial institutions in France. By reviewing and completing the checklist, financial organizations can adopt Microsoft business cloud services with the confidence that they're complying with applicable regulatory requirements.
When financial institutions in France outsource business activities to the cloud, they must comply with the requirements of the Financial Authority (AMF) and Prudential Authority (ACPR) of France within the broad policy framework of the European Banking Authority (EBA). In particular, they must be aware of Article 313-75 of the AMF General Regulation, and the ACPR guidelines on cloud computing risks and its mandatory requirements for contracts with cloud service providers.
The Microsoft checklist helps French financial firms conducting due-diligence assessments of Microsoft business cloud services and includes:
- An overview of the regulatory landscape for context.
- A checklist that sets forth the issues to be addressed and maps Microsoft Azure, Microsoft Dynamics 365, and Microsoft 365 services against those regulatory obligations. The checklist can be used as a tool to measure compliance against a regulatory framework, to provide an internal structure for documenting compliance, and to help customers conduct their own risk assessments of Microsoft business cloud services.
Microsoft in-scope cloud platforms & services
How to implement
- Compliance checklist: France: Financial firms can get help conducting risk assessments of Microsoft business cloud services.
- Risk Assessment & Compliance Guide: Create a governance model for risk assessment of Microsoft cloud services, and regulator notification.
- Financial use cases: Use-case overviews, tutorials, and other resources to build Azure solutions for financial services.
Frequently asked questions
Is regulatory approval required?
The EBA publication, [Recommendations on outsourcing to cloud services providers](<https://eba.europa.eu/sites/default/documents/files/documents/10180/1848359/c1005743-567e-40fc-a995-d05fb93df5d1/Draft%20Recommendation%20on%20outsourcing%20to%20Cloud%20Service%20%20%28EBA-CP-2017-06%29.pdf /5fa5cdde-3219-4e95-946d-0c0d05494362>), outlines a comprehensive approach to material outsourcing by financial institutions in the EU. Also, in certain instances, financial firms must notify the AMF or ACPR of their outsourcing arrangements, as described on pages 8 and 9 of the checklist. While it's unlikely these circumstances would apply to the use of Microsoft cloud services, financial services should verify their applicability by reviewing the checklist.
Are there any mandatory terms that must be included in the contract with the cloud services provider?
Yes. Article 239 of the ACPR Order of 3 November 2014 and Article 313-75 of the AMF General Regulation set forth conditions that must be reflected in contracts that financial institutions enter into with cloud service providers. Part 2 of the Microsoft checklist (page 62) maps these against the sections in Microsoft contractual documents where they're addressed.