Following consultation in the second half of 2018, the European Banking Authority (“EBA“) published its Final Report on Draft Guidelines on Outsourcing Arrangements (the “Guidelines“) on 25 February 2019.
Most provisions of the Guidelines will enter into force on 30 September 2019. At the same time, the Guidelines will replace those issued by the EBA’s predecessor organisation, the Committee of European Banking Supervisors (“CEBS“), in 2006 and will also incorporate the EBA’s 2017 Recommendation on Outsourcing to Cloud Service Providers which came into effect on 1 July 2018.
The Guidelines are intended to establish a more harmonised framework for all financial institutions that are within the scope of the EBA’s mandate. The Guidelines apply to credit institutions and investment firms which are subject to the Capital Requirements Directive (“CRD“) as well as payment and electronic money institutions.
The Guidelines are issued under Article 16 of Regulation (EU) No. 1093/2010, the Regulation establishing the EBA. Member States’ competent authorities and financial institutions “must make every effort to comply” with the Guidelines. However, the EBA has acknowledged the need for proportionality within the text of the Guidelines, so that a firm and its competent authority(ies) should have regard to the nature, scale and complexity of the firm’s activities when complying with (or in the case of competent authorities, monitoring compliance with) the Guidelines.
The Guidelines will apply to all outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019. Institutions should review and amend their existing outsourcing arrangements for compliance accordingly. Where an institution has not completed a review of an outsourcing arrangement which relates to critical or important functions by 31 December 2021, this should be notified to the relevant competent authority, along with an explanation of the measures which the institution proposes to take to either complete the review or exit the arrangement.
For many firms, the finalisation of the Guidelines will be a catalyst for a significant programme to review (and potentially rationalise or change) existing outsourcing arrangements. Cross-functional working will be essential, as various control and business functions will have an interest in the use of third party suppliers. Programmes are likely to bring together legal, operational risk, regulatory, compliance, procurement, and audit expertise, while oversight within the three lines of defence approach will need to be allocated not only to business functions but also to appropriate senior management, risk committee and board level to provide good governance of the processes and to ensure that decisions are aligned with business strategy and risk appetite.