The European Banking Authority (“EBA”) has published its revised guidelines on outsourcing arrangements (“New Outsourcing Guidelines”). The New Outsourcing Guidelines now await official translation into member state languages and will apply from 30 September 2019. Once in force, the New Outsourcing Guidelines will repeal the current outsourcing guidelines issued in December 2006 by the Committee of European Banking Supervisors (the predecessor to the EBA) (“2006 Guidelines”) and the recommendations on cloud outsourcing published in March 2018 by the EBA (“2018 Recommendations”).
Currently, the 2006 Guidelines apply only to credit institutions (essentially banks and building societies) and the 2018 Recommendations apply to credit institutions and MiFID investment firms, so no detailed guidelines or guidance apply to payment institutions and electronic money institutions in this respect. This will change under the New Outsourcing Guidelines, which will apply to payment institutions and e-money institutions as well as to credit institutions and MiFID investment firms. The general aim of the New Outsourcing Guidelines is to create a level playing field and to harmonise the outsourcing requirements that are currently set out in separate EU legislation for different types of firm (credit institutions under CRD IV, investment firms under MiFID II, payment institutions and electronic money institutions under PSD2).
This article considers the implications for payment institutions and electronic money institutions. Consistent with the New Outsourcing Guidelines, this article uses “payment institutions” to refer to both payment institutions and electronic money institutions.
Article 19 of the Payment Services Directive (EU) 2015/2366 (“PSD2”) sets out the general principles that must be complied with where a payment institution outsources “important operational functions”. These are, in brief summary: such outsourcing must not materially impair the quality of the payment institution’s internal controls, must not delegate senior management’s responsibility and must not undermine any condition under which the payment institution is authorised. The same requirements apply to electronic money institutions. Note that these general requirements are essentially the same as those under the previous Payment Services Directive 2007/64/EC (“PSD1”). The New Outsourcing Guidelines supplement these general principles and set out much more detailed requirements.
While the New Outsourcing Guidelines focus on outsourcing of a “critical or important function”, there are also requirements that apply to all outsourcing. In relation to payment institutions, the term “critical or important function” (the term used in MiFID II) is intended to cover an “important operational function” as used in PSD2. An “important operational function” is defined in PSD2 as a function where “a defect or failure in its performance would materially impair the continuing compliance of a payment institution with the requirements of its authorisation…, its other obligations under [PSD2], its financial performance, or the soundness or the continuity of its payment services”. The word “materially” is the key qualifier.
The scope of “critical or important function” under the New Outsourcing Guidelines is wider than that of “important operational function” under PSD2. “Function” (which is not defined in PSD2 for these purposes) is defined in the New Outsourcing Guidelines to mean any processes, services or activities. There are three limbs to the definition of “critical or important function”. The first limb covers the important operational function as defined in PSD2, in almost identical wording (i.e. there is a materiality test). The second limb covers any internal control function (note the broad meaning of “function”), which is essentially presumed to be “critical or important” unless the payment institution’s assessment establishes that non-performance of the outsourced function would not have “an adverse impact” on the effectiveness of that internal control function. Note that there is no materiality threshold in this limb: it turns on “an adverse impact”, not a material one. The third limb covers any function whose performance would require the service provider to be authorised (essentially, where the service provider would itself be providing a regulated payment service under the outsourcing arrangement).
This article focuses on the second limb.
There is neither a definition of nor guidance on what “control function” means here. From the EBA’s feedback on the relevant responses to the consultation paper, it appears to refer to functions that are “key elements of institutions’ internal control framework”. Since the EBA uses “institutions” in the New Outsourcing Guidelines to refer to credit institutions and MiFID investment firms, it is not entirely clear how the term should be applied to payment institutions. However, given that the aim of the guidelines is to ensure a level playing field, it seems reasonable that the same interpretation should be adopted for payment institutions as well. On that basis, certain support or administrative functions should not be caught by this limb; but this is not free from uncertainty.
Such uncertainty may not be as significant as it appears, given that the New Outsourcing Guidelines contain detailed requirements on how a payment institution should assess whether a function is critical or important for these purposes. There is a non-exhaustive list of 10 factors that should be considered in that assessment. As the list is not exhaustive, payment institutions may also take into account other factors relevant to their individual circumstances. Also relevant is the general principle of proportionality, which aims to ensure that compliance with the guidelines is consistent with the individual risk profile, nature and business model of the payment institution and the scale and complexity of its activities.
Payment institutions should have a firm-wide risk management framework under which the payment institution identifies and manages all of its risks, including risks relating to outsourcing. As part of this framework, payment institutions should establish an outsourcing function or designate a senior officer who is directly accountable to the management body for outsourcing. Small and less complex payment institutions may instead assign the outsourcing function to a member of their management body.
Certain specific requirements, such as adequate risk management and an appropriate flow of information from the service provider, apply to all outsourcing arrangements. For outsourcing of critical or important functions there are additional requirements, which include ensuring that the payment institution is able to transfer the outsourced function to an alternative service provider, to reintegrate the function in-house, or to discontinue the business activities that depend on the function.
PSD2 already contains various risk management requirements, such as having risk management procedures as part of the authorisation requirements under Article 5 and managing security and operational risks under Article 95. Payment institutions should therefore already have a relevant framework and procedures in place, and some of the risk management requirements in the New Outsourcing Guidelines may already be reflected in existing policies and procedures. However, these existing documents will need to be reviewed and amended to include the specific requirements of the New Outsourcing Guidelines.
Payment institutions should have a written outsourcing policy and keep it regularly reviewed and updated. The New Outsourcing Guidelines set out the minimum content that such a policy should contain. Payment institutions should also have in place appropriate business continuity plans for outsourced critical or important functions and test them periodically. Again, either as a matter of good practice or to comply with other general regulatory obligations (e.g. sound management), payment institutions with existing outsourcing arrangements may already have relevant policies and procedures for managing them. However, given the specific content requirements, such existing policies and procedures will need to be reviewed and amended.
Further, payment institutions should have a documented exit strategy when outsourcing critical or important functions. They should ensure that they are able to exit outsourcing arrangements without undue disruption to their business activities, without limiting their regulatory compliance and without any detriment to the continuity and quality of their services to customers. A number of specified factors should be taken into account when designing the exit strategy. As noted above, this may already be reflected in a payment institution’s internal control documentation, in which case it may just be a matter of reviewing and updating the existing document to meet the specific requirements.
In addition, the New Outsourcing Guidelines provide that payment institutions should maintain a register of information on all outsourcing arrangements, including those for critical or important functions. Specific information must be recorded in the register for every arrangement, such as the start date, end date, name of the service provider, country of the service provider and location of the data. For outsourcing of critical or important functions, additional information must be recorded, such as the date of the most recent risk assessment and a summary of it, the governing law of the agreement, the identification of alternative service providers, the names of any sub-contractors (if applicable) and the annual budget cost.
This register in whole or in part should be made available to the payment institution’s regulator (which, for the UK, would be the Financial Conduct Authority) upon request.
This is a new requirement, so payment institutions will not have taken it into account when designing and establishing their internal procedures. However, payment institutions are already subject to record-keeping obligations (e.g. Article 21 PSD2), and the register is largely a record-keeping exercise, so establishing and maintaining it may not be as challenging as it first appears. Nonetheless, given the specific content requirements for the register, it may take time and effort to set up.
The New Outsourcing Guidelines provide that there should be a written outsourcing agreement between the outsourcing payment institution and the service provider. Where the agreement relates to outsourcing of critical or important functions, the New Outsourcing Guidelines set out minimum content that the agreement should contain, which includes, in summary:
- the governing law;
- the parties’ financial obligations;
- the locations where the function will be performed and/or where the data will be kept and processed;
- the reporting obligations of the service provider to the payment institution;
- the obligation on the service provider to cooperate with the payment institution’s regulator;
- the unrestricted right of the payment institution and its regulator to inspect and audit the service provider.
Where the agreement permits sub-outsourcing, then additional provisions should be included e.g. conditions to be complied with for sub-outsourcing.
Payment institutions are already required to provide their outsourcing agreements as part of the authorisation process under PSD2. A well-drafted outsourcing agreement should already cover most of the minimum content, such as the governing law, cooperation with regulators and conditions on sub-outsourcing (if applicable). However, some items may be missing, such as the location where the data will be kept, so existing outsourcing agreements may need to be reviewed and amended. Consideration should also be given to whether the existing agreement allows the payment institution to amend it unilaterally for regulatory reasons, and how any re-negotiation with the service provider should be conducted.
Payment institutions should monitor on an on-going basis the performance of the service providers in accordance with a risk-based approach and should apply due skill, care and diligence when monitoring and managing outsourcing arrangements.
Payment institutions may already be monitoring and overseeing their service providers, e.g. in order to comply with other regulatory requirements (such as ensuring sound management). However, the relevant monitoring and oversight procedures should now be formalised (if they are not already) and brought into line with the specific requirements of the New Outsourcing Guidelines.
The New Outsourcing Guidelines will apply from 30 September 2019 to all outsourcing arrangements entered into, reviewed or amended on or after that date. For existing outsourcing arrangements, the New Outsourcing Guidelines provide that payment institutions should review and amend them to ensure they comply with the new requirements. There is a transition period to 31 December 2021, by which date payment institutions should have completed the relevant documentation for all existing outsourcing arrangements (such as the risk assessment, outsourcing policy, outsourcing register and exit strategy).
As discussed, some of the requirements, such as having a written outsourcing agreement, may not be difficult for payment institutions to implement; it may just be a matter of reviewing and updating existing internal documents and procedures and adding the specific outsourcing content. Other requirements, such as the outsourcing register, may need more time and effort to implement.
While there is a transition period, depending on the circumstances of each firm the time and effort needed to implement the New Outsourcing Guidelines may be significant. It would therefore be in the interest of payment institutions (including electronic money institutions) that have existing outsourcing arrangements, or plan to enter into them, to start preparing for the new requirements sooner rather than later. This is particularly so if any existing outsourcing arrangement needs to be renewed or amended on or after 30 September 2019. It is also worth bearing in mind the wider payment-related regulatory environment, which is seeing a flurry of new developments, such as: the Principles for Businesses in the FCA Handbook, which are to apply to payment institutions and electronic money institutions from August 2019; the PSD2 open banking requirements, which will apply from September 2019; and the industry voluntary code for authorised push payment scams, which is scheduled to apply from 28 May 2019 (albeit on a voluntary basis).