New EU outsourcing guidelines expected to have positive impact in Bulgaria

The European Banking Authority (EBA) has issued new Guidelines on Outsourcing, which harmonise rules for credit institutions, payment institutions and cloud service providers and are expected to have a positive impact on the Bulgarian economy given the sophistication of its IT and FinTech sectors.

The new Guidelines entered into force on 30 September 2019.

Outsourcing arrangements

One of the chief aims of the new Guidelines is to bolster the effectiveness and efficiency of credit and payment institutions concerning their outsourcing arrangements. The Guidelines clearly define the risks involved in the functions of outsourcing and sub-outsourcing (as defined in Article 30 of MiFID II), the outsourcing of these functions to third countries, and multiple outsourcings to the same service provider. Furthermore, according to the Guidelines, intra-group outsourcing activities are not seen as carrying less risk.

By strictly following the Guidelines, credit and payment institutions can strengthen oversight and better manage outsourcing contracts so long as these measures do not impact stakeholders in a harmful manner or violate the EU's fundamental freedoms and human rights.

To achieve this end, credit and payment institutions need to properly identify all possible risks by describing and outlining the mutual obligations emerging from a contract and investigating the third party they are entering into an outsourcing relationship with.

IT, FinTech and cloud service providers

Information technology (IT), financial technology (FinTech), and cloud service providers have become a vital part of everyday business for credit and payment institutions. Since the security risks surrounding outsourcing arrangements with these bodies have become increasingly apparent, the Guidelines now state that these relationships should fall under the control of the management bodies. In all cases, business continuity and data protection must be maintained to ensure that relations with outsourcing parties are durable and reliable.

Sub-outsourcing is also regulated in the Guidelines and since it conveys further risks for credit and payment institutions, the new rules require ex ante or prior notification and a description of all changes vis-a-vis the original outsourcing contract.

Supervision by competent authorities

Outsourcing by credit and payment institutions can affect the efficiency of a nation's financial bodies. As a result, the competent authorities in each member state must also ensure the stability of its financial systems by monitoring and supervising this outsourcing. The authorities should conduct an overview of all outsourcing arrangements, which must be thoroughly documented by the institutions. Supervision is of particular importance for many types of IT outsourcing, since some providers may dominate the market, or numerous institutions may employ the same service provider, which is a high-risk situation.

In any case, however, the main responsibility for meeting the Guidelines lies with the institutions themselves and not with the authorities conducting the supervision.

FinTech in Bulgaria

According to the Global Innovation Index, Bulgaria is a leader in innovation, efficiency and achievement in South Eastern Europe (SEE) with as many as 65 FinTech companies operating in the country, according to the Bulgarian FinTech Association's Annual Comprehensive Report on the State of the Fintech Sector in Bulgaria. As a result, the Guidelines are expected to have a measurable impact not only on Bulgaria's credit and payment institutions, but also on FinTech companies operating in the region and throughout the EU.

The Guidelines must be implemented in the respective outsourcing arrangements by 31 December 2021. If an institution is unable to meet this deadline, it must notify the authorities and provide information on when this implementation will take place.