1. Introduction

The National Bank of Belgium (NBB) has issued a new Circular on outsourcing arrangements (Circular NBB_2019_19) (the Circular) that applies to credit institutions, stockbroking firms, payment institutions, e-money institutions, and Belgian branch offices of non-EER credit institutions and investment firms (the Institutions).

2. Timing

The new Circular applies from 30 September 2019 to all outsourcing arrangements entered into, reviewed or amended on or after this date. A grandfather clause is provided for existing outsourcing arrangements. Institutions should review and amend accordingly existing outsourcing arrangements with a view to ensuring that these are compliant with the Circular by no later than 31 December 2021. Circulars PPB_2004/5 and NBB_2018_20, Communication NBB_2012_11 and the Communication of the CBFA of 5 November 2007 are repealed with effect from 31 December 2021.

3. Key takeaways

3.1 EBA Guidelines

With the Circular, the NBB fully integrates the EBA Guidelines on outsourcing arrangements of 25 February 2019 (EBA/GL/2019/02) (the EBA Guidelines) in its supervisory practices.

The EBA Guidelines set out which arrangements with third parties, including cloud service providers, are to be considered as outsourcing and provide criteria for the identification of critical or important functions that have a strong impact on the Institution’s risk profile or on its internal control framework. If such critical or important functions are outsourced, stricter requirements apply to these outsourcing arrangements than to other outsourcing arrangements.

The EBA Guidelines further specify the internal governance arrangements, including sound risk management, that Institutions should implement when they outsource functions, in particular with regard to the outsourcing of critical or important functions.

Specific provisions are set out with regards to the process to be followed for entering into outsourcing arrangements, including the risk assessment, due diligence, the contractual phase, oversight and exit.

The EBA Guidelines take into account and are consistent with the current requirements under CRD, MiFID II, PSD2, the E-Money directive and BRRD, and the respective delegated regulations. In addition, international developments in this area, such as the revised corporate governance principles for banks and the guidelines on step-in risk published by the Basel Committee on Banking Supervision (BCBS), have been taken into account

3.2 Reporting requirements

The EBA Guidelines impose various reporting requirements on Institutions. The Circular clarifies the NBB's approach in relation to these reporting requirements for the Institutions that fall under its direct supervision1 (hereinafter the Relevant Institutions).

Outsourcing register

As part of their risk management framework, Institutions should maintain an updated register of information on all outsourcing arrangements. Institutions should, upon request, make available to the competent authority either the full register of all existing outsourcing arrangements or sections specified thereof.

Relevant Institutions may expect that the register will be requested by the NBB upon the occurrence of the following occasions:

i. in the first half of 2022, following 31 December 2021 when the documentation should be completed;

ii. at least every 3 years, for less significant institutions and non-EEA branch within the framework of the Prudential Review and Evaluation Procedure (SREP);

iii. in the event that the competent authority explicitly requests this information in relation to the outsourcing of a critical or important function or if an outsourced function has become critical or important.

Relevant Institutions should use the template provided by the NBB (Annex 1 to the Circular).

Notification of planned outsourcing arrangements and material changes

Institutions should adequately inform the competent authority in a timely manner or engage in a supervisory dialogue with the competent authorities about the planned outsourcing of critical or important functions and/or where an outsourced function has become critical or important. The NBB clarifies that a period of 2 months prior to the outsourcing can be considered as 'timely' (indicatively).

Institutions should also inform the competent authority in a timely manner of material changes and/or severe events regarding their outsourcing arrangements that could have a material impact on the continuing provision of the Institutions' business activities.

Relevant Institutions should use the template provided by the NBB for these notification requirements (Annex 3 to the Circular).