On 22 June 2018, the European Banking Authority (EBA) launched a public consultation on its draft Guidelines on outsourcing. The aim of these Guidelines is to harmonise the framework for outsourcing arrangements of all financial institutions in the scope of the EBA's action.
With these Guidelines, the EBA is updating the CEBS guidelines on outsourcing issued in 2006 that applied only to credit institutions. The Guidelines will now apply to credit institutions and investment firms (jointly "institutions"), as well as payment institutions and electronic money institutions (jointly "payment institutions").
The Guidelines set out specific provisions for these financial institutions’ governance framework with regard to their outsourcing arrangements, and the respective supervisory expectations and processes. The Recommendation on outsourcing to cloud service providers, published in December 2017, has also been integrated into the Guidelines.
The Guidelines take into account and are consistent with the current requirements under the Capital Requirements Directive (CRD), MiFID, E-money directive, PSD2 and the Bank Recovery and Resolution Directive (BRRD), as well as the respective delegated Regulations.
The Guidelines provide comprehensive and detailed requirements relating to outsourcing, covering the internal governance duties of institutions and payment institutions using external providers, contractual arrangements with an insourcer (outsourcee), and supervision of the outsourced functions, not only by the institutions and payment institutions themselves, but also by the relevant supervisory authorities.
Below we summarise the key points of the Guidelines.
- The Guidelines provide a clear definition of outsourcing (in line with the related Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II).
- The Guidelines specify the criteria to assess whether an outsourced activity, service, process or function (or part of it) is critical or important. The Guidelines provide criteria to ensure a more harmonised assessment of the criticality or importance of functions.
- Institutions and payment institutions should have sound internal governance arrangements which include a clear organisational structure. The Guidelines include requirements which aim at ensuring that:
  - there is effective day-to-day management by the management body;
  - there is effective oversight by the management body;
  - there are a sound outsourcing policy and sound outsourcing processes;
  - institutions and payment institutions have an effective and efficient internal control framework, including with regard to their outsourced functions;
  - all the risks associated with the outsourcing of critical or important functions are identified, assessed, monitored, managed, reported and, as appropriate, mitigated;
  - there are appropriate plans for exit from outsourcing arrangements of critical or important functions, e.g. by migrating to another service provider or by reintegration of the critical or important outsourced function; and
  - competent authorities remain able to effectively supervise institutions and payment institutions, including the functions that have been outsourced.
Here you can read the Guidelines.