New Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) ("Guidelines") have been issued by the European Banking Authority ("EBA") and came into force on September 30, 2019. Within these Guidelines, the EBA aims to contribute to a harmonized framework for outsourcing on a European level. At the same time, the EBA acknowledges the increased interest of financial institutions in the outsourcing of their business activities as a way to get relatively easy access to new technologies and to achieve economies of scale.
Despite a transitional period until the end of 2021 and the exemption to comply with the new Guidelines for existing cloud service agreements, many institutions and companies in the financial sector are affected and will need to take action to comply.
This Alert explains in detail the applicability, definition and rules of Outsourcing Arrangements as defined by the EBA, and provides financial institutions with an overview of the extent to which they will have to adapt their internal processes to the new requirements.
The Guidelines were published by the EBA on February 25, 2019 and came into force on September 30, 2019. Subject to a statement of the competent authorities on whether or not they intend to comply with the instructions set out in the EBA Guidelines (compare Article 16(3) of Regulation (EU) No 1093/2010), outsourcing agreements concluded after September 30, 2019 are required to comply with the new requirements. A transitional period until December 31, 2021 applies to existing outsourcing agreements with the exception of existing cloud service agreements, which are exempted from the requirement to comply with the Guidelines.
The Guidelines replace the previous CEBS Guidelines of 2006, as well as the EBA recommendations on outsourcing to cloud service providers of 2017. Specific provisions for outsourcing, such as in the Second Payment Services Directive (EU) No. 2015/2366, Directive 2014/65/EU on markets in financial instruments (MiFID II), as well as in the EBA recommendations for outsourcing to the cloud (EBA/Rec/2017/03) are transferred into the Guidelines. This means that financial institutions will now only need to consult one set of outsourcing guidelines.
The European Central Bank will apply the Guidelines to financial institutions that are under its direct supervision ("significant entities") without any amendments or restrictions. For other financial institutions that are not directly under the European Central Bank's supervision, the Guidelines will go into effect once they are implemented in the national banking supervision authorities' instructions.
The Guidelines are applicable to a wider range of entities within the financial sector than their predecessor. They apply to credit institutions, payment institutions and electronic money institutions (in the following all together "Financial Institution(s)") and hence also affect FinTech companies.
As per the definition in the Guidelines, "outsourcing" refers to "an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself." The Guidelines also define clearly what is not considered as outsourcing.
Hence, the definition contains two criteria: the performance of a function by a third party, and that the outsourced function would otherwise be undertaken by the institution or payment institution itself. With regard to the second criterion, it appears that the EBA defines it rather broadly: in the "Summary of responses to the consultation and of the EBA's analysis" (starting on page 71 in the Guidelines), the EBA states: "When a function is normally performed by institutions in general and is provided by a service provider, the arrangement should usually be qualified as outsourcing, even if the individual institution has not performed it itself or would also not be able to perform it." From that analysis it appears that one should ask what would be common practice with regard to the function in question. However, it remains to be seen how the authorities will apply and interpret the revised definition.
Moreover, this revised definition also applies to intragroup outsourcings as such outsourcings would not necessarily be less risky than outsourcing to an entity outside the group. From now on, Financial Institutions are also required to take into account conflicts of interest that may be caused by intragroup outsourcing arrangements.
Broader Requirements under the New Guidelines
Critical or Important Functions
Specific requirements (in particular with regard to risk management) apply to the outsourcing of critical or important functions; the regime for outsourcing critical or important functions is stricter than the regime for other outsourcing arrangements.
The definition of the term "critical or important functions" under the Guidelines is new and is based on the wording of MiFID II and the Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II. Under this new definition, Financial Institutions should consider a function as critical or important if, for example, the outsourced function is subject to an authorization process, or if the function is part of an internal control function. A function whose failure would materially impair the Financial Institution's performance should be considered critical or important. Functions that belong to core business lines should also be considered critical or important.
The Guidelines provide an additional list of factors that should be taken into account when assessing whether an outsourcing agreement relates to a function that is critical or important. Apart from the general mandatory risk assessment (see below) to be conducted under the Guidelines, this list includes the question whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which the Financial Institution is authorized.
The risks that are associated with the transfers of services into countries outside the EU and EEA (Third Countries) are not only part of the general mandatory risk assessment under the Guidelines, but the Guidelines also set out specific rules for the transfer of services into Third Countries. Financial Institutions may only engage a service provider in Third Countries if certain conditions are met, including that an appropriate cooperation agreement between the competent authorities responsible for the supervision of the Financial Institutions and the supervisory authorities responsible for the supervision of the service provider is put in place. The cooperation agreement is to ensure that the supervisory authorities can effectively carry out their supervisory rights under European Union law.
Further, Financial Institutions are to implement a written outsourcing policy which shall be updated as applicable on a regular basis and which must be in line with the actual negotiated outsourcing agreement with the service provider. The outsourcing policy at least shall cover the responsibilities of the Financial Institution's management body, including:
- its involvement in the decision-making on outsourcing of critical or important functions;
- the involvement of the various business lines, internal control functions and other individuals within the Financial Institution in respect of outsourcing arrangements;
- the overall planning of outsourcing arrangements; the implementation, monitoring and management of outsourcing arrangements; and
- the documentation of the outsourcing process and exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced.
The Guidelines require Financial Institutions to conduct a comprehensive risk analysis before entering into an outsourcing arrangement, which is to consider the many risk factors, in particular operational risks, related to the function being outsourced. A comprehensive list of additional risks that should be taken into account is provided in the Guidelines. For example, the Financial Institution is requested to examine carefully whether the service provider is suitable. If critical or important functions are to be outsourced, the due diligence should examine whether the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organizational structure and, if applicable, the required regulatory authorization(s) or registration(s) to perform the critical or important function in a reliable and professional manner over the duration of the cooperation.
The Guidelines also define comprehensive regulation points, which the actual outsourcing agreements are to include and govern.
The Guidelines impose further documentation tasks on Financial Institutions, which must maintain a comprehensive register of information on all outsourcing agreements. The specific information that is to be recorded in the register is listed in the Guidelines and must be consistent with both the actual agreed outsourcing agreements and the outsourcing policy. Such a register will also help the competent supervisory authority to understand and assess the specific concentration risk posed by multiple outsourcings to the same service provider and/or the concentration risk posed by outsourcing critical or important functions to a limited number of service providers.
According to the Guidelines, such an assessment of concentration risks is particularly relevant for the competent supervisory authorities when supervising the impact of outsourcing on the stability of the financial market. As a consequence, the authorities' assessment of possible concentration risks will also impact the Financial Institutions' selection process of suitable service providers.
The Guidelines also set out detailed requirements with regard to audit rights. Competent authorities are to have full and unrestricted audit rights. In case of the outsourcing of critical or important functions, Financial Institutions are to contractually ensure that the service provider grants the Financial Institution and the competent authority full audit rights, including unrestricted rights of inspection and auditing with full access to all relevant business premises. A risk-based approach applies to the determination of suitable audit rights for functions that are not critical or important.
Finally, Financial Institutions are to inform competent authorities of material changes and/or severe events regarding their outsourcing arrangements that could have a material impact on the continuing provision of the Financial Institution's business activities.
To be compliant with the new Guidelines, Financial Institutions should be ready to answer key questions such as:
1. Do the outsourcing guidelines apply to my company? The Guidelines apply to financial institutions, credit institutions, payment institutions and electronic money institutions, both for external and internal (intragroup) outsourcing arrangements.
2. How does the EBA define outsourcing? The EBA provides a new definition of outsourcing which should be carefully applied.
3. What criteria should be applied to assess if an outsourced function is critical or important? The Guidelines provide a catalogue of criteria for such an assessment. Among other criteria, Financial Institutions should pay attention to whether, for example, the outsourced function is subject to an authorization process, is part of an internal control function, or whether a failure of the function would materially impair the Financial Institution's performance.
4. What are the key requirements in the pre-outsourcing phase? Financial Institutions will have to make sure to:
- identify whether the outsourcing agreement includes a critical or important function, as special requirements will apply and risks will need to be analyzed and monitored;
- notify the competent authority in advance in the event of the outsourcing of a critical or important function, as well as in the event of significant changes to such an outsourcing;
- add the planned outsourcing function into a detailed outsourcing register;
- undertake appropriate due diligence on the prospective service provider;
- conduct a comprehensive risk analysis before entering into an outsourcing arrangement; conflicts of interest in connection with an outsourced function must also be identified and appropriately taken into account in such risk analysis;
- ensure that the contractual agreement with the service provider meets the requirements which are set out in the Guidelines for outsourcing agreements.
5. What are the requirements post-outsourcing? Financial Institutions are required to:
- monitor, on an ongoing basis and following a risk-based approach, the performance of the service providers with regard to all outsourcing arrangements;
- regularly update their risk analyses;
- ensure, on an ongoing basis, that their outsourcing arrangements meet appropriate performance and quality standards in line with their policies;
- take appropriate measures if they identify shortcomings in the provision of the outsourced function.
6. What about outsourcing agreements outside of the EU?
One major requirement is that Financial Institutions will have to ensure that an appropriate cooperation agreement between the competent authorities responsible for the supervision of the Financial Institution and the supervisory authorities responsible for the supervision of the service provider is put in place.