In recent years, financial institutions have increasingly outsourced business activities to reduce costs and offer more flexible services to their clients. The digitalization of processes and the entry of new financial technology providers (FinTech) into the market increasingly require financial institutions to adapt their business models, including by using and integrating outsourced service providers in their processes.
As of 30 September 2019, banks, investment firms, payment institutions and electronic money institutions (“institutions”) must comply with the European Banking Authority’s guidelines on outsourcing arrangements (EBA/GL/2019/02)(https://eba.europa.eu/documents/10180/2551996/EBA+revised+Guidelines+on+outsourcing+arrangements). The guidelines lay down rules for internal governance, risk assessment and monitoring by institutions with regard to the outsourcing of processes, services or activities that the institutions would otherwise perform themselves. They indicate which agreements with third parties are considered outsourcing and provide criteria for determining which functions are critical or important. If critical or important functions are outsourced, more stringent requirements apply to the selection, contracting and oversight of the service provider. The guidelines also apply to the outsourcing of functions between institutions where one institution acts as service provider for another.
Institutions should therefore:
1. Evaluate their outsourced activities: determine whether each falls under the guidelines (e.g. statutory audits, global network infrastructure services such as Visa and MasterCard, and legal services do not), and whether it involves a critical or important function (cloud services are likely to, because an error in or failure of such a service would significantly affect the reliability and continuity of the institution’s operations).
2. Update their internal documentation so that it provides a framework for reliably identifying and managing the risks arising from third parties and for managing outsourcing to service providers.
3. Designate a person responsible for outsourcing arrangements, or assign this function to a senior staff member (e.g. a key function holder of a control function); in smaller and less complex institutions it may also be entrusted to a member of the management body.
4. Adopt a written outsourcing policy that describes the outsourcing process in detail (analysis, risk assessment, provider selection, due diligence, the contracting phase, etc.), including exit strategies for outsourced critical or important functions.
5. Update the business continuity plan to cover outsourced critical or important functions.
6. Maintain an up-to-date register of information on all outsourced functions.
7. Review and amend contracts with service providers: contracts must be balanced and specific, because ultimate responsibility for the outsourced function always remains with the institution.
If the review of outsourcing agreements for critical or important functions is not completed by 31 December 2021, institutions should inform their supervisory authority, stating the planned completion date of the review or the exit strategy. The guidelines also require already concluded agreements to be reviewed and amended, with a possible exception for arrangements with cloud service providers. All new contracts (including revised and amended ones) concluded on or after 30 September 2019 must fully comply with the guidelines.
The guidelines also pay particular attention to service providers’ compliance with the General Data Protection Regulation (GDPR), to the conditions for subcontracting, and to compliance by service providers and their subcontractors with international human rights standards, environmental protection and appropriate working conditions (including the prohibition of child labor).
The guidelines repeal the previous outsourcing guidelines dated 16 December 2006 (issued by the Committee of European Banking Supervisors, the EBA’s predecessor), as well as the European Banking Authority’s recommendations on outsourcing to cloud service providers.