Banks, certain investment firms as well as payment and e-money institutions will need to review their outsourcing arrangements to ensure that they comply with the EBA’s Guidelines on Outsourcing Arrangements (the “Guidelines”) by 30 September 2019.
Currently, credit institutions must comply with the Guidelines on outsourcing published by the Committee of European Banking Supervisors in 2006 (the “CEBS Guidelines”). On 22 June 2018, the EBA launched a public consultation with a view to updating the CEBS Guidelines in order to provide a more harmonised framework for all financial institutions supervised by the EBA, including not only credit institutions, but investment firms falling with the scope of Directive 2013/36 (CRD IV), as well as payment and e-money institutions (“Institutions”). See our related briefing here.
The final Guidelines, which were published in draft form on 25 February 2019, set out specific provisions for financial institutions’ governance frameworks regarding their outsourcing arrangements and related supervisory expectations and processes. In doing so, they address a number of issues, including: the assessment of outsourcing arrangements, the governance framework and the outsourcing process. The Guidelines are generally more presriptive than the CEBS Guidelines, including stricter requirements for critical or important functions. They apply to all outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019.
An Institution’s compliance with the Guidelines is subject to the principle of proportionality. In other words, an Institution’s governance arrangements for its outsourced activities should be consistent with its risk profile, the nature of its business, its business model and the scale and complexity of its activities.
The CEBS Guidelines will be repealed on 30 September 2019. The Guidelines also repeal the EBA’s recommendations on outsourcing to cloud service providers from that date, as this recommendation is incorporated into the Guidelines.
You may access the Guidelines here.
The increase in the number and scope of outsourcing arrangements is drawing the attention of regulators. Financial services firms can expect outsourcing to continue to be an area of supervisory focus over the coming years. The EBA’s Guidelines form part of this increased supervisory focus and will likely be considered as best practice for all financial institutions.
On the home front, outsourcing is also an area of concern for the Central Bank of Ireland, which, in November 2018, published a Discussion Paper on outsourcing activities in financial service providers (the “Paper”) (see our related briefing here).
The Paper states that an increasing number of regulated firms are relying on outsourced service providers to provide activities and services that are central to the successful delivery of a regulated firm’s strategic objectives. Moreover, the Central Bank expects outsourcing to grow rapidly over the coming years in certain areas, namely, the use of cloud service providers and partnerships with fintech and regtech firms.
According to the Paper, in view of the increasing reliance of many regulated firms on outsourced service providers, the Central Bank has “significantly increased its focus on outsourcing and the management by regulated firms of risks presented by outsourcing arrangements through specific, targeted onsite inspections and wider thematic reviews on outsourcing”.