On 15 November 2019, the Danish Financial Supervisory Authority (Danish FSA) published a consultation on a new bill with the aim of aligning the outsourcing regulation for financial institutions, including e-money and payment institutions, and shared data centres etc., with EU regulation, including the European Banking Authority's (EBA) guidelines on outsourcing.
The regulatory framework
The overall aim of the proposed bill is to align the Danish outsourcing rules for financial institutions, including e-money and payment institutions, and shared data centres etc., including executive order no. 1304 on outsourcing significant areas of activity of 25 November 2010 (Outsourcing Order), with EU regulation on outsourcing.
On 30 September 2019, the EBA's guidelines on outsourcing agreements (EBA Guidelines) replaced the Committee of European Banking Supervisors' guidelines on outsourcing (CEBS Guidelines) issued in 2006 and the EBA's recommendation on outsourcing to cloud service providers published in December 2017.
The proposed bill suggests a revision of outsourcing rules as set out in various Danish acts applicable to the financial sector in order to comply with the EBA Guidelines. According to the remarks to the proposed bill, the Outsourcing Order will also be revised; however, such revision is not currently part of the proposed bill.
New definition of "outsourcing"
"Outsourcing" is currently defined in Article 5, no. 27 of the Danish Financial Business Act (DFBA) as: "Delegation by an undertaking of significant areas of activity, which are subject to supervision by the Danish FSA, to a supplier."
The outsourcing definition in the DFBA is based on the CEBS Guidelines. The scope of the outsourcing definition is, however, narrower than the outsourcing definition in the CEBS Guidelines as only activities "which are subject to supervision by the Danish FSA" are within the scope of the current outsourcing definition. The proposed bill introduces a revised outsourcing definition in Article 5, no. 27 of the DFBA in line with the EBA Guidelines and Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II:
"An arrangement of any form between an institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution. For insurance companies outsourcing is an arrangement of any form between an insurance company and a service provider, where the service provider either directly or through sub-outsourcing performs a process, a service or an activity that would otherwise be undertaken by the insurance company."
The accompanying comments to the proposed bill state, in line with the EBA Guidelines, that as part of the assessment of whether a process, service or activity is considered outsourcing, consideration should be given to whether the function (or a part thereof) that is outsourced to a service provider is performed on a recurrent or ongoing basis by the service provider and whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by institutions themselves, even if the institution has not performed this function in the past itself.
Further, where an arrangement with a service provider covers multiple functions, institutions should consider all aspects of the arrangement within their assessment, e.g. if the service provided includes the provision of data storage hardware and the backup of data, both aspects should be considered together. It is emphasized that institutions shall maintain, at all times, sufficient substance and not become ‘empty shells’ or ‘letter-box entities’ and shall not, for example, outsource the management body's responsibility.
With the proposed revision of the outsourcing regulation, the substantive rules will apply to any outsourcing, in line with the EBA Guidelines, and not only to outsourcing of "significant areas" as is currently the case.
Critical or important functions
The EBA Guidelines distinguish between outsourcing of "critical or important functions" and outsourcing in general. Guidance as to what should be considered "critical or important functions" is set out in Title 4 of the EBA Guidelines. The comments to the proposed bill state that "critical or important functions" will be defined through the Danish FSA's practice.
The requirements for outsourcing of "critical or important functions" are more comprehensive than those for outsourcing of non-critical or non-important functions. For example, the requirements for outsourcing contracts in Title 13 of the EBA Guidelines apply only to outsourcing of "critical or important functions". We expect the revised Outsourcing Order to reflect the same.
Use of cloud services
Use of cloud services in the financial services sector is challenging for various reasons due to some of the requirements in the Outsourcing Order. According to the remarks to the proposal, the regulation of outsourcing and cloud services should be clarified to ensure that the regulation supports financial institutions' use of cloud services and to ensure that outsourcing companies are operated in a way that assures customers that funds and data are handled in a sound and secure manner.
To accommodate the above, the intention is to replace the current acceptance requirement for sub-outsourcing in Article 5, no. 10 of the Outsourcing Order with a notification requirement in line with the EBA Guidelines.
Outsourcing by financial institutions except for insurance companies
In line with the EBA Guidelines and the revised outsourcing definition in Article 5, no. 27 of the DFBA, the proposed bill suggests that Article 72a(1) of the DFBA is amended as follows:
"A credit institution; bank; mortgage-credit institution; investment company; and investment management company shall be entitled to outsource a process, service or activity, that would otherwise be undertaken by the institution, to a service provider."
Further, the Danish Minister for Industry, Business and Financial Affairs is granted the authority to issue further regulation with respect to:
• the institution's management; liability; risk; monitoring; control; and reporting;
• the institution's internal governance and procedures for outsourcing;
• the institution's handling of conflicts of interest related to outsourcing;
• minimum requirements for the outsourcing provider and sub-outsourcing providers including access and audit rights;
• requirements for the outsourcing contract;
• intra-group outsourcing; and
• the institution's obligation to notify the Danish FSA of the outsourcing.
We expect the above to be reflected in the revised Outsourcing Order in line with the EBA Guidelines.
Outsourcing by shared data centres
The outsourcing regulation in Article 72a of the DFBA also applies to shared data centres, cf. Article 343r of the DFBA. With the proposed bill the reference to outsourcing of "significant areas" in the current Article 343r(3) of the DFBA will be deleted.
Outsourcing by market operators
The proposed bill suggests that the outsourcing regulation for market operators in Article 62 of the Danish Capital Markets Act is aligned with the outsourcing regulation in Article 72a of the DFBA.
Outsourcing by insurance companies and certain pension schemes
In line with the revised outsourcing definition in Article 5, no. 27 of the DFBA, the proposed bill suggests a new Article 72b(1) of the DFBA with the following wording:
"Insurance companies shall be entitled to outsource a process, service or activity, that would otherwise be undertaken by the insurance company, to a service provider."
A notification requirement to the Danish FSA follows from Article 72b(2) of the DFBA. Further, the Danish Minister for Industry, Business and Financial Affairs is granted the authority to issue further regulation with respect to:
• the insurance company's liability and control of the outsourcing provider;
• the insurance company's internal governance and procedures for outsourcing; and
• minimum requirements for the outsourcing provider and sub-outsourcing providers including access and audit rights.
Currently, group 1 insurance companies and group 2 insurance companies are not subject to the same outsourcing regulation. With the aim of aligning the outsourcing regulation for insurance companies, it is suggested in the remarks to the proposed bill that an executive order is issued applicable to group 2 insurance companies reflecting the outsourcing regulation in Article 274 of the Commission Delegated Regulation (EU) 2015/35 (Solvency II) which is only applicable to group 1 insurance companies.
Regulation similar to that set out in Article 72b of the DFBA is suggested for ATP and LD Pension in a revised Article 23c of the ATP Act and a revised Article 4 in the LD Pension Act.
Outsourcing by e-money institutions and payment institutions
Outsourcing by e-money institutions and payment institutions is regulated by Article 39 of the Danish Payments Act. Article 39 of the Danish Payments Act currently only applies to outsourcing of "significant operational functions", which is proposed to be replaced by "a process, service or activity" in line with the EBA Guidelines.
The Outsourcing Order does not currently apply to e-money institutions and payment institutions. However, in line with the EBA Guidelines, the revised Outsourcing Order will, according to the remarks to the proposed bill, apply to e-money institutions and payment institutions. The EBA Guidelines explicitly state that the guidelines do not directly apply to account information service providers (AISPs). The revised Article 39 in the Danish Payments Act does not, however, distinguish between e-money institutions and payment institutions, on the one hand, and AISPs, on the other. Hopefully, it will be clarified in the final bill or the revised Outsourcing Order exactly what applies to AISPs.
The deadline for responding to the consultation is 16 December 2019. The proposed bill, if adopted, becomes effective as of 1 July 2020.