The European Banking Authority is consulting on draft Guidelines on Outsourcing Arrangements (the “draft Guidelines”), which will apply to all financial institutions that are within the scope of the EBA’s mandate, including banks, certain investment firms as well as payment and e-money institutions. Once adopted, the draft Guidelines will replace the existing Guidelines on outsourcing published by the Committee of European Banking Supervisors in 2006 (“the CEBS Guidelines”).
Overview of the Draft Guidelines
The draft Guidelines seek to establish a more harmonised framework for all financial institutions supervised by the EBA. They are divided into five titles, as follows:
- Title 1 - proportionality and group application;
- Title 2 - outsourcing arrangements;
- Title 3 - governance framework;
- Title 4 - outsourcing process; and
- Title 5 - guidelines on outsourcing addressed to competent authorities.
The draft Guidelines are considerably more prescriptive than the CEBS Guidelines, including regarding their scope; the outsourcing policy; the outsourcing contract; other documentation requirements; risk assessments; outsourcing of critical and important functions; outsourcing to third countries; intra-group outsourcing; and sub-outsourcing.
The draft Guidelines integrate the EBA’s recommendation on outsourcing to cloud service providers, published in December 2017. They are to be read in conjunction with the EBA’s guidelines on internal governance, on common procedures and methodologies for the supervisory review and evaluation process and on ICT risk assessment under the SREP.
The consultation on the draft Guidelines is open until 24 September 2018.
Scope
The CEBS Guidelines apply to outsourcing by credit institutions. In contrast, the draft Guidelines apply to outsourcing arrangements by credit institutions, investment firms falling within the scope of the CRD IV Directive 2013/36, payment institutions as defined in Article 4(4) of the revised Payment Services Directive 2015/2366 and e-money institutions within the meaning of Article 2(1) of the E-Money Directive 2009/110 (collectively, “Financial Institutions”). Credit institutions and CRD IV investment firms must comply with the draft Guidelines on a consolidated, sub-consolidated and solo basis.
According to the EBA, Financial Institutions also need to consider the risks associated with receiving services from third parties, even when these arrangements are not considered to be outsourcing arrangements.
The Outsourcing Policy
The draft Guidelines stipulate that the outsourcing policy should consider the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. It should cover at least:
- the responsibilities of the management body, business lines and internal control functions, and the principles, responsibilities and processes in respect of outsourcing arrangements;
- the planning of outsourcing arrangements;
- the implementation, monitoring and management of outsourcing arrangements;
- documentation and record-keeping; and
- the exit strategies and termination processes.
In addition, the outsourcing policy should distinguish between:
- the outsourcing of critical or important functions and other outsourcing arrangements;
- outsourcing to service providers which are authorised by a competent authority and those which are not;
- intra-group outsourcing arrangements; and
- outsourcing to service providers located within the EU/EEA and third country service providers.
The Outsourcing Contract
Like the CEBS Guidelines, the draft Guidelines require a written contract between the Financial Institution and the service provider. The draft Guidelines specify certain minimum requirements that must be included in all outsourcing contracts, as well as a number of additional requirements that apply when outsourcing critical or important functions. The additional requirements include provisions regarding: performance monitoring; agreed service levels; the service provider’s reporting obligations; the respective parties’ financial obligations; whether the service provider should take out mandatory insurance; requirements to implement and test business contingency plans; termination rights; and provisions on insolvency.
Other Documentation Requirements
According to the draft Guidelines, each Financial Institution should maintain a register of its outsourcing arrangements which documents and records all current outsourcing arrangements and which includes certain specified information regarding: existing outsourcing arrangements; service providers and, where applicable, sub-service providers; critical and important functions; and outsourcing to cloud service providers.
Risk Assessment
Financial Institutions must identify, manage, monitor and report all risks to which they are or might be exposed in relation to arrangements with third parties. The draft Guidelines set out a number of requirements as to how risk is to be assessed. These include: the risks associated with the Financial Institution’s relationship with the service provider; the risks caused by allowing sub-outsourcing; the concentration risks caused by multiple outsourcing to the same service provider; and/or the concentration risks posed by the outsourcing of a number of critical or important functions to a limited number of service providers.
Outsourcing of critical and important functions
The draft Guidelines require a Financial Institution to identify the outsourcing of critical or important functions and impose stricter requirements on such outsourcing as compared to other outsourcing arrangements. They also provide a harmonised set of criteria for assessing criticality or importance.
Intra-Group Outsourcing
The draft Guidelines apply in full to intra-group outsourcing arrangements. Financial Institutions should pay particular attention to conflicts of interest in the context of intra-group outsourcing arrangements. In particular, each Financial Institution should ensure that the selection of a group entity is based on objective reasons, that the conditions of the outsourcing arrangement are set at arm’s length and that any conflicts of interest the outsourcing arrangement may entail are explicitly dealt with.
Outsourcing to third countries
Outsourcing arrangements with third country service providers must be subject to additional safeguards that ensure that they do not unduly increase risks or impair the ability of competent authorities to effectively supervise Financial Institutions.
Among other things, the draft Guidelines specify certain conditions that must be met before a Financial Institution outsources banking activities or payment services that require authorisation or registration by a competent authority in the Member State where the Financial Institution is authorised.
In addition, when outsourcing to third country service providers, a Financial Institution should be satisfied that the service provider acts in a socially responsible manner and adheres to international standards on human rights, environmental protection and appropriate working conditions, including the prohibition of child labour.
According to the EBA, competent authorities must grant authorisation in full compliance with EU Law and should set a strict framework in line with the draft Guidelines for outsourcing from Financial Institutions to third country entities and ensure consistent and effective supervision.
Sub-Outsourcing
Financial Institutions should only agree to sub-outsourcing if the service provider undertakes to:
- comply with all applicable laws, regulatory requirements and contractual obligations; and
- grant the Financial Institution the same contractual rights of access and audit as those granted by the service provider.
In addition, the Financial Institution should ensure that the service provider appropriately oversees the sub-service providers in line with the policy defined by the Financial Institution.
The outsourcing agreement should specify whether or not the service provider can sub-contract the provision of a critical or important function. Where such sub-contracting is permitted, the draft Guidelines set out a number of provisions which must be included in the outsourcing agreement.
As well as having a broader scope of application, the draft Guidelines are considerably more prescriptive than the CEBS Guidelines, meaning that in-scope Financial Institutions will need to review and update their outsourcing arrangements once the draft Guidelines are adopted.
According to the draft Guidelines, they will apply to outsourcing arrangements entered into on or after 30 June 2019 (this is an indicative date). They will also apply to outsourcing agreements entered into before 30 June 2019 from the point at which they are reviewed or renewed. A Financial Institution should use the next scheduled review or renewal date following 30 June 2019 to revise and, if necessary, amend outsourcing agreements entered into before that date to ensure that they comply with the draft Guidelines. With the exception of outsourcing arrangements with cloud service providers, Financial Institutions should complete the documentation of all existing outsourcing arrangements following the first renewal date of the relevant arrangement, but no later than 31 December 2020. A Financial Institution should have documented any outsourcing to cloud service providers by 1 July 2018, in line with the EBA’s recommendation on outsourcing to cloud service providers.