The Austrian parliament recently passed an amendment to the Austrian Banking Act (Bankwesengesetz – BWG), introducing a new statutory outsourcing regime for credit institutions applicable from 3 January 2018.
Credit institutions and other financial institutions have entered into outsourcing arrangements for many years and outsourcing has become increasingly important in this sector.
The reasons for outsourcing are diverse and include improving cost structures, leveraging synergies, freeing internal resources to focus on core functions, taking advantage of the capabilities of a service provider or accessing new/enhanced technologies, etc.
Despite the increased importance of outsourcing, there is still no harmonised outsourcing framework for credit institutions at a European Union level. Accordingly, in an attempt to increase legal certainty and predictability of supervisory actions, the Austrian legislator has now implemented a dedicated local law regime (also) for credit institutions.
New outsourcing regime
The new national outsourcing regime introduced by Section 25 of the Austrian Banking Act (BWG) sets out specific requirements that need to be complied with before and during the outsourcing of material operational banking functions. Conceptually, it follows the outsourcing rules and principles set forth in MIFID II/regulation (EU) 2017/565 and PSD II.
Operational banking functions qualify as material if a failure in their performance would significantly affect compliance with an institution's obligations under the BWG, its solvability, its liquidity or the soundness or continuity of any banking services offered to its clients. Because the outsourcing of non-material banking functions will not be subject to the statutory outsourcing requirements, credit institutions should take particular care when determining which functions are considered significant with regard to their specific business model. The assessment of whether or not an outsourced activity qualifies as a material operational banking function needs to be carried out consistently and should be documented accordingly.
As of 3 January 2018, all outsourcing arrangements will need to be based on written agreements determining the scope of services to be outsourced to an external service provider. As one of the key requirements, the outsourcing must not undermine the quality of the internal control mechanisms of a credit institution or the ability of the Austrian regulator (FMA) to monitor an institution's compliance with its legal obligations.
As opposed to other supervisory laws, such as the Austrian Payment Services Act, Section 25 of the BWG explicitly requires a particularly high level of care and due diligence when outsourcing functions to a third-country service provider. Specifically, the institution must continuously monitor the political, legal and economic developments in the third country to ensure that any adverse developments do not impair the FMA's supervisory powers.
Outsourcing to third-country providers is therefore likely to become more burdensome and care should be taken especially in the context of Brexit, when UK providers become third-country providers.
The Austrian legislator has introduced a list of specific requirements in an annex to Section 25 of the BWG, which contains 12 particular obligations that any outsourcing arrangement – including intra-group outsourcings – will need to meet.
These requirements include inter alia:
- Qualifications: Credit institutions need to ensure that the service provider has all relevant qualifications and authorisations and is reliable;
- Regular assessment: Credit institutions need to determine methods and criteria (eg performance indicators) according to which service providers are assessed on a regular basis;
- Monitoring: Credit institutions need to continuously monitor the performance of a service provider to react to any failures in due course. Thus, credit institutions still need to maintain appropriately skilled personal resources;
- Termination: Credit institutions need to be able to terminate their outsourcing agreements if required and without any adverse effects on continuity and quality of any banking services provided to their customers;
- Contingency planning: Credit institutions need to prepare a contingency plan and ensure continuous compliance therewith to maintain customer data safety in case of IT system failures (if relevant for the outsourced activity).
While credit institutions already apply some of these requirements today to comply with the EBA/CEBS outsourcing guidelines, it should be ensured that current documentation and processes are in line with the new statutory – and thus legally binding – regime as of 3 January 2018.
Going forward, credit institutions will be required to notify the FMA of any new proposed outsourcings that they are about to enter into. Notifications thus have to be made before any functions are outsourced. The FMA may request information in relation to outsourcing agreements and/or the respective service providers. While credit institutions are not required to (actively) notify the FMA about existing outsourcing arrangements, the FMA is permitted to request information about these at any time. It therefore remains to be seen whether the FMA will increasingly request such information.
To ensure compliance with the new outsourcing regime, institutions should review and, if necessary, revise their current processes and outsourcing arrangements to demonstrate that they have carefully assessed any risks associated with outsourcing and to comply with the new regulatory parameters. In particular, we recommend that credit institutions:
- determine which activities are currently outsourced;
- review any existing outsourcing agreements for compliance with the new rules and amend them as necessary;
- review existing and prospective service providers with regard to their abilities and reliability;
- establish/revise internal processes (due diligence, monitoring, etc) in order to comply with the legal requirements when outsourcing core operational functions;
- document their outsourcing processes in an outsourcing policy or revise their existing policies;
- establish (IT) contingency plans to the extent necessary; and
- notify the regulator of intended outsourcings.