The revised European Banking Authority ("EBA") Guidelines on outsourcing arrangements (the "Guidelines") have recently come into force. They change the rules for outsourcing by credit institutions and investment firms subject to the Capital Requirements Directive* as well as by payment and electronic money institutions ("Financial Institutions").
Financial Institutions should start taking the first steps towards complying with the Guidelines. These include reviewing existing outsourcing arrangements and aligning internal documentation with the new outsourcing rules.
Is it still outsourcing?
The good news is that the Guidelines exclude many types of contracts from the definition of "outsourcing". By reviewing their ongoing contracts, Financial Institutions might find some arrangements are no longer considered outsourcing. This could significantly lower the burden of compliance obligations (and incidental costs) linked to outsourced activities.
Among the exclusions are contracts concluded for market information services, contracts concluded under a global network infrastructure (Visa, Mastercard), or the acquisition of services which otherwise would not be undertaken by the Financial Institution (legal services, clerical services), etc.
New obligations: internal policy and documentation
On the other hand, the Guidelines have introduced new obligations for Financial Institutions. These refer to the need to adapt the internal policy and documentation related to outsourced activities. To meet these new obligations, Financial Institutions need to take several measures, including:
- amending their internal policy in such a way that it differentiates between:
- outsourcing of critical/important functions and classic outsourcing;
- outsourcing to service providers authorised by a competent authority and those that are not;
- intra-group outsourcing and outsourcing to entities outside the group;
- outsourcing to providers located in the EU and those located outside the EU, especially considering the imminent Brexit;
- introducing new provisions on identifying and managing conflicts of interests in intra-group outsourcing, especially as regards financial conditions, so that the outsourced service is set at arm's length;
- creating an electronic register of information on all outsourcing arrangements that would include detailed information regarding each outsourced activity, such as scheduled audits, risk assessment, substitutability assessment, etc.
The National Bank of Romania ("NBR") is expected to issue a draft regulation that would amend the current domestic outsourcing rules to comply with the Guidelines.
It remains to be seen if the NBR will import the Guidelines entirely or if it will opt for stricter requirements, as it has in the existing regulation. What is unquestionable is that the new rules will change the way in which Financial Institutions manage their outsourced activities.
Although the 31 December 2021 deadline for complying with the Guidelines might seem rather relaxed, an early start is still advisable, as we expect the changes will require time and effort to implement, depending on the degree to which the Financial Institution relies on outsourcing arrangements.
*Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms.