The European Banking Authority has published its Final Report on EBA Draft Guidelines on outsourcing arrangements (the Guidelines).
What is its scope?
The Guidelines are relevant to UK banks, building societies, designated investment firms and IFPRU investment firms. (For brevity, we simply refer to banks below.) Other FCA-controlled entities, such as UK insurers, should continue to comply with the FCA's F16/5 Guidance for Cloud.
They set out the governance framework for bank outsourcings, including cloud outsourcings, in one document.
When does it come into force?
The Guidelines enter into force on 30 September this year and will apply to bank outsourcings "entered into, reviewed or amended" after 30 September.
Under the transitional period, with the exception of outsourcing to cloud providers (for which the EBA recommendation already applies), banks are also expected to review and amend their existing outsourcing arrangements to ensure compliance at first renewal or, at the latest, by 31 December 2021.
An exception is Guideline 63(b), which applies to the outsourcing of banking or payment services to a service provider located in a third country. This scenario will require a cooperation agreement between the bank's regulator and the regulator which supervises the service provider, a requirement which comes into force from 31 December 2021.
What does it replace?
Both the Committee of European Banking Supervisors (CEBS) 2006 Guidelines on outsourcing and the EBA's recommendations on outsourcing to cloud service providers will be repealed on 30 September. (In practice the existing EBA cloud recommendations have been largely incorporated within the Guidelines, albeit with more emphasis on the distinction between the outsourcing of critical and important functions and other outsourcings.)
The Guidelines set out a new governance framework for bank outsourcings, including cloud outsourcings.
Arrangements are divided into two categories, the regime for outsourcing critical or important functions being stricter than the regime for other outsourcings. Additional safeguards apply where the service provider sub-contracts part of the services and/or where the service provider is in a third country.
Contractual rights required in agreements for the outsourcing of critical or important functions are set out, but compliance requires more than contract terms. Banks are expected to have a comprehensive Outsourcing Policy which is regularly reviewed and updated, and robust monitoring and governance in practice.
All outsourcings must be documented in a register, accessible by regulators, with more information required for the outsourcing of critical or important functions. Banks are required to liaise with the regulator over the latter.
Structure and key features
The Guidelines are organised into five sections, or Titles, with the following key themes:
(1) Proportionality: group application and institutional protection schemes
- Proportionality - explains that the principle of proportionality means that the Guidelines are to be applied in an appropriate manner taking into account the bank's size and internal organisation and the nature, scope and complexity of its activities. Banks should also take into account existing EBA Guidelines on internal governance.
- Groups - explains management responsibility and the application of the Guidelines in the context of groups and institutional protection schemes. For certain centralised arrangements, particularly where the outsourcing is of critical or important functions, the Guidelines require transparency so that all banks within the framework receive key information about performance, audit, proposed changes, exit plans, register entries and so on.
(2) Assessment of outsourcing arrangements
- Key definitions - explains which arrangements are considered to be "outsourcing" for the purposes of the Guidelines and the test to decide whether the relevant functions are "critical or important".
(3) Governance framework
- Risk management framework - explains that banks should have a holistic risk management framework across all business lines to identify and manage risks, including those arising from arrangements with third parties. Banks cannot outsource responsibility for regulatory compliance; in particular a bank cannot outsource oversight of critical or important functions, it must retain the skills and resources to do so in-house and must exercise this oversight. A bank should establish an outsourcing function, or designate a senior staff member, accountable to the management body and responsible for managing and overseeing outsourcing risks and documentation. This part of the Guidelines requires banks to ensure that key, top-level aspects of outsourcing are addressed (such as risk management, confidentiality arrangements, compliance with GDPR and so on). For critical and important functions banks should also be able to transfer the function to another service provider, bring it back in-house or discontinue those of its business activities which rely on the function, all within an appropriate time frame.
- Outsourcing policy - the bank should maintain an Outsourcing Policy to cover the main phases of the outsourcing. The Guidelines outline in some detail what the policy should cover as a minimum (eg responsibilities and decision making, business requirements, risk management, due diligence, business continuity, implementation and management, exit and so on). The policy should differentiate between different categories of outsourcing (critical and important or not / authorised and non-authorised providers / intra-group / providers within the EU and providers in third countries).
- Conflicts - includes guidelines regarding identifying and managing conflicts of interests.
- Business continuity - for outsourced critical or important functions business continuity plans should be in place and tested regularly (groups may rely on one plan). These plans should anticipate unacceptable performance, service provider insolvency and, where relevant, political risk in the provider's jurisdiction.
- Audit - internal audit requirements are set out in this part of the Guidelines.
- Register - banks should maintain a register of information on all outsourcing agreements. The minimum level of information is set out in the Guidelines, with more detail required for the outsourcing of critical or important functions. This information should be available to the regulator along with supporting documentation, which could include a copy of the outsourcing agreement, and retained after the outsourcing comes to an end. Regulators should be informed of the planned outsourcing of critical or important functions and of material changes or events. Monitoring information, risk assessments and so on should be documented.
(4) The outsourcing process
- Pre-outsourcing analysis - covers the aspects of the proposed outsourcing to be assessed by the bank, explains supervisory conditions, explains what should be covered by the risk assessment (including sub-contracting, data protection and location aspects), and sets out minimum requirements for due diligence.
- The outsourcing agreement - section 13, headed Contractual phase, sets out the key aspects which an outsourcing agreement for a critical or important function should cover. As a minimum the following needs to be covered:
- A clear description of the outsourced function to be provided
- The start and end date and relevant notice periods
- The governing law
- The parties' financial obligations
- Whether the outsourcing is of a critical or important function
- The locations from which the critical or important function will be provided or relevant data will be kept and processed
- Provisions regarding availability, integrity, privacy and safety of the data (in line with further requirements within the Guidelines)
- The right of the bank to monitor service provider's performance
- The agreed service levels, including "precise quantitative and qualitative performance targets"
- The reporting obligations
- Mandatory insurance requirements
- Requirements regarding business contingency plans
- Provisions to ensure that the data can be accessed in the case of insolvency, resolution or discontinuation of the business of the service provider
- An obligation on the service provider to co-operate with relevant regulators
- A clear reference to relevant BRRD requirements
- The "unrestricted right" of banks and their regulators to inspect and audit the service provider, as specified in other obligations in the Guidelines, and
- Termination rights.
- A separate section with additional terms covers the sub-contracting of critical or important functions. In addition:
- Service providers are expected to oversee their sub-contractors. Where sub-contracting could have a material adverse effect on a bank's critical or important function (which expressly includes the scenario where the sub-contractor refuses to grant necessary audit rights and/or to comply with all laws and contractual obligations), the bank is expected to exercise its right to object to the sub-contracting and/or terminate the contract.
- Data security requirements must be specified and monitored, with a risk-based approach to be taken to outsourcings which involve cloud providers and/or personal or confidential information. Banks should take into account differences in national provisions regarding the protection of data, as well as GDPR.
- Termination trigger scenarios to be included in contracts are set out, as are service provider obligations on exit.
- Access, information and audit rights - where the outsourcing is of a critical or important function, the bank must ensure the agreement grants the bank and its regulators (or any person appointed by regulators):
- "full access to all relevant business premises" including the "full range of devices, systems, networks, information and data used, including related financial information and personnel and access to external auditors", and
- "unrestricted rights of inspection and auditing"
- Pooled audits and third party certifications can be used, albeit these are expressly "without prejudice" to the bank's "final responsibility regarding outsourcing arrangements". In any event the agreement must not limit or impede the effective exercise of access and audit rights.
- Oversight - sets out ongoing expectations upon banks to monitor outsourcings using a risk-based approach. Activities include keeping risk assessments up to date, managing concentration risk, ensuring that reports and key performance indicator information are received, and reviewing (and testing) business continuity plans. Shortcomings should be addressed and, ultimately, could result in contract termination with immediate effect.
- Exit - an Exit Strategy should support the outsourcing covering various aspects of the end of the arrangement, as set out in the Guidelines. The strategy should provide for contract termination, provider failure, poor / failed outsourced function and material risks.
(5) Guidelines addressed to competent authorities
- The final section of the Guidelines is addressed to regulators. For example, the additional information which the regulator can require (beyond the information in the register) is set out. Regulators should be able to identify sector overreliance on a particular service provider from the information and documentation provided by the banks, which will help them to identify and manage risks to the stability of the financial sector.
Draft guidelines and consultation comments
Publication of the Guidelines follows the EBA's draft version, which was published last year and subject to public consultation. The EBA received 59 responses and met with various interested European associations, such as the European Banking Federation, to hear their views.
Following feedback, the Guidelines were reviewed to better differentiate between the stricter regime for the outsourcing of critical and important functions and the lighter touch for non-material outsourcings. Their application to group arrangements was clarified, and changes were made to ensure harmonisation with related legislation as well as consistency with the outgoing EBA recommendations on outsourcing to cloud service providers.
Unsurprisingly, audit rights were a hot topic. Many respondents argued for a lighter regime, particularly in the context of standardised services provided to many customers on standard terms. However, the EBA resisted encouragement to make radical changes, stressing the importance of audit rights for oversight and supervision and emphasising that simplifications, such as the ability to pool audit information, were already included. Interestingly, the EBA also declined a request for standard form audit clauses which, it was argued, could help banks when negotiating audit rights.
The Guidelines are consistent with the Payment Services Directive (PSD2), which regulates outsourcing by payment institutions, the Markets in Financial Instruments Directive (MiFID II), which regulates outsourcing by firms performing investment services, the Electronic Money Directive and the Bank Recovery and Resolution Directive. They also take into account principles such as the corporate governance principles for banks.