In February this year the European Banking Authority (EBA) published its Final Report on its Guidelines on outsourcing for financial services organisations.
From 30 September onwards, all outsourcing arrangements that are either new, or existing but being amended, will need to comply with these Guidelines.
There will also be a 'transitional period' until 31 December 2021, by which time all existing outsourcing arrangements will need to have been reviewed and amended to make sure they meet the requirements. However, according to the Guidelines this transitional period does not apply to outsourcings to the cloud, so all cloud arrangements will need to comply from 30 September onwards.
The Guidelines apply to a broad range of financial services organisations including credit institutions, investment firms within the scope of the Capital Requirements Directive, payment institutions and e-money institutions (here, collectively referred to as ‘banks’) as well as ‘competent authorities’ that supervise these financial institutions (regulators).
The new Guidelines replace the Committee of European Banking Supervisors (CEBS) Guidelines on outsourcing of 2006 and integrate most of the EBA’s 2017 recommendations on cloud outsourcings and cover both cloud and non-cloud arrangements.
A key theme within the Guidelines is the distinction between outsourcing of ‘critical and important’ functions and other non-material outsourcing arrangements. The Guidelines also clarify that outsourcing to the cloud is not automatically outsourcing of a ‘critical or important’ function as previous drafts had suggested.
'Outsourcing' is defined as 'an arrangement of any form between an institution, a payment institution, or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself'.
What are “critical and important” functions?
As much of the Guidelines applies only to 'critical or important' functions, it will be crucial for banks to determine which functions fall into this category. Section 4 of the Guidelines contains detailed guidance on the factors and tests a bank should use to decide whether a particular function is critical or important. It describes certain functions that will always be considered 'critical or important', namely:
- functions where a defect or failure in their performance would materially impair any of the following:
  - a bank's continuing compliance with its conditions of authorisation or its obligations under Directive 2013/36/EU and Regulation (EU) No 575/2013;
  - a bank's financial performance; or
  - the soundness or continuity of its banking and payment services and activities;
- the outsourcing of operational tasks of internal control functions, unless an assessment shows that a failure to provide that function, or inappropriate performance of it, would have no adverse impact on the effectiveness of that internal control function; and
- outsourced functions of banking activities or payment services to an extent that would require authorisation by a competent authority.
When assessing the criticality or importance of a function, a bank must consider the outcome of its risk assessment (see Section 12.2 of the Guidelines) together with at least the following factors:
- whether the outsourcing is directly connected to banking activities or payment services; and
- the potential impact of any disruption to the outsourced function, or of a failure by the service provider to deliver the service at the agreed service levels, on various aspects of the bank's operations, including its financial resilience, business continuity and operational resilience, operational and legal risks, and reputational risk.
A bank will also need to look at the potential impact of the outsourcing arrangement on its ability to:
- identify, monitor and manage all risks;
- comply with all legal and regulatory requirements; and
- conduct appropriate audits regarding the outsourced function.
Additionally, a bank needs to consider the potential impact on the services it provides to its customers and on its outsourcing arrangements overall, including the extent to which it is exposed to the same service provider across several arrangements and the potential cumulative impact of multiple outsourcing arrangements in the same business area.
The Guidelines are divided into 5 main titles – below are some key points to note from each.
I. Proportionality and Group Application
Proportionality – the Guidelines require banks to apply the principle of proportionality when complying with them. This means considering the bank's individual risk profile in terms of the nature of the institution, the complexity of its activities and outsourced functions, and its business model. The bank will also need to consider the risks associated with the outsourced function, its criticality or importance, and the potential impact on the bank's activities. Banks will also need to take account of the criteria set out in Title I of the EBA Guidelines on internal governance.
Groups – the Guidelines apply to intra-group outsourcing arrangements, although banks will need to determine, applying the principle of proportionality, how strictly such arrangements should be treated. Where a group uses a centralised outsourcing arrangement, particularly for critical or important functions, the Guidelines also require adequate protection for the other banks in the group that rely on it.
II. Assessment of Outsourcing Arrangements – the assessment of what constitutes outsourcing and critical and important functions (see above).
III. Governance Framework – the Guidelines set out detailed guidance on what a bank's governance framework should look like, including:
- a comprehensive and holistic institution-wide risk-management framework to identify and manage risks, including those arising from arrangements with third parties;
- a written outsourcing policy, kept up to date, which should distinguish between critical or important outsourcings and other categories such as non-critical/important, intra-group and outsourcings to providers in third countries. The policy should help a bank decide the extent to which the Guidelines apply to a particular outsourcing arrangement;
- an outsourcing register of all outsourcing arrangements (external and intra-group), including those that have terminated or expired;
- audit rights as part of a bank's oversight and supervision of outsourced services – these must be set out in the contract for critical or important outsourcings; and
- business continuity plans, in place and tested regularly, for critical or important outsourcings.
IV. The Outsourcing Process
Pre-Contractual. There is guidance on the steps to be taken before the outsourcing takes place, namely a pre-outsourcing analysis, any necessary authorisations from or notifications to competent authorities, due diligence on the service provider, and a detailed risk assessment covering, among other things, the impact of any subcontracting, data protection issues and the locations from which the service will be provided.
Contractual Phase. The Guidelines set out minimum requirements for the contractual provisions of critical or important outsourcings (earlier drafts had suggested these would apply to every outsourcing), including the following:
- A clear description of the outsourced function;
- Start/end dates of the agreement and notice periods of the parties;
- Governing law;
- Parties’ financial obligations;
- Whether subcontracting of a critical/important function is permitted;
- Locations from where the critical/important function will be provided;
- Provisions regarding the accessibility, availability, integrity, privacy and safety of data;
- A bank's rights to monitor the supplier's ongoing performance;
- Agreed service levels including ‘precise quantitative and qualitative performance targets’ and appropriate corrective action if not met;
- Reporting obligations of the supplier;
- Mandatory insurance requirements;
- Business continuity requirements;
- Provisions ensuring data can be accessed where there is an insolvency;
- Obligations on suppliers to cooperate with regulators;
- Clear reference to BRRD requirements; and
- Unrestricted inspection and audit rights for banks and their regulators.
There are also further sections setting out contractual requirements for critical or important outsourcings on subcontracting, audit and access to information, termination rights, oversight of outsourced functions, and exit strategies.
V. Guidelines to Competent Authorities – the last title gives guidance to competent authorities on supervising outsourcing arrangements.
Further points to note
The Guidelines highlight what they describe as "concentration risk" arising from outsourcing, both in terms of a small pool of suppliers serving a particular sector and in terms of over-reliance by individual banks on a particular supplier. Competent authorities will need to monitor the outsourcing registers provided to them by banks to identify such risks and, where necessary, take action. This is a particular concern with cloud services. Banks will need to consult regulators at an early stage to identify any such risks where possible. This may prove challenging, however, as banks will not have first-hand information on which suppliers other banks are contracting with, and obtaining this information directly from suppliers may also prove difficult owing to confidentiality obligations.
Finally, against the Brexit backdrop, it is worth noting that the Guidelines say that where banking or payment services are outsourced to a third country, the competent authorities responsible for supervising the EU-based and non-EU-based organisations will need a cooperation agreement in place between them. So, if and when the UK becomes a third country, the FCA will need to have cooperation agreements in place with EU-based regulators.