1 Legal background
On 25 February 2019, the European Banking Authority ("EBA") published its Final Report on the EBA Draft Guidelines on outsourcing arrangements ("EBA Outsourcing Guidelines"), which were under consultation during the second half of 2018.
The new EBA Outsourcing Guidelines will apply from 30 September 2019 to all outsourcing arrangements concluded, reviewed or amended on or after this date and will replace the old Outsourcing Guidelines issued by the EBA's predecessor, the Committee of European Banking Supervisors ("CEBS"), back in 2006.
The EBA Outsourcing Guidelines are intended to establish a more harmonised framework for all financial institutions supervised by the EBA. They also repeal the EBA's Recommendations on outsourcing to cloud service providers, published only in 2018, whose content is incorporated into the new EBA Outsourcing Guidelines.
2 In-scope institutions
The EBA Outsourcing Guidelines apply to competent authorities and directly to financial institutions, including credit institutions, payment institutions and electronic money institutions.
Investment firms pursuant to Directive 2014/65/EU ("MiFID2") are not in scope. However, according to the EBA, the updated guidelines are consistent with the current requirements under the Capital Requirements Directive IV, the Payment Services Directive 2, the Electronic Money Directive, the Bank Recovery and Resolution Directive and MiFID2. This harmonised approach should make it easier for banks to comply with the various underlying legal requirements (which for the most part are similar anyway).
Austria introduced national statutory outsourcing rules for credit institutions only at the beginning of 2018 (see Section 25 of the Austrian Banking Act (Bankwesengesetz) and Schoenherr's Legal Insight of 22 November 2017 on this topic). The EBA Outsourcing Guidelines are issued under Art. 16 of the EBA Regulation and thus qualify as "soft law".
Nevertheless, competent authorities and financial institutions shall make every effort to comply. Going forward, credit institutions will therefore also need to consider the requirements of the EBA Outsourcing Guidelines (and, depending on their scope of activities, also other statutory requirements, e.g. as set out in MiFID2 Delegated Regulation).
Institutions, particularly credit institutions, are obliged to review and amend existing outsourcing arrangements in compliance with the EBA Outsourcing Guidelines. Where the review of outsourcing arrangements (relating to critical or important functions) is not finalised by 31 December 2021, institutions and payment institutions would need to inform the Financial Market Authority about this fact, including an explanation of the measures planned to complete the review or the possible strategy for exiting/terminating the respective outsourcing agreements.
3 Key points of the EBA Outsourcing Guidelines
Outsourcing plays an increasingly important role in the financial services industry, allowing institutions to focus on their core business.
In the area of core banking services, the new guidelines now provide more specific and detailed guidance for institutions.
Key points addressed in the EBA Outsourcing Guidelines include the following:
- Clear definition of outsourcing;
- Introduction of criteria helping institutions to assess whether an outsourced activity, service, process or function (or part of it) is critical or important;
- Emphasis that institutions need to have sound internal governance agreements, in particular a clear organisational structure;
- Requirement for an up-to-date written outsourcing policy and maintenance of an updated outsourcing register (documentation requirements);
- Requirements around the outsourcing process, including the need for a pre-outsourcing analysis, a risk assessment of outsourcing arrangements and proper due diligence;
- Stricter requirements for outsourcings to third country providers;
- Clarification that sub-outsourcing requires ex ante notification to the financial institution where critical or important functions are outsourced;
- Compliance with appropriate IT security standards;
- Implementation of appropriate access, information and audit rights both for institutions and regulators.
4 Be prepared!
To ensure compliance with the new EBA Outsourcing Guidelines, institutions should review and, if necessary, revise their current processes and outsourcing arrangements to comply with the new regulatory parameters.