The European Banking Authority (EBA) published its Final Report on the Draft Guidelines on outsourcing arrangements in February 2019 (the Guidelines). The Guidelines replace the 2006 Committee of European Banking Supervisors (CEBS) guidelines on outsourcing and integrate the EBA's existing recommendations on outsourcing to cloud service providers.
The new "outsourcing checklist"?
The Guidelines aim to create a more harmonised framework for all financial institutions subject to the EBA.
The Guidelines confirm that financial institutions need to take a holistic approach to their outsourcing arrangements as part of their institution-wide risk management framework which should extend across all business lines and internal units and be integrated throughout the outsourcing life-cycle.
The Guidelines are not a wholly consolidated “checklist” for regulated outsourcing; outsourcing is but one element of the high-level principle that financial institutions are required to have robust internal governance arrangements.
This principle is reinforced throughout the layers of EU legislation, implementing domestic legislation and European Supervisory Authorities’ guidance.
The requirements for outsourcing should be seen as one aspect of the increasingly complex web of interlinked regulatory requirements.
Having said that, in our view, it is the most helpful consolidated statement in relation to outsourcing for some time.
Scope and timeframe
The Guidelines apply to credit institutions and investment firms that are subject to the Capital Requirements Directive, as well as to payment institutions and electronic money institutions (together, financial institutions).
They enter into force on 30 September 2019 and apply to all outsourcing arrangements entered into, reviewed or amended on or after that date.
Financial institutions must align all existing outsourcing arrangements to the Guidelines following the first renewal date of each existing outsourcing arrangement and, in any case, by no later than 31 December 2021.
The Guidelines also incorporate the EBA's recommendations on outsourcing to cloud service providers which applied from 1 July 2018.
While the EBA has not made changes to the cloud guidance as part of its incorporation into the Guidelines, it has introduced additional requirements that apply to all outsourcing arrangements.
Therefore, existing outsourcing arrangements to cloud service providers will need to be reviewed and, if needed, the agreements updated prior to 31 December 2021 in light of this broader guidance.
Type of outsourcings affected
The Guidelines apply to all outsourcings of financial institutions, including intra-group arrangements.
Outsourcings of "critical or important functions" are subject to a stricter regime than other outsourcings.
The Guidelines adopt and elaborate on the definitions "outsourcing" and "critical or important" from the MiFID II framework.
In our view, much of the discussion in the Guidelines reflects the factors that financial institutions already applied to considering whether an arrangement is an outsourcing, for example whether the function would normally be performed by the financial institution itself and whether the functions relate to core business lines.
However, the EBA has sought to provide further guidance on the definition of outsourcing by listing activities that should not generally be considered as such, including global financial messaging infrastructures and the provision of market information services (e.g. data feeds from Bloomberg or Moody's).
While financial institutions already have processes in place to assess whether something is a critical or important function, the Guidelines also provide helpful clarity as to the types of additional factors that should be included in the assessment, for example:
- whether the arrangement is directly connected to the provision of banking activities or payment services;
- the potential impact of any disruption to the outsourced function, or of a failure to provide the service at the agreed service levels on a continuous basis;
- the potential impact on clients;
- the size and complexity of any business area affected; and
- the ability to reintegrate the outsourced function into the financial institution if necessary or desirable.
Holistic approach required
The Guidelines require a holistic approach from financial institutions to all of their outsourcing arrangements, which is intended to embed the principles of sound governance and robust risk management at all stages of the outsourcing process, from the procurement process to the contract itself and through to the ongoing management of the outsourcing.
Financial institutions must approve, implement, regularly review and update a written outsourcing policy.
The outsourcing policy must address the matters listed in the Guidelines (including the responsibilities of the management body, exit strategies and termination).
While having and complying with an outsourcing policy is already a requirement for credit institutions and investment firms today under EBA guidelines on internal governance, and a matter of best practice for most other organisations, the Guidelines add additional detail to this requirement.
Before entering into an outsourcing arrangement, financial institutions should ensure in their selection and assessment process that the service provider is suitable.
Again, this is not a new requirement, as it already forms part of the EU-level legislation applicable to financial institutions.
In our experience, financial institutions typically ensure that service providers have the reputation, appropriate and sufficient abilities, expertise, capacity, resources and (if applicable) required regulatory authorisation.
Interestingly, the Guidelines also include a list of non-exhaustive additional factors that should be considered when financial institutions conduct due diligence on a service provider, including in relation to the service provider's business model, nature, scale, complexity, group structure, their long-term relationships with other service providers, and whether the service provider is a parent undertaking or subsidiary, is part of the accounting scope of consolidation or is a member of or is owned by institutions that are members of the same institutional protection scheme.
A financial institution must also take steps to ensure the service provider's values and code of conduct are consistent with its own.
A specific concern raised by the EBA is around concentration risk.
The EBA wants to ensure that financial institutions have considered the concentration risk that might arise from multiple outsourcings to the same service provider or the outsourcing of critical or important functions to a limited number of service providers, particularly for cloud services, where a small group of suppliers dominate the market.
To this end, the Guidelines require financial institutions to consider the risk of multiple outsourcings to the same service provider (or closely connected service providers) across a financial institution or group, or any outsourcing to a dominant supplier who cannot be easily substituted.
MiFID II, PSD2 and the E-money Directive already specify terms that must be contained in a written outsourcing agreement.
The Guidelines also specify requirements that must be included in: (a) all outsourcings; and (b) critical or important outsourcings, which add some more colour to the existing requirements.
For critical or important functions, the written agreement must include a specific list of criteria (including locations from where the function is performed, the parties' financial obligations, the right to monitor, business continuity obligations, termination rights, exit assistance, audit rights etc.).
Of particular note is the level of detail that the Guidelines specify must be included in the written agreement in relation to sub-outsourcing of critical or important functions.
Sub-outsourcing has long been a key point of negotiation between customers and service providers, and the Guidelines helpfully clarify the conditions that the written agreement must set out if a financial institution permits sub-outsourcing of a critical or important function. In particular, the written agreement should specify:
- the types of activities that are excluded from sub-outsourcing;
- the conditions with which any sub-outsourcing must comply;
- the oversight that the service provider must exercise over the sub-contracted services;
- a requirement to obtain the financial institution's specific or general written authorisation before sub-outsourcing data (which aligns with the GDPR requirements for sub-processing);
- a requirement that the financial institution must be able to object to the sub-outsourcing; and
- the right to terminate the arrangement in the case of undue sub-outsourcing (a term which is not defined, but the example given is where the sub-outsourcing materially increases the risks for the financial institution).
The Guidelines also specify that a financial institution should only agree to a sub-outsourcing if the sub-contractor grants the same contractual audit and access rights as the service provider.
We expect that customers will continue to push for a requirement in the written agreement that all sub-outsourcing of critical or important functions is subject to the prior written consent of the financial institution.
We would typically expect financial institutions to already have considered most of these types of provisions in their outsourcing agreements for critical or important functions. However, there are still likely to be some gaps or differences in approach as a result of the additional detail in the Guidelines.
Financial institutions must monitor, on an ongoing basis, the performance of service providers with regard to all outsourcing arrangements on a risk-based approach (with the main focus being on critical or important functions).
Financial institutions should also regularly reassess whether an outsourced function is critical or important. This requirement ties into the overarching risk management and governance framework that financial institutions need to put in place and implement.
Each outsourcing will need to be monitored on a case-by-case basis and requirements that are included in the written agreement can help a financial institution to do this (e.g. monitoring of service performance against service levels and service credits).
The outsourcing register
Most interesting, in our view, is the new requirement that all financial institutions must now have and maintain a register of information on all of their outsourcing arrangements.
For financial institutions subject to the Capital Requirements Directive, this requirement further extends to sub-consolidated and consolidated levels.
Such financial institutions must already keep a register of information on cloud outsourcings under the EBA's existing recommendations, but this requirement will be extended to all outsourcing arrangements and to all entities subject to the Guidelines.
The register should document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcings.
The register must include a set of minimum information listed in the Guidelines, including a reference number for each outsourcing, a brief description of the outsourcing, the locations from where the functions are performed, and the start, renewal and end date and/or notice periods.
Additional information must be captured for critical or important outsourcings, including a brief summary of the most recent risk assessment, the individual or decision-making body that approved the outsourcing, certain information on sub-contractors to which material parts of the functions are sub-outsourced, and a view on how easily the service provider can be substituted (with the identification of alternative service providers).
The full register – or specified sections – must be made available to a regulator on request, which is a step back from the EBA's previous requirement that the register be provided at least every three years.
Other than in respect of cloud outsourcings, the register is a new requirement on financial institutions and may require a significant amount of work to compile and keep it up to date.
Did the EBA listen to the consultation?
The EBA consulted on the Guidelines in 2018 and it has, in part, listened.
Respondents said that the Guidelines were too far reaching and burdensome, as they extended to arrangements that were not critical or important.
The list of contractual requirements that previously applied to all outsourcing agreements now applies only to critical or important outsourcings, and the full access and audit requirements have now been limited to focus primarily on critical or important outsourcings but, in most respects, the Guidelines still apply to all outsourcings.
Some respondents had concerns that the draft Guidelines treated every cloud solution as critical or important.
The EBA has addressed this in the Guidelines, commenting that cloud outsourcing should follow the same approach as other arrangements but "taking into account cloud specificities".
The EBA also highlighted in its feedback to respondents that the Guidelines do not say that all cloud services are outsourcing arrangements.
Many respondents asked for the date of application and transitional arrangements to be postponed.
Many respondents also asked for existing contracts to be exempted from the scope.
The EBA listened in some respects by changing the date of application and prolonging the period for transitional arrangements.
However, the EBA expects existing arrangements to be reviewed and amended to ensure compliance by the end of 2021 at the latest.
Where this has not been done for the outsourcing of critical or important functions, financial institutions should notify regulators of the fact, including the measures planned to complete the review or the possible exit strategy.
What should financial institutions do now?
- Prepare a register: Even if financial institutions already have some kind of register in place, it is unlikely to contain all of the fields required by the Guidelines. Whether an existing register will need to be updated or a new register will need to be created, it is likely to require a significant amount of work in order to meet the effective date of the Guidelines.
- Updates to policies and processes: Financial institutions will need to review existing outsourcing policies to check they comply with the Guidelines and make updates as necessary. Sourcing and procurement processes need to be implemented, or updated, that comply with the holistic approach required by the Guidelines and that then feed into the contractual requirements in the Guidelines. This can be a particularly complex challenge where financial institutions are large groups with consolidated and sub-consolidated outsourcing arrangements both intra-group and externally, including where outsourcings are on a multi-jurisdictional basis.
- Check existing agreements: Financial institutions should begin a programme of review of all existing outsourcing arrangements to check they comply with the Guidelines by 31 December 2021. Where necessary, financial institutions will need to either update existing outsourcing agreements (which may require negotiation with the service provider), or consider the existing termination rights and prepare an exit strategy. As part of its exit strategy, the Guidelines require a financial institution to have exit plans that are not only documented and comprehensive, but also sufficiently tested where appropriate.
- Ongoing management: Financial institutions must maintain effective oversight of all outsourcing arrangements. This is often helped by tools included in the outsourcing agreement (e.g. service levels to measure service performance, service credits, regular audit rights, rights to request information etc.) and it will therefore be important to review existing agreements, and negotiate any new agreements, in this context.
Is this the future for insurers?
Insurance regulation often follows that applicable to banks; for example, Solvency II adopted the same rules on outsourcing as MiFID before it. It seems unlikely that regulators will want to take different approaches to outsourcing arrangements as between insurers and banks.
Against this backdrop, we think that insurers should take note of the Guidelines.
The approach to outsourcings taken by the EBA may soon end up being followed by the European Insurance and Occupational Pensions Authority in relation to insurers. Watch this space to see if our prediction holds true - time will tell…
For more news and analysis that is tailored to you, as well as access to Hogan Lovells' cutting-edge interactive Lawtech tools, register for free on Engage.