New rules governing the outsourcing arrangements in the EU financial sector
1 March 2019
The revised Guidelines on outsourcing arrangements (Guidelines) published on 25 February by the European Banking Authority (EBA) will apply from 30 September 2019 to all outsourcing arrangements entered into, reviewed or amended on or after that date. With effect from the same date, the CEBS guidelines on outsourcing (CEBS Guidelines) and the EBA recommendations on outsourcing to cloud service providers will be repealed (the latter being integrated into the new Guidelines).
By way of exception, the new rules on the cooperation between the competent authorities responsible for the supervision of the financial institutions and the competent authorities responsible for the supervision of a third-country service provider (where the performance of the outsourced functions requires an authorisation or registration) will apply from 31 December 2021.
We summarise below a few key aspects of the Guidelines.
The Guidelines aim to establish a more harmonised outsourcing framework for the financial institutions falling within their scope of application, namely:
o credit institutions and investment firms subject to the Capital Requirements Directive (CRD);
o payment institutions; and
o electronic money institutions.
The outsourcing process – main steps
o Before entering into any outsourcing arrangement, the financial institutions should:
i) assess if the outsourcing arrangement concerns a critical or important function (previously referred to in the CEBS Guidelines as “material activity”);
ii) assess if the supervisory conditions for outsourcing are met (i.e., where the outsourced function requires an authorisation or registration, specific requirements apply depending on where the service provider is located);
iii) identify and assess all relevant risks associated with the outsourcing arrangement (see Section 12.2 of the Guidelines for the factors to be considered);
iv) undertake appropriate due diligence on the prospective service provider (see Section 12.3 of the Guidelines for the factors to be considered);
v) identify and assess conflicts of interest that the outsourcing may cause.
Third party arrangements: when is it outsourcing?
o When assessing if an arrangement with a third party falls under the definition of outsourcing, the financial institutions should assess whether:
i) the outsourced function (or part thereof) is performed on a recurrent or an ongoing basis by the service provider; and
ii) the function (or part thereof) normally falls within the scope of functions that would or could realistically be performed by the financial institution (even if the financial institution has not performed this function itself in the past).
o For example, the following services do not constitute outsourcing:
i) the acquisition of services that would otherwise not be undertaken by the financial institution (e.g., legal opinions and representation before courts and administrative bodies, maintenance of the financial institution’s premises, servicing of company cars, catering, travel services), goods (e.g., plastic cards, card readers, office supplies, personal computers, furniture) or utilities;
ii) statutory audit;
iii) marketing information services (e.g., provision of data by Bloomberg);
iv) global network infrastructures (e.g., Visa, MasterCard).
o When assessing whether an outsourcing relates to a function that is critical or important (previously referred to as “material activities” in the CEBS Guidelines), the financial institutions should consider additional factors, such as:
i) whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which they are authorized;
ii) the potential impact of any disruption to the outsourced function on the operational risk, legal risk, reputational risk, recovery and resolution planning;
iii) the potential impact of the outsourcing arrangement on their ability to identify, monitor and manage all risks, comply with all legal and regulatory requirements and conduct appropriate audits regarding the outsourced functions;
iv) the potential impact on the services provided to their clients;
v) the protection of data and the potential impact of a confidentiality breach;
vi) the size and complexity of any business area affected;
vii) the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying arrangement;
viii) the ability to reintegrate the outsourced function into the financial institution, if necessary or desirable.
o The functions necessary to perform activities of core business lines or critical functions (within the meaning of Directive 2014/59/EU) should be considered critical or important functions for the purposes of the Guidelines, unless a failure to provide the outsourced function, or its inappropriate provision, would not have an adverse impact on the operational continuity of the core business line or critical function.
The outsourcing contract
o Unlike the previous CEBS Guidelines, the new Guidelines do not provide a minimum mandatory set of provisions to be included in the outsourcing arrangements for non-critical functions.
o However, the outsourcing arrangements must contain specific provisions governing:
i) sub-outsourcing of critical or important functions;
ii) security of data systems;
iii) access, information and audit rights;
iv) termination rights of the financial institution under the outsourcing arrangement;
v) oversight of the outsourced functions by the financial institutions;
vi) exit strategies.
o The Guidelines clarify the responsibilities of the management body of each financial institution, including overseeing all risks and managing the outsourcing arrangements. Amongst others, the financial institutions should:
i) document all current outsourcing arrangements (distinguishing between the outsourcing of critical functions and other arrangements) and maintain an updated register of information on all outsourcing arrangements;
ii) maintain at all times sufficient substance and ensure that outsourcing does not lead to a situation in which a financial institution becomes an “empty shell” or “letter-box entity”;
iii) align their outsourcing policy with the EBA Guidelines on internal governance;
iv) identify, assess and manage conflicts of interests with regard to their outsourcing arrangements (i.e. when outsourcing creates material conflicts of interests, appropriate management measures have to be taken).
Outsourcing arrangements within the same group or institutional protection scheme
o The Guidelines apply on an individual, sub-consolidated and consolidated basis, taking into account the prudential scope of consolidation as referred to in the Capital Requirements Regulation (“CRR”).
o Specific rules apply where the Guidelines are applied on a consolidated basis (at the level of the group) or where the service providers are part of the same group as the financial institutions (e.g., individual or centralised monitoring of the service providers at the level of the group).
o The financial institutions should ensure that their existing outsourcing arrangements comply with the Guidelines.
o Financial institutions should complete the documentation of all existing outsourcing arrangements (except for outsourcing arrangements with cloud service providers) in line with the Guidelines following the first renewal date of each existing outsourcing arrangement, but no later than 31 December 2021.
For outsourcing arrangements of critical or important functions, where such a review is not completed by 31 December 2021, the financial institutions have to inform their competent authority accordingly, detailing the measures planned to complete the review or the available exit strategies.