Following our recent e-update concerning outsourcing to the cloud, this week we take a look at the European Banking Authority’s ‘Consultation Paper – EBA Draft Guidelines on Outsourcing arrangements’ (the Guidelines).  The consultation period is open until 24 September 2018 and the draft Guidelines can be found here.

The Consultation

The EBA notes the trend within the financial services industry, like many others, towards engaging third-party outsourcers to reduce costs and improve flexibility and efficiency.  In recent years this trend has accelerated further through the emergence of financial technology or ‘FinTech’.  Owing to the significant technological changes that have taken place within the financial services industry, the relationship between institutions and outsourcers is increasingly important and requires heightened regulatory attention.  At the same time the EBA wishes to establish a “more harmonised framework” for the outsourcing arrangements of financial institutions.  The broadened scope of the Guidelines addressees reflects these changes.

Who will the Guidelines apply to?

The Guidelines will apply to a broad range of financial institutions.  The Committee of European Banking Supervisors (CEBS) Guidelines on Outsourcing of 14 December 2006 applied only to credit institutions.  In contrast, the new Guidelines will apply not just to credit institutions but also to investment firms subject to the CRD Directive 2013/36/EU, payment institutions (as defined in Article 4(4) of Directive (EU) 2015/2366) and electronic money institutions (as defined in Article 2(1) of Directive 2009/110/EC).  References in this e-update to ‘institutions’ refer to the above institutions.

When will the Guidelines apply?

The Guidelines are intended to apply from 30 June 2019 (although the exact date has to be confirmed) at which point both the CEBS Guidelines on Outsourcing and the EBA’s Recommendations on cloud outsourcing will no longer apply.  Institutions are expected to ensure that their existing outsourcing arrangements comply with the Guidelines no later than 31 December 2020. 

The Guidelines

Section 4 of the draft Guidelines, which is split into five titles, contains thirteen specific guidelines on outsourcing.  As well as helpfully reminding institutions what should be included in contracts for outsourcing arrangements, key issues addressed within the Guidelines include the following:

1. Governance framework: the management team of an institution remains fully responsible and accountable for compliance with regulatory requirements notwithstanding a decision to outsource certain activities. This is especially true of critical or important functions which have been outsourced. Institutions should establish an outsourcing function or designate a senior staff member who is directly accountable to the management body or, at the very minimum, ensure that there is a clear allocation of responsibility for monitoring outsourcing arrangements.  

2. Outsourcing policy: management teams should adopt and maintain a written outsourcing policy, highlighting the importance of proper internal governance whilst providing a blueprint for the effective implementation of outsourcing arrangements. The Guidelines set out certain minimum requirements which should be included in the policy.   

3. Internal audit function: information and audit rights are a key part of any outsourcing, especially for the outsourcing of critical and important functions and the internal audit function should be able to effectively enforce such rights.  Audit recommendations and findings should be subject to a formal follow-up procedure and their resolution documented in a timely manner. 

4. Documentation requirements: the Guidelines emphasise the importance of maintaining a register of outsourcing arrangements and the register must contain certain minimum information.

5. Due Diligence: considerations to take account of when selecting an outsourcing provider include:

  • does the service provider have appropriate and sufficient ability, capacity, resources, organisational structure and (if relevant) authorisations to perform critical or important functions on behalf of an institution?
  • can the service provider perform these functions in a reliable and professional manner?
  • what is the service provider’s business model, scale, complexity and financial situation?
  • are there appropriate technical and organisational measures in place concerning storage and processing of personal/confidential information?
  • if the outsourcing arrangement involves the processing of personal data, is the outsourcer GDPR compliant?

Notably, the Guidelines also identify adherence to international standards on human rights, environmental protection and appropriate working conditions as factors to consider in the due diligence assessment of outsourcing partners.

6. Risk assessment: institutions are expected to identify, manage, monitor and report all risks to which they may be exposed, including risks associated with concentration and sub-contracting by the service provider.

7. Security of data and systems: an important factor which will influence selection of an outsourcing partner. Practical tip – ensure that data and system security requirements are defined within the written outsourcing agreement.

8. Access, information and audit rights: the EBA has provided further detail on the rights of access and the scope of audit activities that should form part of outsourcing agreements, including access to business premises and devices, systems, networks, information and data used for the outsourced activity.

Institutions may use ‘pooled audits’ organised jointly with other clients of the outsourcer to make more efficient use of audit resources provided that, amongst other things:

  • the scope of the audit certification covers key systems identified by the institution (e.g. IT infrastructure);
  • ongoing assessment of the certification content occurs; and
  • the institution retains the contractual right to perform individual audits at its discretion.

9. Termination & Exit: the Guidelines provide examples of when institutions should have the right to terminate an outsourcing arrangement (including where there are weaknesses in the management and security of personal data).

Exit strategies designed to protect business continuity in the event of disruption to outsourced activities, such as technical failures or insolvency on the part of the outsourcing provider, are essential. Key points when developing exit strategies include the need to:

  • define the objectives of the exit strategy;
  • conduct a business impact analysis in line with the risk of the outsourced activity to identify the resources required to implement an exit plan and assess how long it would take;
  • assign responsibility to implement exit plans and manage the transition of activities; and
  • define what is meant by “success”.

The draft Guidelines provide much food for thought in terms of what is expected of institutions when engaging in outsourcing, especially the outsourcing of critical and important functions.