In August 2018 we provided an update on the European Banking Authority’s (EBA) Consultation Paper on their Draft Guidelines on Outsourcing Arrangements (the “Guidelines”). The final version of the Guidelines was published on 25 February 2019, and aims to create a more harmonised framework for all financial institutions under the EBA’s remit.
The Guidelines update and replace the guidance on outsourcing that the EBA’s predecessor, the Committee of European Banking Supervisors (CEBS), issued in 2006. Whereas CEBS guidelines applied only to credit institutions, the new Guidelines seek to provide a more harmonised framework for a wider set of financial institutions including credit institutions, investment firms and payment and electronic money institutions.
However, the Guidelines form only one part of the regulatory picture in relation to outsourcing. The Guidelines emphasise that institutions should have robust internal policies and governance and ensure compliance with additional layers of regulation, including EU legislation and guidance from European Supervisory Authorities.
The Guidelines make a number of changes to the earlier draft version that the EBA consulted on last year and integrate its 2017 recommendations on outsourcing to cloud service providers (which have been applicable since 1 July 2018) into the Guidelines.
Scope and Timeframe
The Guidelines cover all outsourcing arrangements entered into by an institution, including intra-group arrangements, reviewed or amended on or after 30 September 2019. Relevant institutions have until the end of 2021 to ensure that their existing outsourcing arrangements comply.
Key Points in the Guidance
An institution’s management body remains fully responsible and accountable for regulatory compliance whether or not certain activities are outsourced, particularly where the functions outsourced are considered critical or important. The Guidelines note that governance arrangements should be proportionate, taking into account factors such as the “complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities”.
Definition of outsourcing
The Guidelines adopt and expand on the definitions of “outsourcing” and “critical or important” from the MiFID II Framework and provide further guidance by specifying a number of activities that would not generally be considered outsourcing.
Outsourcing of critical or important functions
Outsourcing of functions that are “critical or important” are subject to a stricter regime than other outsourcings. While institutions will already have processes in place to determine critical or important functions, the guidelines provide a helpful list of situations in which a function should always be deemed critical or important, for example where impaired performance would prevent compliance with other obligations.
Requirement to have an outsourcing policy
Institutions must adopt and keep updated a written outsourcing policy providing for effective internal governance and implementing of outsourcing arrangements. The Guidelines set out minimum criteria which should be included in the policy.
Due Diligence on service provider
As mentioned in our last update, some of the main questions to consider when choosing a service provider are:
- does the service provider have appropriate and sufficient ability, capacity, resources, organisational structure and (if relevant) authorisations to perform critical or important functions on behalf of an institution?
- can the service provider perform these functions in a reliable and professional manner?
- what is the service provider’s business model, scale, complexity and financial situation?
- are there appropriate technical and organisational measures in place concerning storage and processing of personal/confidential information?
- if the outsourcing arrangement involves the processing of personal data, is the outsourcer GDPR compliant?
The Guidelines also oblige institutions to consider whether subcontractors, particularly those located in third countries, act in an ethical and socially responsible manner, adhere to international standards on human rights, environmental protection and ensure appropriate working conditions.
Risk Assessment of outsourcing arrangements
Institutions should identify, manage, monitor and report all risks to which they might be exposed to in connection with their outsourcing arrangements, in particular operational risks.
Holding and maintaining an outsourcing register
Institutions should maintain an updated register on all their outsourcing arrangements and document their current outsourcing arrangements, distinguishing between critical or important functions and other outsourcing arrangements. The Guidelines also set out a number of additional pieces of information to be included on the register. Institutions are to make the register available to the competent authority on request.
Internal Audit Function
The internal audit function in the Guidelines provides a mechanism to independently review outsourced activities and set out a number of matters which the audit should specifically check, such as whether the institution’s framework for outsourcing is being implemented properly and whether the activities are still correctly categorised as relating to critical or important functions.
Access, information and audit rights
Institutions must set out rights of access and audit for regulators in their outsourcing contracts, including access to business premises and devices, systems, networks, information and data used for the outsourced activity.
Security of Data and Systems
Institutions should ensure that service providers, where relevant, comply with appropriate IT security standards and should define data and system security requirements within the outsourcing agreement, monitoring compliance on an ongoing basis.
When outsourcing to service providers in third countries, institutions must ensure that EU legislation and regulatory requirements are complied with and that the competent authority can effectively supervise the institution.
Termination and Exit
Outsourcing arrangements should expressly allow the institution to terminate the arrangement. The Guidelines provide examples of when institutions should have the right to do so (including where there are weaknesses in the management and security of personal data).
Exit strategies designed to protect business continuity in the event of disruption to outsourced activities, such as technical failures or insolvency on the part of the outsource provider, are essential. Key points when developing exit strategies include the need to:
- define the objectives of the exit strategy;
- conduct a business impact analysis in line with the risk of the outsourced activity to identify the resources required to implement an exit plan and assess how long it would take;
- assign responsibility to implement exit plans and manage the transition of activities; and
- define what is meant by “success”.
Overall, the final Guidelines provide useful clarification on what is expected of financial institutions going forward.