EBA Guidelines on Outsourcing Arrangements - Cledara


EBA Guidelines on Outsourcing Arrangements: Everything You Need to Know

Startup Compliance, January 13, 2022

Learn how to easily navigate around the latest compliance requirements by the EBA for outsourcing arrangements.

The EBA guidelines on outsourcing arrangements came into effect on 31st December 2021. The guidelines are made to regulate the way businesses purchase and handle outsourced software (e.g. Salesforce or the CRM you use). These guidelines mean that companies like yours need to make sure outsourcing arrangements are properly managed and implement risk management and compliance processes to handle the cloud software you use, as well as a variety of other outsourced services.

Although all outsourced software requires compliance checks, there are certain types of software that will require deeper diligence, specifically the ones that meet the definition of “critical or important” under MiFID II. Let’s have a look and be sure to check out our eBook on the topic for a deeper dive!

When Was the European Banking Authority (EBA) Deadline?

The EBA deadline was issued in February 2019 and entered into force in September 2019. The hard deadline for compliance occurred on 31 December 2021. Any contracts with cloud software providers that were entered into, reviewed, or amended after 30 September 2019 must comply with the guidelines, and all existing cloud software vendors needed to be reviewed by 31 December 2021.

Who Needs to Comply?

If you’re reading this, it’s probably because compliance is on your mind. If not, we admire your passion for compliance! Either way, here’s a rundown of all financial institutions that must fully comply with the new regulation:

- Banks
- Payment institutions, including Authorised Payment Institutions (API) and Payment Initiation Service Providers (PISP)
- Electronic money institutions
- Investment firms, subject to Directive (EU) 2013/36 IV (Capital Requirements Directive)

The most common licenses used by fintech startups are e-money licenses, PISPs or APIs, held either directly or indirectly through Agent relationships with directly licensed partners, and these startups therefore fall within the scope of the regulatory guidelines.

EBA Guidelines for UK-Based Companies

Even though every regulated entity in the UK will need to comply with these guidelines, we recommend checking with your local regulator. Here are the regulations according to FCA and PRA:

- For those regulated by the Financial Conduct Authority (FCA). The FCA publicly re-affirmed that regulated entities in the UK must meet the EBA’s hard deadline at the end of 2021, despite Brexit and the pandemic. As a law firm covering the matter noted, the FCA confirmed that they had “notified the EBA that we will comply with the guidelines”, including “the review of existing ‘critical or important’ outsourcing arrangements entered into before 30 September 2019.”
- For those regulated by the Prudential Regulation Authority (PRA). The PRA publicly pushed the deadline to comply with the Guidelines from December 2021 to March 2022 stating “the disruption and reprioritization caused by the COVID-19 pandemic and changes to the UK, EU, and global regulatory landscape in this area.”

How to Classify Your Existing Software Stack

The European Banking Authority's (EBA) outsourcing requirements have significantly enhanced third-party control regarding cloud providers. An outsourced service is considered critical or important when the failure of the technology in question results in a disruption to your business, a failure to provide your services or the inability to support your customers.

Your first task should be to classify all your cloud software stack into two groups:

1) Critical or important
2) Non-critical or important

This will tell you which software requires greater diligence checks. But how do you find out what software is “critical or important” to your business?

First of all, to classify all your cloud software stack, you need 100% visibility over what software you have, so important tools are not excluded from your classification. In other words, if the failure of the technology in question results in a disruption to your business, and in a failure to provide your services or the inability to support your customers, it may be considered as “critical or important”.

Let’s look at an example. If you are a neobank, these are some of the tools that you might want to consider as “critical or important”:

- Your CRM (e.g. Salesforce, Pipedrive)
- Your customer support software (e.g. Zendesk)
- Your single session and user authentication service or SSO (e.g. Okta)
- Your PEPs and sanctions screening tool (e.g. ComplyAdvantage)

On the other hand, it’s likely that your analytics (e.g. Google Analytics) or your internal communications (Slack) software would not be regarded as critical or important. Which software applications are considered “critical or important” varies with your business.

The EBA guidelines apply to all of your cloud software and you will need to run a compliance process for all of your SaaS, and remember that certain types of SaaS will require deeper diligence.


