EBA guidelines on outsourcing arrangements: 7 key aspects

The Guidelines aim at establishing a more harmonised framework for the outsourcing arrangements of financial institutions, by specifying the ... Search Breadcrumb Home Blog EBAguidelinesonoutsourcingarrangements:7keyaspects Authorinfo LiesaBoghaert 13/03/2019 Informationtechnology On25February2019,theEuropeanBankingAuthority(EBA)publishednewGuidelinesonOutsourcingarrangements(the‘Guidelines’)applicabletobanks,investmentfirms,paymentandelectronicmoneyinstitutions(hereinafter:financialinstitutions).TheGuidelinesacknowledgeandaddressthefactthat,overrecentyears,financialinstitutionshavebeenincreasinglyinterestedinoutsourcingbusinessactivitiesinordertoreducecosts,improvetheirefficiencyandhaveeasyaccesstonewfinancialtechnologies(fintech).TheGuidelinesaimatestablishingamoreharmonisedframeworkfortheoutsourcingarrangementsoffinancialinstitutions,byspecifyingtheinternalgovernancearrangementsthattheyshouldimplementwhenoutsourcingfunctionsanddetermininghowcompetentauthoritiesshouldreviewandmonitorthesearrangements. Saveforoneprovision,theGuidelineswillapplytoalloutsourcingarrangementsenteredinto,reviewedoramendedonorafter30September2019.Institutionsarehoweverobligedtoreviewandamendallexistingoutsourcingarrangementsby31December2021atthelatest,withaviewtocompliance.Furthermore,theGuidelinesreplacetheOutsourcingGuidelinesof2006issuedbytheEBA’spredecessor,theCommitteeofEuropeanBankingSupervisors(CEBS)andincorporatetheEBA’sRecommendationsonoutsourcingtocloudserviceprovidersof2017,whichwillbothberepealedupontheGuidelines’entryintoforce.7takeawaysfromtheEBAguidelinesonoutsourcingWithasmanyas125pages,theEBA’sGuidelinesprovideacomprehensiveinstrumentforfinancialinstitutionstotakeathandwhenconsideringtooutsourceanactivity,service,processorfunction.Tosaveyoureading,belowarepresentedthe7keytakeawaysfromthenewGuidelines:1.CleardefinitionofoutsourcingInitsGuidelines,theEBAalignsitsdefinitionof‘outsourcing’withthatsetoutintheMiFIDIIframework* andgivesvaluableguidanceonhowtoassessifanarrangementwithathirdpartyfallsunderthedefinitionofoutsourcing.AccordingtotheEBA,itiscrucialtoassessifthefunction(orapartthereof)thatisoutsourcedtoaserviceprovider,isperformedonrecurrentorongoingbasisbytheserviceproviderandifthisfunction(orpartthereof)wouldnormallyfallwithinthescopeoffunctionsthatwouldorcouldrealisticallybeperformedbythefinancialinstitution,evenifthisinstitutionhasnotperformedthisfunctioninthepastitself.Furthermore,theGuidelinesindicatecertainprocesses,servicesandactivities,which‘asageneralprinciple’shouldnotbeconsideredoutsourcing.Amongthoseare:functionsthatarelegallyrequiredtobeperformedbyserviceproviders(suchasstatutoryaudits),marketinformationservices(suchastheprovisionofdatabyBloomberg)andglobalnetworkinfrastructures(suchasVisaandMasterCard).2.CriteriatoassessifanoutsourcedfunctioniscriticalorimportantThenewGuidelinesalsoprovidecriteriafortheidentificationofcriticalorimportantfunctionsthathaveastrongimpactonthefinancialinstitution’sriskprofileoronitsinternalcontrolframework(formerlyso-called‘materialactivities’).Ifsuchcriticalorimportantfunctionsareoutsourced,stricterrequirementsapplytotheseoutsourcingarrangements.Assuch,theGuidelinesdrawadistinctionbetweenoutsourcingthatis‘criticalorimportant’andotheroutsourcing.Whenassessingwhetheranoutsourcingrelatestoafunctionthatiscriticalorimportant,financialinstitutionsshouldtakeintoaccountatleast10factorsmentionedbytheGuidelines(suchasthesizeandcomplexityofanybusinessareaaffected,theabilitytoreintegratetheoutsourcedfunctionintotheinstitutionifnecessaryordesirable…)Besidesthat,theGuidelinesdefine3situationsinwhichafinancialinstitutionshouldalwaysconsiderafunctionascriticalorimportant.Unfortunately,theEBAdidnotprovideaclearconsolidatedlistofwhichguidelinesapplytowhichtypeofarrangements,arguingthattheGuidelinesaresufficientlyclearasregardsthescopeoftherequirements.3.NeedforsoundgovernanceInrespectofgovernance,theEBAemphasisesthatfinancialinstitutionsremainfullyresponsibleandaccountableforcomplyingwithalltheirregulatoryobligations,includingtheabilitytooverseetheoutsourcingofcriticalorimportantfunctions.Tothisaim,financialinstitutionsshouldmakesureto:clearlyassigntheresponsibilitiesforthedocumentation,managementandcontrolofoutsourcingarrangements,allocatesufficientresourcestoensurecompliancewithalllegalandregulatoryrequirementsandestablishanoutsourcingfunctionordesignateaseniorstaffmemberwhoisdirectlyaccountabletothemanagementbodyandresponsibleformanagingandoverseeingtherisksofoutsourcingarrangements,aswellasthedocumentationthereof.Inanycase,itisimportantthatfinancialinstitutionsatalltimesmaintainsufficientsubstanceanddonotbecome‘emptyshells’or‘letter-box-entities’.4.Requirementsforthepre-outsourcingphaseBeforeenteringintoanyoutsourcingagreement,accordingtotheGuidelines,financialinstitutionsshouldalwaysperforma‘pre-outsourcinganalysis’,whichincludesseveraldifferentassessments.Hence,financialinstitutionsneedto:assessiftheoutsourcingarrangementconcernsacriticalorimportantfunction,assessifthesupervisoryconditionsforoutsourcingaremet(e.g.authorisationoftheserviceproviderbycompetentauthoritytoperformcertainbankingactivitiesorpaymentservices),identifyandassessallrelevantrisksoftheoutsourcingarrangement(e.g.operationalrisks),undertakeduediligenceontheprospectiveserviceproviderand identifyandassessconflictsofintereststhattheoutsourcingmaycause.5.RequirementsforthecontractualphaseOnthecontractuallevel,theGuidelinesrequirethatawrittenagreementisconcludedbetweenthefinancialinstitutionandtheserviceprovider.Thisagreementshould clearlyallocatesandsetsouttherightsandobligationsofthepartiesandincludescertainspecifiedprovisions.Besidesthat,theagreementshoulddetailwhetherornotsub-outsourcingofcriticalorimportantfunctionsispermitted.Ifso,thesub-contractorneedstocomplywithcertainrequirementsandthefinancialinstitutionshouldensurethattheserviceprovideroverseesthesub-serviceprovider.Furthermore,appropriateITsecuritystandardsshouldbeimposedontheserviceproviderandshouldbemonitoredonanongoingbasis.Lastly,outsourcingcontractsshouldcontainprovisionsregardingtheaccess,informationandauditrightsofboththefinancialinstitutionandthecompetentauthorities,aswellasaprovisiononterminationrights.6.OutsourcingtoserviceprovidersinthirdcountriesWithregardtooutsourcingtoserviceproviderslocatedinthirdcountries,theEBAstressesthatfinancialinstitutionsareexpectedtotakeparticularcarethatcompliancewithEUlegislationandregulatoryrequirements(e.g.professionalsecrecy,accesstoinformationanddata,protectionofpersonaldata)isensured.Moreover,theEBAstressesthat additionalsafeguardsareputinplacewhichguaranteethattheoutsourcingdoesnotleadtoanundueincreaseinriskordoesnotimpairtheabilityofcompetentauthoritiestoeffectivelysupervisethefinancialinstitution,inparticularwhencriticalorimportantfunctionsareconcerned.7.Documentkeeping:outsourcingpolicyandoutsourcingregisterTheEBAGuidelinesentailtwoimportantdocumentkeepingobligations.Firstofall,financialinstitutionsthatarecurrentlyoutsourcingcertainactivitiesorareplanningtodosointhefuture,havetoputinplaceawrittenoutsourcingpolicythatincludesthemainphasesofthelifecycleofoutsourcingarrangementsanddefinestheprinciples,responsibilitiesandprocessesinrelationtooutsourcing.Thispolicymustbeimplemented,regularlyreviewedandupdated.Secondly,inthecontextofriskmanagement,financialinstitutionshavetomaintainanupdatedregisterofinformationonalloutsourcingarrangementsattheinstitutionandshoulddocumentallcurrentoutsourcingarrangements,distinguishingbetweentheoutsourcingofcriticalorimportantfunctionsandotheroutsourcingarrangements.Evendocumentationonoutsourcingarrangementsthathaveended,shouldbemaintainedwithintheregisterforanappropriateperiod.*See:Article2(3)oftheCommissionDelegatedRegulation(EU)2017/565of25April2016supplementingDirective2014/65/EUoftheEuropeanParliamentandoftheCouncilasregardsorganisationalrequirementsandoperatingconditionsforinvestmentfirmsanddefinedtermsforthepurposesofthatDirective.InneedofadviceregardingtheEBAoutsourcingguidelines?Pleasefeelfreetocontactus. Relatedposts OutsourcingyourJusticeCoordinationCell ForeignoperatorsandtheBelgianJusticeCoordinationCell WhatdoyouneedtoknowabouttheAIAct?