Guidelines on outsourcing arrangements

These draft Guidelines provide a clear definition of outsourcing and specify the criteria to assess whether or not an outsourced activity, service, ... Skiptomaincontent Home» Regulationandpolicy» Internalgovernance» GuidelinesOnOutsourcingArrangements Followuson: Guidelinesonoutsourcingarrangements FinalandtranslatedintotheEUofficiallanguages ThesedraftGuidelinesprovideacleardefinitionofoutsourcingandspecifythecriteriatoassesswhetherornotanoutsourcedactivity,service,processorfunction(orpartofit)iscriticalorimportant.TheGuidelines,whichreviewtheexistingCEBSGuidelinesonoutsourcingpublishedin2006,aimatestablishingamoreharmonisedframeworkforoutsourcingarrangementsofallfinancialinstitutionsinthescopeoftheEBA’saction. Documents EBArevisedGuidelinesonoutsourcingarrangements Compliancetable (Updated9April2021) SelectLanguage bgбългарски csceština dadansk deDeutsch elΕλληνικά enEnglish esespañol eteestikeel fisuomi frfrançais hrhrvatski humagyar ititaliano ltlietuviukalba lvlatviešuvaloda mtMalti nlNederlands plPolski ptPortuguês roRomână skSlovencina slSlovenščina svsvenska Links Publichearing Internalgovernance NewsPressReleaseConsultationPapers News EBAconsultsonGuidelinesonoutsourcing 22June2018 TheEuropeanBankingAuthority(EBA)launchedtodayapublicconsultationonitsdraftGuidelinesonoutsourcing. TheseGuidelines,whichreviewtheexistingCEBSGuidelinesonoutsourcingpublishedin2006,aimatestablishingamoreharmonisedframeworkforoutsourcingarrangementsofallfinancialinstitutionsinthescopeoftheEBA'saction.ThedraftGuidelinesprovideacleardefinitionofoutsourcingandspecifythecriteriatoassesswhetherornotanoutsourcedactivity,service,processorfunction(orpartofit)iscriticalorimportant. Inparticular,therevisedGuidelinescovercreditinstitutionsandinvestmentfirmssubjecttotheCapitalRequirementsDirective(CRD),butalsopaymentinstitutionssubjecttotherevisedPaymentServicesDirective(PSD2)andelectronicmoneyinstitutionssubjecttothee-moneyDirective.Theconsultationrunsuntil24September2018.   Overtherecentyears,therehasbeenanincreasingtendencybyinstitutionstooutsourceactivitiesinordertoreducecostsandimproveflexibilityandefficiency.Inthecontextofdigitalisationandincreasingimportanceofinformationtechnology(IT)andfinancialtechnologies(FinTech),financialinstitutionsareadaptingtheirbusinessmodels,processesandsystemstoembracesuchtechnologies.Outsourcingtocloudserviceprovidersgainedrapidlyimportanceinmanyindustries.Overall,IThasbecomeoneofthemostprevalentoutsourcedactivities.OutsourcingisalsorelevantinthecontextofgainingormaintainingaccesstotheEUfinancialmarket.Inparticular,thirdcountryinstitutionsmaysetupsubsidiariesorbranchesintheEUinordertogetormaintainaccesstoEUfinancialmarketsandinfrastructures,whiletheparentinstitutionwouldprovideamaterialpartofthebusinessactivities.    TherevisedGuidelinesdealwiththeresponsibilitiesofthemanagementbodyfortheestablishmentofanappropriateframeworkforoutsourcing,itsimplementationandapplicationinagroup,theduediligenceprocessandriskassessmentbeforeenteringinsucharrangements.TheGuidelinesalsoclarifyaspectsrelatedtothecontractualarrangements,themonitoringanddocumentationofoutsourcingarrangementsaswellasthesupervisionbycompetentauthorities.   Againstthisbackground,theGuidelinesspecifythattheresponsibilityoftheinstitution'smanagementbodycanneverbeoutsourced.Outsourcingmustnotleadtoasituationwhereaninstitutionbecomesaso-called‘emptyshell'thatlacksthesubstancetoremainauthorised.Institutionsmustremainabletooverseeallrisksandtomanageoutsourcingarrangements.Institutionsshouldbeabletoeffectivelycontrol,challengethequalityandperformanceofoutsourcedprocesses,servicesandactivities,andcarryouttheirownriskassessmentandongoingmonitoring.    The Guidelinessetupaframeworkfortheduediligenceprocessofinstitutionswiththeobjectiveofensuringthatfunctionsareonlyoutsourcedtoreliableserviceproviderssothattheongoingprovisionofservicesandcompliancewithregulatoryrequirementsisensured.Institutionsmustensureauditandaccessrightsinwrittenoutsourcingagreementsbothforthemselvesandforcompetentauthoritiesandarerequiredtomaintainaregisterofalloutsourcingarrangements.  Consultationprocess CommentstothisconsultationcanbesenttotheEBAbyclickingonthe"sendyourcomments"buttonontheconsultationpage.Pleasenotethatthedeadlineforthesubmissionofcommentsis24September2018.   ApublichearingwilltakeplaceattheEBApremiseson4September2018from10:00to12:00UKtime.Allcontributionsreceivedwillbepublishedfollowingtheendoftheconsultation,unlessrequestedotherwise. Legalbasisandnextsteps ThesedraftGuidelineshavebeendevelopedaccordingtoArticle74ofDirective2013/36/EU,whichmandatestheEBAtofurtherharmoniseinstitutions'governancearrangements,processesandmechanismsacrosstheEU,Directive2015/2366/EU,Directive2009/110/ECandArticle16ofRegulation(EU)No1093/2010.TheRecommendationsonoutsourcingtocloudserviceproviders havebeenfullyintegratedintheEBAdraftGuidelinesonoutsourcingandwillberepealedwhentheGuidelinesenterintoforce.   TheEBAGuidelineswillapplytocompetentauthoritiesacrosstheEU,aswellastoinstitutionsonasoloandconsolidatedbasis,paymentinstitutionsandelectronicmoneyinstitutions.    Presscontacts FrancaRosaCongiu [email protected]| +33186527052| Follow@EBA_News PressRelease EBApublishesrevisedGuidelinesonoutsourcingarrangements 25February2019 TheEuropeanBankingAuthority(EBA)publishedtodayitsrevisedGuidelinesonoutsourcingarrangementssettingoutspecificprovisionsforthegovernanceframeworksofallfinancialinstitutionswithinthescopeoftheEBA'smandatewithregardtotheiroutsourcingarrangementsandrelatedsupervisoryexpectationsandprocesses.TheaimoftheGuidelinesistoestablishamoreharmonisedframeworkforthesefinancialinstitutions,namelycreditinstitutionsandinvestmentfirmssubjecttotheCapitalRequirementsDirective(CRD),aswellaspaymentandelectronicmoneyinstitutions.Therecommendationonoutsourcingtocloudserviceproviders,publishedinDecember2017,hasalsobeenintegratedintotheGuidelines. Inthecontextofdigitalisationandgiventheincreasingimportanceofnewfinancialtechnology(Fintech)providers,financialinstitutionsareadaptingtheirbusinessmodelstoembracesuchinnovations.SomehaveintensifiedtheuseofFintechsolutionsandhavelaunchedprojectstoimprovetheircostefficiencyalsoinresponsetotheintermediationmarginsofthetraditionalbankingbusinessmodelbeingputunderpressurebythelowinterestrateenvironment.Outsourcingisawaytogetrelativelyeasyaccesstonewtechnologiesandtoachieveeconomiesofscale. ThenewGuidelines,whichareconsistentwiththerequirementsonoutsourcingunderthePaymentsServicesDirective(PSD2),theMarketsinFinancialInstrumentsDirective(MiFIDII)andtheCommission'sDelegatedRegulation(EU)2017/565[1],aimatensuringthatinstitutionscanapplyasingleframeworkonoutsourcingforalltheirbanking,investmentandpaymentactivitiesandservices.Suchaframeworkalsoensuresalevelplayingfieldbetweendifferenttypesoffinancialinstitutions. Inparticular,theGuidelinesclarifythatthemanagementbodyofeachfinancialinstitutionremainsresponsibleforthatinstitutionanditsactivitiesatalltimes.Tothisend,themanagementbodyshouldensurethatsufficientresourcesareavailabletoappropriatelysupportandensuretheperformanceofthoseresponsibilities,includingoverseeingallrisksandmanagingtheoutsourcingarrangements.Outsourcingmustnotleadtoasituationinwhichaninstitutionbecomesan‘emptyshell'thatlacksthesubstancetoremainauthorised. Particularchallengestoensuretheeffectivesupervisionofinstitutionsandpaymentinstitutionsexistwhenfunctionsareoutsourcedtoserviceproviderslocatedinthirdcountries.FinancialinstitutionsareexpectedtoensurecompliancewithEUlegislationandregulatoryrequirements(e.g.professionalsecrecy,accesstoinformationanddata,protectionofpersonaldata)inparticularregardingcriticalorimportantfunctionsoutsourcedtoserviceproviders. Inthisrespect,theGuidelinesspecifywhicharrangementswiththirdpartiesaretobeconsideredasoutsourcing.TheGuidelinesdifferentiatebetweenrequirementsoncriticalandimportantoutsourcingarrangementsandotheroutsourcingarrangementsOutsourcingofcriticalandimportantfunctionshasahigherimpactontheinstitutions'andpaymentinstitutions'riskprofile.Hence,therequirementsarestricterascomparedtotherequirementsforotherlessriskyoutsourcingarrangements. Finally,competentauthoritiesarerequiredtoeffectivelysupervisefinancialinstitutions'outsourcingarrangements,includingidentifyingandmonitoringriskconcentrationsatindividualserviceprovidersandassessingwhetherornotsuchconcentrationscouldposearisktothestabilityofthefinancialsystem.Toidentifysuchriskconcentrations,competentauthoritiesshouldbeabletorelyoncomprehensivedocumentationonoutsourcingarrangementscompiledbyfinancialinstitutions. Legalbasisandnextstep Article74(1)ofCRDrequiresthatinstitutionsmusthaverobustgovernancearrangements,whichincludeaclearorganisationalstructure.Outsourcingarrangementsareoneaspectofinstitutions'andpaymentinstitutions'organisationalstructure.Paragraph(3)ofthatArticlemandatestheEBAtoissueGuidelinesonthosearrangements,processesandmechanisms. UnderArticle 16ofRegulation(EU)No1093/2010[2](theEBARegulation),theEBAisalsorequiredtoissueguidelinesandrecommendationsaddressedtocompetentauthoritiesandfinancialinstitutionswithaviewtoestablishingconsistent,efficientandeffectivesupervisorypracticesandensuringthecommon,uniformandconsistentapplicationofUnionlaw.Inparticular,theconditionsforoutsourcingoffunctionsofbankingactivitiesbyinstitutionsarenotharmonisedtothesameextentasforinstitutionsandpaymentinstitutionssubjecttoMiFIDIIandPSD2. TheEBAGuidelineswillenterintoforceon30September2019andcontainsometransitionalperiodsforimplementingaregisterofalloutsourcingarrangementsandtoagreeoncooperationagreementsbetweencompetentauthoritiesortoreintegrateoutsourcedfunctionsormovethemtootherserviceproviders,iftherequirementsoftheguidelinescanotherwisenotbemet. [1]CommissionDelegatedRegulation(EU)2017/565of25April2016supplementingDirective2014/65/EUoftheEuropeanParliamentandoftheCouncilasregardsorganisationalrequirementsandoperatingconditionsforinvestmentfirmsanddefinedtermsforthepurposesofthatDirective [2]Regulation(EU)No 1093/2010oftheEuropeanParliamentandoftheCouncilof24 November 2010establishingaEuropeanSupervisoryAuthority(EuropeanBankingAuthority),amendingDecisionNo 716/2009/ECandrepealingCommissionDecision2009/78/EC(OJL 331,15.12.2010,p. 12). Presscontacts FrancaRosaCongiu [email protected]| +33186527052| Follow@EBA_News ConsultationPapers ConsultationondraftGuidelinesonoutsourcing(EBA/CP/2018/11) Summary 22/06/2018 TheEuropeanBankingAuthority(EBA)launchedtodayapublicconsultationonitsdraftGuidelinesonoutsourcing.TheseGuidelines,whichreviewtheexistingCEBSGuidelinesonoutsourcingpublishedin2006,aimatestablishingamoreharmonisedframeworkforoutsourcingarrangementsofallfinancialinstitutionsinthescopeoftheEBA’saction.ThedraftGuidelinesprovideacleardefinitionofoutsourcingandspecifythecriteriatoassesswhetherornotanoutsourcedactivity,service,processorfunction(orpartofit)iscriticalorimportant. Inparticular,therevisedGuidelinescovercreditinstitutionsandinvestmentfirmssubjecttotheCapitalRequirementsDirective(CRD),butalsopaymentinstitutionssubjecttotherevisedPaymentServicesDirective(PSD2)andelectronicmoneyinstitutionssubjecttothee-moneyDirective.Theconsultationrunsuntil24September2018.   Overtherecentyears,therehasbeenanincreasingtendencybyinstitutionstooutsourceactivitiesinordertoreducecostsandimproveflexibilityandefficiency.Inthecontextofdigitalisationandincreasingimportanceofinformationtechnology(IT)andfinancialtechnologies(FinTech),financialinstitutionsareadaptingtheirbusinessmodels,processesandsystemstoembracesuchtechnologies.Outsourcingtocloudserviceprovidersgainedrapidlyimportanceinmanyindustries.Overall,IThasbecomeoneofthemostprevalentoutsourcedactivities.OutsourcingisalsorelevantinthecontextofgainingormaintainingaccesstotheEUfinancialmarket.Inparticular,thirdcountryinstitutionsmaysetupsubsidiariesorbranchesintheEUinordertogetormaintainaccesstoEUfinancialmarketsandinfrastructures,whiletheparentinstitutionwouldprovideamaterialpartofthebusinessactivities.    TherevisedGuidelinesdealwiththeresponsibilitiesofthemanagementbodyfortheestablishmentofanappropriateframeworkforoutsourcing,itsimplementationandapplicationinagroup,theduediligenceprocessandriskassessmentbeforeenteringinsucharrangements.TheGuidelinesalsoclarifyaspectsrelatedtothecontractualarrangements,themonitoringanddocumentationofoutsourcingarrangementsaswellasthesupervisionbycompetentauthorities.   Againstthisbackground,theGuidelinesspecifythattheresponsibilityoftheinstitution’smanagementbodycanneverbeoutsourced.Outsourcingmustnotleadtoasituationwhereaninstitutionbecomesaso-called‘emptyshell’thatlacksthesubstancetoremainauthorised.Institutionsmustremainabletooverseeallrisksandtomanageoutsourcingarrangements.Institutionsshouldbeabletoeffectivelycontrol,challengethequalityandperformanceofoutsourcedprocesses,servicesandactivities,andcarryouttheirownriskassessmentandongoingmonitoring.    The Guidelinessetupaframeworkfortheduediligenceprocessofinstitutionswiththeobjectiveofensuringthatfunctionsareonlyoutsourcedtoreliableserviceproviderssothattheongoingprovisionofservicesandcompliancewithregulatoryrequirementsisensured.Institutionsmustensureauditandaccessrightsinwrittenoutsourcingagreementsbothforthemselvesandforcompetentauthoritiesandarerequiredtomaintainaregisterofalloutsourcingarrangements.  Consultationprocess CommentstothisconsultationcanbesenttotheEBAbyclickingonthe"sendyourcomments"buttonontheconsultationpage.Pleasenotethatthedeadlineforthesubmissionofcommentsis24September2018.   ApublichearingwilltakeplaceattheEBApremiseson4September2018from10:00to12:00UKtime.Allcontributionsreceivedwillbepublishedfollowingtheendoftheconsultation,unlessrequestedotherwise. Legalbasisandnextsteps ThesedraftGuidelineshavebeendevelopedaccordingtoArticle74ofDirective2013/36/EU,whichmandatestheEBAtofurtherharmoniseinstitutions’governancearrangements,processesandmechanismsacrosstheEU,Directive2015/2366/EU,Directive2009/110/ECandArticle16ofRegulation(EU)No1093/2010.TheRecommendationsonoutsourcingtocloudserviceproviders havebeenfullyintegratedintheEBAdraftGuidelinesonoutsourcingandwillberepealedwhentheGuidelinesenterintoforce.   TheEBAGuidelineswillapplytocompetentauthoritiesacrosstheEU,aswellastoinstitutionsonasoloandconsolidatedbasis,paymentinstitutionsandelectronicmoneyinstitutions.    Annex(RegistertemplateforGlsonoutsourcing) ConsultationPaperondraftGuidelinesonoutsourcingarrangements(EBA-CP-2018-11) Responses ABBL,theLuxembourgBankers'AssociationAIMAAmundiAnnunziata&ConsoAsociaciónEspañoladeBanca(AEB)AssociationforFInancialMarketsinEuropeAssociationofForeignBanksinGermany(VerbandderAuslandsbankeninDeutschland)AssogestioniAustrianEconomicChamber,DivisionBankandInsuranceBBVABVIBancaMontedeiPaschidiSienaBankofNewYorkMellonBitkomBundesverbandderZahlungsinstitutee.V.CISPEaisblCentredesprofessionsfinancièresCityofLondonLawSocietyRegulatoryCommitteeDeutscheBankDeutscheBörseGroupEPSM-EuropeanAssociationofPaymentServiceProvidersforMerchantsESBGEYEuroclearS.A.EurofinasEuropeanAssociationofCo-operativeBanks(EACB)EuropeanBankingFederationEuropeanConfederationofInstitutesofInternalAuditing(ECIIA)EuropeanFinancialCongressEuropeanFundandAssetManagementAssociation(EFAMA)EuropeanPaymentInstitutionsFederationGermanBankingIndustryCommittee(GBIC)InteressengemeinschaftKreditkarten(TheIKisacompetitionneutralplatformwithoutlegalcapacityforentities,whichactinthecreditanddebitcardbusinessinGermany(Issuer,Acquirer,NetworkServiceProviders,ProcessingEntities,Licensors),registeredintheEU-TransparencyRegisterunderIdent-no.209142612442-39)LondonStockExchangeGroupMicrosoftModularFXServicesLtdNationalBankofRomania-RegulationandLicensingDepartmentNordicFinancialUnions(NFU)OpusPinsentMasonsRiskRewardLimitedSWIFTStandardCharteredBankStateStreetCorporationTemenosTheRoyalBankofScotlandZdruženjebankSlovenijeeveristechUK BSGOpinions BSGresponsetoEBADraftGuidelinesonoutsourcing(EBACP201811)_24Sep2018 PublicHearing Note:APublicHearingisrelatedtothisconsultationbutisnotvisibletopublicuserssincethedateispast