EBA Guidelines On Outsourcing: Eight Steps To Comply ...


EBA GUIDELINES ON OUTSOURCING: EIGHT STEPS TO COMPLY BEFORE DECEMBER 2021 DEADLINE

Alexandre Vandeput
Published: 19 April 2021

The European Banking Authority's (EBA) guidelines on outsourcing arrangements, issued in February 2019 and in force since September 2019, have considerably increased the level of control expected over third parties, including cloud providers. Fortunately, the EBA foresaw a transitional period, which ends on 31 December 2021. This gives banks, asset managers, payment service providers and electronic money institutions nine months to adapt their operational risk mitigation frameworks and to remediate legacy outsourcing contracts to ensure compliance.

This timeframe is very short. Our experience confirms that many financial institutions have yet to address the key aspects of the guidelines, including assigning roles and responsibilities, reviewing the service level agreements (SLAs) for intra-group arrangements and drafting the adapted outsourcing policy. Meanwhile, all contractual arrangements with third parties will need to be properly remediated by the end of the year.

Furthermore, two major trends are putting additional pressure on fulfilling those obligations: the increasing reliance on cloud service providers (which fall entirely within the scope of the guidelines) and the accelerated digitalization efforts by many, if not all, financial institutions following the pandemic.

In this first blog in our series on the information and communication technology (ICT) risk mitigation framework, Alexandre Vandeput discusses how to ensure safe compliance on time.

TIME IS RUNNING OUT ON COMPLIANCE WITH THE EBA GUIDELINES ON OUTSOURCING ARRANGEMENTS

Based on our observations from projects within retail, commercial, payments and electronic money institutions, the pressure is rising on IT, operations and risk departments to adapt their outsourcing control frameworks to the revised guidelines. Firms also need to ensure that the actual outsourcing arrangements are properly managed.

Many institutions are behind schedule in complying with the guidelines, with substantial internal alignment, key documentation, gap analyses and process reviews still outstanding. Leaving a 'sanity' buffer of three months before the end date is best practice, which means that any institution falling within the scope of EBA supervisory control needs to be set and ready within six months (i.e. by the end of September) – a window that also includes the summer holiday period. With such a tight timeframe, if execution is not managed with razor-sharp precision, institutions may end up in breach.

EIGHT KEY STEPS TO SUCCESSFUL AGILE AND TIME-BOXED DELIVERY

Working on key deliverables and processes, prioritizing the work ahead and having clear governance in place are some of the prerequisites for ensuring that financial institutions' Executive Committees will be able to validate the work on time and comply safely.

More precisely, we recommend the following eight-step process to fully comply within the required timeframe:

1. Outsourcing register: Start by leveraging your existing outsourcing register, while making sure you add the relevant fields the guidelines require. Do not forget that this exercise is done for the benefit of the service receiver and that the register needs to be maintained from a legal entity standpoint. Also, ensure that all cloud-related outsourcing engagements are identified.

2. Business case: This document is drafted to demonstrate that the justification for outsourcing is articulated and accepted, and that the service receiver has considered the different options available before opting for an outsourcing solution, with the materiality level of every outsourcing contract properly defined.

3. Risk assessment: Ensure that the risk taxonomy is consistent across the institution, potentially leveraging the outcomes of the Internal Control Framework. The level of automation of these assessments is key to making them efficient. You will also need to identify inherent risks and make sure each is accepted, mitigated or rejected.

4. Due diligence: This involves 'vetting' service providers, who must demonstrate sufficient and relevant experience, reputation and overall suitability to perform (including key certifications where required).

5. Oversight: Develop a set of key risk indicators (KRIs) and key performance indicators (KPIs) agreed between the service provider and the service receiver, and apply the ongoing monitoring principle (the frequency will depend on the materiality of the outsourced activity or process).

6. Contracts, SLAs and guidelines: Start drafting contractual agreements with both intra-group and external service providers. Involve the key stakeholders from your legal department at that stage.

7. DRP, BCM and exit plans: Draft exit plans for every material outsourcing arrangement, describing exit scenarios and the related exit triggers, preceded by tangible disaster recovery planning (DRP) and business continuity management (BCM).

8. Outsourcing policy: This is the cornerstone of your outsourcing remediation framework and should be the conclusive outcome of the whole initiative. Avoid treating it as a tick-box exercise, as that will only lead to frustration, misalignment and misunderstanding among key stakeholders.

OUR RECOMMENDATION

Starting now is not too late, but the time is short and the task is challenging. Ensure that you can:
- Work in a time-boxed manner
- Leverage a pre-defined set of deliverables and documents
- Have a consistent risk taxonomy in place
- Put in place a clear governance structure with strong sponsorship
- Work on a change management plan from the outset

We would also emphasise that automation should be considered, as the required processes, tools and documents are likely to generate a substantial administrative burden. Automation tools provide useful functionality such as centralized access, workflow management and automated dashboards and reporting.

Contact us to discuss how Capco can help your firm reach the fast-approaching compliance deadline on time.


