EBA outsourcing guidelines and location – what you need to know


Out-Law Analysis | 29 Jun 2020 | 5:59 am | 5 min. read

Banks and other financial institutions should undertake additional due diligence where the service or data they are outsourcing will be located outside the EU. Firms should in particular assess their arrangements with cloud providers located outside of the EU.

This due diligence can help firms comply with European Banking Authority (EBA) guidance that requires them to specify the location of the services and their data in contracts for critical or important outsourcings.

The EBA's guidelines on outsourcing have applied to all new outsourcing from 30 September 2019. Firms have until December 2021 to update all existing documentation to meet the standards, which address a wide range of issues – including sub-outsourcing.

Among the various new requirements brought in under the EBA's guidelines, firms must ensure the location from which that service "will be performed and/or where the relevant data will be kept and processed, including the possible storage location" is specified in all "critical or important" contracts. The service provider must also notify the firm if it proposes to change the location. This requirement is one of a number of contractual terms that the EBA views as essential for these business critical outsourcing arrangements.

Location is a core concern for the EBA from the point of view of its ability to supervise the outsourced activity. From a data security perspective in particular, the regulatory standards imposed on suppliers in third countries may not meet the robust standards expected of European banks and financial institutions.

It is worth remembering that, while the contractual requirements on location are limited to the "critical or important" outsourcing arrangements, the guidelines' record keeping requirements apply across the board to all outsourcing arrangements firms put in place. Firms must keep a record of the country from which the service is performed, including the location of the data. For that reason, firms should consider including a contractual obligation on a service provider to notify the firm of any change to the location of the services or data in all outsourcing contracts so that the firm's records are kept accurate throughout the outsourcing.

Broad category of data

Firms will already be familiar with requirements to ensure that the location of personal data is clearly defined in a contract under the General Data Protection Regulation (GDPR). However, the EBA guidelines are broader and require the contract to include the location details of all data processed by a supplier on behalf of the regulated institution where there is an outsourcing of a critical or important function.

If the service provider processes data across different regions, for example in a primary data centre in the UK and a back-up centre in Ireland, then both locations should be listed. In addition, firms should consider whether the service provider uses a sub-contractor to process data on its behalf, and if it does, the location of the sub-contractor and its processing activities should be included as well.

Exact location of a data

The prospect of disclosing the location of a data centre will naturally raise concerns from a security perspective. After some feedback on this point during the EBA's initial consultation, the guidelines were clarified so that only the country or region must be recorded, not the precise location of the data. Therefore, the location of the data can be set out in broad terms to a country or region, for example, 'the EU'.

Due diligence

Before any outsourcing commences, the guidelines require firms to undertake a pre-outsourcing analysis. This requires, amongst other things, a risk assessment of the potential additional risks associated with the location of the service or data. The EBA expects firms to factor into their risk assessments additional safeguards where the service provider is located in a country based outside of the EU. For example, the firm should consider the potential difficulty in accessing the data for the purpose of oversight and audit – by both the firm and its regulators – and enforcing a court judgment in that service provider's location.

The location of data and the assessment of the risk in a particular location is not a one-off compliance measure. The location should be documented in the firms' outsourcing register and regularly reviewed and assessed to ensure ongoing compliance in light of any change in legal or political circumstance.

Locations outside of the EU

Countries that are located outside of the EU are considered to be 'third countries'. The EBA has said: "With regard to outsourcing to service providers located in third countries, financial institutions are expected to take particular care that compliance with EU legislation and regulatory requirements (e.g. professional secrecy, access to information and data, protection of personal data) is ensured and that the competent authority is able to effectively supervise financial institutions". Firms will have to require outsourced service providers to comply with confidentiality and GDPR obligations that are equivalent to EU standards and ensure that regulators can exercise their rights of access and audit at the premises from which the services are provided.

In addition, the EBA requires institutions to "take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct". In particular, where the service provider and their sub-contractors are based in a third country, firms should be satisfied that the service provider is acting in an ethical and socially responsible manner and adheres to international standards on human rights, environmental protection and appropriate working conditions, including the prohibition of child labour.

This obligation applies to all outsourcings and will require the firm to ensure that the service provider is compliant with these international and EU legal requirements and with any internal policies or codes of conduct that the firm has in place. With existing arrangements, it may be very difficult for a service provider to renegotiate terms with their subcontractors to meet this requirement.

Contractual challenges outsourcing to cloud providers in third countries

The additional contractual requirements that firms now have to put in place may cause a compliance issue where firms are outsourcing to small cloud providers located outside of the EU.

The low cost cloud model does not easily accommodate individual customers' specific requirements, even where these flow from a sector wide regulatory regime. Indeed, the many benefits that cloud services can offer are often taken on the understanding that there will be very little room for the negotiation of contractual terms or take on of additional risk. Many cloud providers in third countries will simply not be able to change their processes or internal policies to meet the EBA guidelines.

With this in mind, a number of the larger cloud services providers are now well versed in the contractual requirements of the EBA guidelines and are now looking to get ahead of their customer's contractual remediation projects. As we saw with the application of GDPR in 2018, some cloud providers have updated their existing standard terms and conditions to incorporate their interpretation of the guidelines' requirements.

Business continuity issues and Covid-19

It goes without saying that Covid-19 will have a lasting impact on the approach taken to business continuity planning. With business continuity at the heart of the EBA's guidelines, it is important to consider whether a country's response to the pandemic has increased the risk of outsourcing services or data to that country. Firms should look at how certain countries have dealt with the pandemic, and what measures they are putting in place to prevent a resurge, as part of their risk based approach for existing and new outsourcing arrangements.

Additional reporting by Carolyn Lang of Pinsent Masons.

Written by Mhairi Mival, Legal Director