
EBA launches a welcome improvement of the current outsourcing guidelines

The European Banking Authority (EBA) has launched a consultation paper on its draft outsourcing guidelines. The guidelines are a welcome improvement of the current guidelines.

The EBA aims to preserve trust in the reliability of the financial system in the face of FinTech. Danish authorities should amend the current national regime in line with the new guidelines, e.g. in respect of sub-contracting and audits.

New guidelines

On 22 June 2019, the EBA launched a consultation paper on its draft outsourcing guidelines. The new guidelines will replace the existing CEBS Guidelines on Outsourcing published in 2006, which applied to credit institutions only. They aim to establish a more harmonised framework for all financial institutions within the scope of the EBA's mandate, namely credit institutions and investment firms subject to CRD, as well as payment and electronic money institutions.

The EBA aims to preserve trust in the reliability of the financial system while supporting current tendencies and the evolving needs of financial institutions, e.g.:

  • the increased tendency of institutions to adapt their business models, processes and systems to embrace outsourcing, cloud and information technology through FinTech, e.g. in response to the pressure that the low interest rate environment puts on the margins of more traditional banking business models; and
  • the need for certain third country institutions to gain and maintain access to the EU financial market through subsidiaries or branches in the EU, and the need to use the parent institution to provide a material part of the business activities.

The new guidelines' key elements

Continued responsibility of management body

The financial institution's management body remains responsible at all times. To this end, the management body should ensure that sufficient resources are available to appropriately support and ensure the performance of those responsibilities, including overseeing the risks and managing the outsourcing arrangements.

Outsourcing must not lead to a situation where an institution becomes a so-called "empty shell" that lacks the substance to remain authorised.

Outsourcing to third countries

With regard to outsourcing to service providers located in third countries, financial institutions must take particular care that compliance with EU legislation and regulatory requirements (e.g. professional secrecy, access to information and data, protection of personal data) is ensured and that the competent authority is able to effectively supervise financial institutions, including in particular the critical or important functions outsourced to service providers.

Definition of outsourcing

The guidelines define which arrangements with third parties are considered outsourcing and provide criteria for identifying critical or important functions, i.e. those with a stronger impact on the financial institution's risk profile or on its internal control framework. If such critical or important functions are outsourced, stricter requirements apply than for other outsourcing arrangements. The definition provided in the guidelines is in line with the related Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II.

A framework for due diligence

The guidelines provide a framework for the due diligence process of institutions, with the objective of ensuring that functions are only outsourced to reliable service providers so that the ongoing provision of services and compliance with regulatory requirements are ensured. They provide that institutions must secure audit and access rights in written outsourcing agreements, both for themselves and for competent authorities, and that institutions are required to maintain a register of all outsourcing arrangements.

Obligations of authority

Competent authorities are required to effectively supervise financial institutions' outsourcing arrangements, including identifying and monitoring risk concentration at single service providers, and to assess whether such concentration could pose a risk to the stability of the financial system. To identify such risk concentration, competent authorities should be able to rely on comprehensive documentation of financial institutions' outsourcing arrangements.

Right to inspection, audit and information access

The institutions' and competent authorities' rights to inspection and to access to information, accounts and premises should be ensured within the written outsourcing agreement. The right to audit is key to providing appropriate assurance that outsourced functions are delivered as contractually agreed and in line with regulatory requirements.

Further guidance is provided on how institutions and payment institutions can exercise their audit rights in a risk-based manner, taking account of the organisational burden for both the outsourcing institution and the service provider, as well as of practical, security and confidentiality concerns regarding physical access to certain types of business premises and access to data in multi-tenant environments. The guidelines allow the use of third-party certifications and third-party reports made available by the service provider for the audits (but institutions should not rely solely on those). Institutions may also use pooled audits organised jointly with other clients of the same service provider and performed by the institution and these clients, or by a third party appointed by them, in order to use audit resources more efficiently and to decrease the organisational burden on both the clients and the service provider. Hopefully, Denmark will amend its more restrictive regime on audits to allow institutions to satisfy the need for inspection and access to information in various and less cumbersome ways.

Cloud-specific guidelines

The recommendations on outsourcing to cloud service providers have been fully integrated into the guidelines and will be repealed when the guidelines enter into force. The guidelines specify that sub-outsourcing requires ex ante notification to institutions and payment institutions in the case of outsourcing of critical or important functions, and institutions should always have the right to terminate the contract if planned changes to services, including changes caused by sub-outsourcing, would have an adverse effect on the risk assessment of the outsourced services. Hopefully, Denmark will amend its more restrictive regime on sub-contracting to require only notification and termination rights, and not consent from the institutions (which is a requirement under the applicable regime).

Reading the guidelines

The guidelines do not change the principle of proportionality, according to which the guidelines must be applied in a manner that is appropriate, taking into account in particular the size of the institution, its internal organisation and the nature, scope and complexity of its activities.

They should be read in conjunction with, and without prejudice to, the EBA guidelines on internal governance, which already include requirements on institutions' outsourcing policies, the EBA guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP), and the EBA guidelines on ICT risk assessment under the SREP.

For payment institutions, the guidelines should be read in conjunction with the EBA guidelines on the information to be provided for the authorisation of payment institutions under Directive 2015/2366/EU (PSD2), the EBA guidelines on security measures for operational and security risks under PSD2, and the EBA guidelines on major incident reporting under PSD2.

The EBA will receive comments on its consultation until 24 September 2018, and a public hearing will take place at the EBA premises on 4 September 2018.

Contact

Søren Skibsted
Partner (Copenhagen)
Dir. +45 38 77 43 83
Mob. +45 24 86 00 19