On 25 February 2019, the European Banking Authority (EBA) published revised Guidelines on outsourcing arrangements for financial institutions, namely credit institutions and investment firms subject to the Capital Requirements Directive (CRD), and for payment and electronic money institutions (collectively referred to here as ‘financial institutions’). Running to 70 pages, plus another 55 pages setting out the EBA’s summary and analysis of comments raised during the consultation, the Guidelines are more detailed and, in some cases, more prescriptive than those they replace although for the most part they build on the previous guidance. This article summarises some of the main issues to be aware of.
Keeping pace with innovation
In updating its rulebook, the EBA is responding to the increasing importance of Fintech, cloud computing and digitalisation, with financial institutions adapting their business and operating models to embrace such innovations, as well as seeking cost and operating efficiencies. As the EBA points out, outsourcing enables financial institutions to gain relatively easy access to new technologies and to achieve economies of scale.
A “more” harmonised framework
The Guidelines will apply from 30 September 2019 with transitional arrangements until 31 December 2021. They will replace the current CEBS Guidelines on outsourcing (GL02/2006) and the Recommendation on Outsourcing to Cloud Service Providers (EBA/REC/2017/03). The latter has been integrated into the Guidelines. The Guidelines aim to ensure that financial institutions can apply a single framework on outsourcing for all their banking, investment and payment activities and services, as well as providing a level playing field between different types of financial institutions. They are consistent with the requirements on outsourcing under the Payments Services Directive (PSD2), the Markets in Financial Instruments Directive (MiFID II) and the Commission Delegated Regulation (EU) 2017/565.
A particular focus of the Guidelines relates to the governance and management oversight of outsourcing arrangements. The management body of each financial institution remains responsible for that institution and its activities at all times, including outsourcing. Management should ensure that sufficient resources are available within the retained organisation in order to oversee all risks and to manage the outsourcing arrangements, and that it has appropriate governance structures and frameworks (including due diligence process and risk assessment) in place for outsourcing. The retained organisation must not be allowed to become an “empty shell” lacking the substance to remain authorised.
Frameworks for due diligence by financial institutions should have the objective of ensuring that functions are only outsourced to reliable service providers. However, as has been seen recently with the administration of Interserve and before that the collapse of Carillion, best practice requires diligence and oversight on an ongoing basis throughout the outsourcing life-cycle on a proactive and pre-emptive basis. Section 15 of the Guidelines set out in some detail the approach to be taken when documenting exit strategies when outsourcing critical or important functions are outsourced, which should include a forced exit in the event of failure of the service provider.
All outsourced functions
Notably, the Guidelines apply to all outsourced services, activities and functions, not just those deemed “critical and important” (per MiFID II). However, when it comes to outsourcing to third countries (i.e. outside of the EEA), the “critical and important” test remains important. Non-recurrent activities such as purchases of goods (including software licences) are not considered as outsourcing arrangements, whereas arrangements for recurrent or ongoing services are.
Because of the particular challenges to effective supervision when functions are outsourced to service providers located in third countries, the Guidelines describe which arrangements with third parties are to be considered as outsourcing, with stricter requirements applicable to the outsourcing of “critical and important’ services, activities and functions, compared with other, lower risk outsourcing arrangements. Particular care is required by financial institutions to ensure that service providers in third countries comply with EU legislation and regulatory requirements including professional secrecy, access to information and data, and data protection.
The Guidelines also apply to subsidiaries of financial institutions located in third countries – although not directly subject to the Guidelines they are covered by its requirements on a consolidated basis. The same applies where third-country institutions establish subsidiaries and branches in the EEA in order to gain market access, relying on the outsourcing of functions to a parent or other group entity located in a third country.
When outsourcing important or critical functions to entities within the same group, financial institutions should ensure that the selection of the group entity is based on objective reasons and that the conditions of the outsourcing arrangement are set at arm’s length and explicitly deal with conflicts of interest that such an outsourcing arrangement may entail. All relevant risks must be clearly identified and the mitigation measures and controls put in place to ensure that outsourcing to an affiliated entity does not impair the financial institution’s ability to comply with the relevant regulatory framework documented. The same considerations apply to institutions that are members of an institutional protection scheme when outsourcing functions to a central service provider.
The EBA says that respondents to the consultation found the contractual requirements in the draft Guidelines too demanding and specific, and requested that a more principle-based approach be adopted, pointing out that certain expectations would raise significant legal and practical challenges, e.g. the inclusion of audit and access rights and the approach to sub-outsourcing that would trigger additional documentation and monitoring burdens. Notwithstanding these comments, the Guidelines specify certain requirements that should be included within the written outsourcing agreement (see section 13). These include rights for financial institutions and their competent authorities to inspect and access information, accounts and premises, as well as termination rights, data security standards, and rules relating to sub-outsourcing (i.e. subcontracting and sub-processing).
Financial institutions will need to review their current outsourcing and supply chains including current outsourcing contracts and consider whether there are gaps which can be closed, as well as updating contract forms, checklists and processes to ensure compliance with the Guidelines. Where applicable services, functions and activities are already outsourced, if the requirements of the Guidelines cannot be met through renegotiation of contract terms there are transitional periods which give financial institutions time to reintegrate outsourced functions or move them to other service providers.