The guidelines acknowledge and address the fact that, over recent years, financial institutions have been increasingly interested in outsourcing business activities in order to reduce costs, improve their efficiency and have easy access to new financial technologies (fintech). The Guidelines aim at establishing a more harmonised framework for the outsourcing arrangements of financial institutions, by specifying the internal governance arrangements that they should implement when outsourcing functions and determining how competent authorities should review and monitor these arrangements.
Save for one provision, the Guidelines will apply to all outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019. Institutions are however obliged to review and amend all existing outsourcing arrangements by 31 December 2021 at the latest, with a view to compliance.
Furthermore, the Guidelines replace the Outsourcing Guidelines of 2006 issued by the EBA’s predecessor, the Committee of European Banking Supervisors (CEBS), and incorporate the EBA’s Recommendations on outsourcing to cloud service providers of 2017, both of which will be repealed upon the Guidelines’ entry into force.
At 125 pages, the EBA’s Guidelines provide a comprehensive instrument for financial institutions to have at hand when considering whether to outsource an activity, service, process or function. To save you reading, the 7 key takeaways from the new Guidelines are presented below:
In its Guidelines, the EBA aligns its definition of ‘outsourcing’ with that set out in the MiFID II framework* and gives valuable guidance on how to assess if an arrangement with a third party falls under the definition of outsourcing.
According to the EBA, it is crucial to assess whether the function (or a part thereof) that is outsourced to a service provider is performed on a recurrent or ongoing basis by the service provider, and whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by the financial institution, even if the institution has not performed this function itself in the past.
Furthermore, the Guidelines indicate certain processes, services and activities, which ‘as a general principle’ should not be considered outsourcing. Among those are:
The new Guidelines also provide criteria for the identification of critical or important functions that have a strong impact on the financial institution’s risk profile or on its internal control framework (formerly so-called ‘material activities’). If such critical or important functions are outsourced, stricter requirements apply to these outsourcing arrangements. As such, the Guidelines draw a distinction between outsourcing that is ‘critical or important’ and other outsourcing.
When assessing whether an outsourcing relates to a function that is critical or important, financial institutions should take into account at least the 10 factors mentioned by the Guidelines (such as the size and complexity of any business area affected, or the ability to reintegrate the outsourced function into the institution if necessary or desirable…). Besides that, the Guidelines define 3 situations in which a financial institution should always consider a function as critical or important.
Unfortunately, the EBA did not provide a clear consolidated list of which guidelines apply to which type of arrangements, arguing that the Guidelines are sufficiently clear as regards the scope of the requirements.
In respect of governance, the EBA emphasises that financial institutions remain fully responsible and accountable for complying with all their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions.
To this aim, financial institutions should make sure to:
In any case, it is important that financial institutions at all times maintain sufficient substance and do not become ‘empty shells’ or ‘letter-box-entities’.
Before entering into any outsourcing agreement, according to the Guidelines, financial institutions should always perform a ‘pre-outsourcing analysis’, which includes several different assessments.
Hence, financial institutions need to:
On the contractual level, the Guidelines require that a written agreement is concluded between the financial institution and the service provider, which clearly allocates and sets out the rights and obligations of the parties and includes certain specified provisions.
Besides that, the agreement should detail whether or not sub-outsourcing of critical or important functions is permitted. If so, the sub-contractor needs to comply with certain requirements and the financial institution should ensure that the service provider oversees the sub-service provider.
Furthermore, appropriate IT security standards should be imposed on the service provider and should be monitored on an ongoing basis.
Lastly, outsourcing contracts should contain provisions regarding the access, information and audit rights of both the financial institution and the competent authorities, as well as a provision on termination rights.
With regard to outsourcing to service providers located in third countries, the EBA stresses that financial institutions are expected to take particular care that compliance with EU legislation and regulatory requirements (e.g. professional secrecy, access to information and data, protection of personal data) is ensured, and that additional safeguards are put in place which guarantee that the outsourcing neither leads to an undue increase in risk nor impairs the ability of competent authorities to effectively supervise the financial institution, in particular when critical or important functions are concerned.
The EBA Guidelines entail two important document-keeping obligations.
First of all, financial institutions that are currently outsourcing certain activities, or are planning to do so in the future, have to put in place a written outsourcing policy that covers the main phases of the life cycle of outsourcing arrangements and defines the principles, responsibilities and processes in relation to outsourcing. This policy must be implemented, regularly reviewed and updated.
Secondly, in the context of risk management, financial institutions have to maintain an updated register of information on all outsourcing arrangements at the institution and should document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Even documentation on outsourcing arrangements that have ended should be maintained within the register for an appropriate period.
*See: Article 2(3) of the Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive.