Following consultation in the second half of 2018, the European Banking Authority (EBA) has published its final report on draft guidelines for outsourcing arrangements. The report contains both the guidelines at pages 17-55 and the EBA’s feedback on the public consultation at pages 68-125.
Most provisions of the guidelines will enter into force on September 30, 2019. At the same time, the guidelines will replace those issued by the EBA’s predecessor organisation, the Committee of European Banking Supervisors (CEBS), in 2006 and will also incorporate the EBA’s 2017 recommendations on outsourcing to cloud service providers which came into effect on July 1, 2018.
The guidelines are intended to establish a more harmonised framework for financial institutions that are within the scope of the EBA’s mandate. They apply to credit institutions and investment firms which are subject to the Capital Requirements Directive (CRD) as well as to payment and electronic money (e-money) institutions.
To introduce further harmonisation, the guidelines reference the Markets in Financial Instruments Directive II (MiFID II) in their use of “critical or important function” in relation to outsourcing, and also acknowledge Solvency II and the revised Payment Services Directive (PSD2).
Member states’ competent authorities and financial institutions “must make every effort to comply” with the guidelines. The EBA has, however, acknowledged the need for proportionality, so that a firm and its competent authority or authorities should have regard to the nature, scale and complexity of the firm’s activities when complying or, in the case of competent authorities, monitoring compliance.
The guidelines set out a regime applicable to outsourcing arrangements, covering matters ranging from governance and policy to risk assessment, due diligence, contracting, continuous oversight, business continuity plans and exit strategy.
For many firms, the finalisation of the guidelines will be a catalyst for a significant programme to review (and potentially rationalise or change) existing outsourcing arrangements. Below we discuss some points for firms to consider as they plan for implementation.
“Critical or important”
The guidelines apply to all outsourcing arrangements; however, the expectations are scaled so that more detailed requirements apply for those outsourcing arrangements that relate to “critical or important functions”. As already mentioned, the guidelines take into account the principle of proportionality.
Quite a few outsourcing arrangements would be considered to relate to critical or important functions, ranging, for example, from IT outsourcing arrangements that directly support the provision of banking activities or payment services to those relating to oversight and reporting in relation to such activities or services.
Further, firms should identify, assess, monitor and manage all risks resulting from arrangements with third parties, regardless of whether or not those arrangements are outsourcing arrangements, noting that the risk assessment provisions applicable to outsourcing arrangements apply to these arrangements as well.
Careful consideration should therefore be given to the treatment of arrangements which relate to critical or important functions where it is unclear whether or not they constitute an outsourcing arrangement.
It will be important for firms to establish whether any given outsourcing relates to “critical or important functions”, to identify and comply with the relevant guidelines. The factors to be taken into account generally focus on the impact of the outsourcing on the “critical or important function”. There are, however, some that relate more to the nature of the outsourcing arrangement itself rather than the impact of that arrangement on the “critical or important function”.
It is not entirely clear what weight should be given to the possibility of substitution of the service provider or reintegration of the outsourced function when assessing whether a proposed outsourcing arrangement relates to a “critical or important function”, and caution should be exercised when considering these factors.
Access and audit rights
During commercial negotiations in relation to outsourcing contracts, access and audit rights can be particularly difficult to obtain. This is amplified when the proposed service provider is the only provider (or one of a limited few providers) of those services and there is a significant imbalance in bargaining power. These concerns were raised during the consultation process, but the EBA’s analysis was that institutions should comply with all regulatory requirements including with regard to their outsourced functions, regardless of the fact that the services being provided may be standardised or offered by a single or small number of providers.
The EBA noted that audit rights are a basis for effective oversight and supervision and so need to be ensured contractually for at least critical and important functions, and using a risk-based approach. Respondents raised the issue as to how audit rights could effectively be enforced if the contractual rights were denied by predominant providers.
As a result, the EBA amended the guidelines on contractual access, information and audit rights. The draft guidelines referred to the possibility of third-party certifications and third-party reports made available by the service provider for the audits; however, they were not to be solely relied upon.
The guidelines provide for those measures, plus pooled audits organised jointly with other clients of the same service provider. They allow for institutions and payment institutions to assess whether they are adequate and sufficient to comply with their regulatory obligations, albeit they should not rely solely on those over time. Use of those reports and pooled audits is subject to a detailed list of conditions.
During the consultation phase, some respondents suggested that outsourcing requirements should not be applied, based on proportionality considerations, to intragroup outsourcing arrangements. The EBA clarified that proportionality does not mean that requirements are inapplicable; instead requirements are applied, but in a proportionate way. Respondents further raised the point that there should be lower compliance and reporting obligations for intragroup outsourcing arrangements.
The EBA clarified that while intragroup outsourcing can be a cost-effective and efficient way of receiving or sharing services, it is not free from risks. While a higher level of control needs to be taken into account, intragroup outsourcing must be subject to appropriate decision-making processes. Requirements in relation to recovery and resolution planning and identification and management of conflicts of interest were specifically referred to in the context of intragroup outsourcing.
The EBA noted that certain variations in the application of provisions to intragroup outsourcing arrangements had already been included in the draft guidelines, and the final guidelines contained additional variations, in particular in relation to the provisions on exit strategies. For an exit plan established at group level relating to a critical or important function, individual institutions or payment institutions must be satisfied that the plan can be effectively executed, but the plan does not need to be considered in their decision to make use of the outsourcing arrangement.
During the consultation some respondents considered that prior approval for sub-outsourcings would be extremely challenging to obtain, and sought clarification on whether the approval is of a general nature or if the institution should grant its approval to each case of sub-outsourcing. The EBA’s analysis clarified that prior authorisation can be provided in general terms.
During the consultation a few respondents suggested that: the service provider should be held liable for any activity performed by the service provider’s third parties; financial institutions should be kept informed of any sub-outsourcing by the service provider and should be able to swiftly exit the outsourcing arrangement without cost; and on that basis institutions should be allowed to relax sub-outsourcing controls (i.e., controls over service providers that are effectively fourth parties in relation to institutions).
The EBA clarified, however, that institutions remain fully responsible for complying with all regulatory requirements when outsourcing functions. The liability of the service provider, including its liability in respect of its third-party providers, is part of the contractual arrangements that should be agreed between the service provider and the institution.
During the consultation several respondents asked for confirmation that no prior approval by the competent authority is necessary for an outsourcing arrangement. The EBA clarified that the guidelines neither require nor prevent competent authorities from applying a prior approval process for outsourcing arrangements, but firms should adequately inform competent authorities in a timely manner or engage in a supervisory dialogue with regard to planned outsourcing of “critical or important functions” and/or where an outsourced function has become “critical or important”.
The guidelines set out requirements in relation to the range of information required to be included in a register of outsourcing arrangements and firms may face challenges with practical implementation, for example, in identifying and collating all the relevant information and in keeping the register up-to-date.
While it may seem obvious, it should be noted that the register is intended to capture all specified categories of information in relation to “outsourcing arrangements”; regulatory expectations are unlikely to be met by a list of contracts. A well-designed register could, however, be a valuable information source for management bodies by providing operational insights, including:
- the concentration of arrangements with a particular service provider/exposure at a group or individual entity level to a particular service provider; and
- the spread of arrangements and data across different jurisdictions/exposure to particular jurisdictions.
These insights should help to inform both strategic and operational decision-making.
The register should be kept at both the institution and, where applicable, at sub-consolidated and consolidated levels. Firms that meet certain conditions may choose to keep the register centrally.
It should be noted, however, that under the guidelines the register should be capable of being provided to the competent authority on request in full or in part in an electronic format which can be processed.
The guidelines will apply to all outsourcing arrangements entered into, reviewed or amended on or after September 30, 2019. Institutions should review and amend their existing outsourcing arrangements for compliance accordingly.
It is important to note that firms are required to complete the documentation of all existing arrangements following the first renewal date of each existing arrangement, but by no later than December 31, 2021, i.e., the transitional provisions “deadlines” work to firms’ own renewal schedules with an end date of December 2021. An outsourcing due for first renewal in October 2019 would be reviewed at renewal rather than December 31, 2021.
Where an institution has not completed a review of an outsourcing arrangement which relates to “critical or important functions” by December 31, 2021, this should be notified to the relevant competent authority, along with an explanation of the measures which the institution proposes to take either to complete the review or to exit the arrangement.
Once firms begin to review their existing outsourcing arrangements to bring them into line with the new guidelines, cross-functional working will be essential, as various control and business functions will have an interest in the use of third-party suppliers.
Programmes are likely to bring together legal, operational risk, regulatory, compliance, procurement and audit expertise, while oversight within the three lines of defence approach will need to be allocated not only to business functions but also to appropriate senior management, risk committee and at board level to provide good governance of the processes and to ensure that decisions are aligned with business strategy and risk appetite.
This article was first published in Thomson Reuters Regulatory Intelligence on 28 March 2019.