In this blog post, we round up forthcoming developments in the UK and at EU and International levels in financial services regulation for August 2019.
Authors: Hannah Cassidy, Clive Cunningham, Natalie Curtis, Javier de Carlos, Katherine Dillon, Matthias Gippert, Leopoldo Gonzalez Echenique, Vincent Hatton, Patricia Horton, Pierre Le Ninivin, Kai Liebrich, Natasha Mir, Stuart Paterson, Fiona Smedley, Jenny Stainsby, Jennifer Xue
Many regulators view their ability to intervene as one of their key supervisory tools to reduce harm in cases where there is a risk of significant consumer detriment or threat to financial markets.
At the same time, many jurisdictions have put in place product governance regimes for financial services firms which aim to avoid, or at least mitigate from an early stage, any potential risks of failure to comply with investor protection rules. In particular, the design and distribution obligations under these product governance regimes aim to overcome the limitations of disclosure and ensure that firms which manufacture and distribute financial products take some responsibility and adopt a more targeted customer-centric approach.
The stages of development, level of detail, scope and coverage of regulators’ product intervention powers, and the product design and distribution obligations under product governance regimes, vary across jurisdictions.
Our guide (which can be found here) summarises the frameworks in selected jurisdictions, allowing a high-level comparison of the different regimes and offering a glimpse of the direction of travel.
Following consultation in the second half of 2018, the European Banking Authority (EBA) has published its final report on draft guidelines for outsourcing arrangements. The report contains both the guidelines at pages 17-55 and the EBA’s feedback on the public consultation at pages 68-125.
Most provisions of the guidelines will enter into force on September 30, 2019. At the same time, the guidelines will replace those issued by the EBA’s predecessor organisation, the Committee of European Banking Supervisors (CEBS), in 2006 and will also incorporate the EBA’s 2017 recommendations on outsourcing to cloud service providers which came into effect on July 1, 2018.
The guidelines are intended to establish a more harmonised framework for financial institutions that are within the scope of the EBA’s mandate. They apply to credit institutions and investment firms which are subject to the Capital Requirements Directive (CRD) as well as to payment and electronic money (e-money) institutions.
To introduce further harmonisation, the guidelines reference the Markets in Financial Instruments Directive II (MiFID II) in their use of “critical or important function” in relation to outsourcing, and also acknowledge Solvency II and the revised Payment Services Directive (PSD2).
Member states’ competent authorities and financial institutions “must make every effort to comply” with the guidelines. The EBA has, however, acknowledged the need for proportionality, so that a firm and its competent authority(ies) should have regard to the nature, scale and complexity of the firm’s activities when complying with or, in the case of competent authorities, monitoring compliance with the guidelines.
The guidelines set out a regime applicable to outsourcing arrangements, covering matters ranging from governance and policy to risk assessment, due diligence, contracting, continuous oversight, business continuity plans and exit strategy.
For many firms, the finalisation of the guidelines will be a catalyst for a significant programme to review (and potentially rationalise or change) existing outsourcing arrangements. Below we discuss some points for firms to consider as they plan for implementation.
“Critical or important”
The guidelines apply to all outsourcing arrangements; however, the expectations are scaled so that more detailed requirements apply for those outsourcing arrangements that relate to “critical or important functions”. As already mentioned, the guidelines take into account the principle of proportionality.
Quite a few outsourcing arrangements would be considered to relate to critical or important functions, ranging, for example, from IT outsourcing arrangements that directly support the provision of banking activities or payment services to those relating to oversight and reporting in relation to such activities or services.
Further, firms should identify, assess, monitor and manage all risks resulting from arrangements with third parties, regardless of whether or not those arrangements are outsourcing arrangements, noting that the risk assessment provisions applicable to outsourcing arrangements apply to these arrangements as well.
Careful consideration should therefore be given to the treatment of arrangements which relate to critical or important functions where it is unclear whether or not they constitute an outsourcing arrangement.
It will be important for firms to establish whether any given outsourcing relates to “critical or important functions”, to identify and comply with the relevant guidelines. The factors to be taken into account generally focus on the impact of the outsourcing on the “critical or important function”. There are, however, some that relate more to the nature of the outsourcing arrangement itself rather than the impact of that arrangement on the “critical or important function”.
It is not entirely clear what weight should be given to the possibility of substitution of the service provider or reintegration of the outsourced function when assessing whether a proposed outsourcing arrangement relates to a “critical or important function”, and caution should be exercised when considering these factors.
Access and audit rights
During commercial negotiations in relation to outsourcing contracts, access and audit rights can be particularly difficult to obtain. This is amplified when the proposed service provider is the only provider (or one of a limited few providers) of those services and there is a significant imbalance in bargaining power. These concerns were raised during the consultation process, but the EBA’s analysis was that institutions should comply with all regulatory requirements including with regard to their outsourced functions, regardless of the fact that the services being provided may be standardised or offered by a single or small number of providers.
The EBA noted that audit rights are a basis for effective oversight and supervision and so need to be ensured contractually for at least critical and important functions, and using a risk-based approach. Respondents raised the issue as to how audit rights could effectively be enforced if the contractual rights were denied by predominant providers.
As a result, the EBA amended the guidelines on contractual access, information and audit rights. The draft guidelines referred to the possibility of third-party certifications and third-party reports made available by the service provider for the audits; however, they were not to be solely relied upon.
The guidelines provide for those measures, plus pooled audits organised jointly with other clients of the same service provider. They allow for institutions and payment institutions to assess whether they are adequate and sufficient to comply with their regulatory obligations, albeit they should not rely solely on those over time. Use of those reports and pooled audits is subject to a detailed list of conditions.
During the consultation phase, some respondents suggested that outsourcing requirements should not be applied, based on proportionality considerations, to intragroup outsourcing arrangements. The EBA clarified that proportionality does not mean that requirements are inapplicable; instead requirements are applied, but in a proportionate way. The point was further raised by respondents that there should be lower compliance and reporting obligations for intragroup outsourcing arrangements.
The EBA clarified that while intragroup outsourcing can be a cost-effective and efficient way of receiving or sharing services, it is not free from risks. While a higher level of control needs to be taken into account, intragroup outsourcing must be subject to appropriate decision-making processes. Requirements in relation to recovery and resolution planning and identification and management of conflicts of interest were specifically referred to in the context of intragroup outsourcing.
The EBA noted that certain variations in the application of provisions to intragroup outsourcing arrangements had already been included in the draft guidelines, and the final guidelines contained additional variations, in particular in relation to the provisions on exit strategies. For an exit plan established at group level relating to a critical or important function, individual institutions or payment institutions must be satisfied that the plan can be effectively executed, but the plan does not need to be considered in their decision to make use of the outsourcing arrangement.
During the consultation some respondents considered that prior approval for sub-outsourcings would be extremely challenging to obtain, and sought clarification on whether the approval is of a general nature or if the institution should grant its approval to each case of sub-outsourcing. The EBA’s analysis clarified that prior authorisation can be provided in general terms.
During the consultation a few respondents suggested that: the service provider should be held liable for any activity performed by the service provider’s third parties; financial institutions should be kept informed of any sub-outsourcing by the service provider and should be able to swiftly exit the outsourcing arrangement without cost; and on that basis institutions should be allowed to relax sub-outsourcing controls (i.e., controls over service providers that are effectively fourth parties in relation to institutions).
The EBA clarified, however, that institutions remain fully responsible for complying with all regulatory requirements when outsourcing functions. The liability of the service provider, including its liability in respect of its third-party providers, is part of the contractual arrangements that should be agreed between the service provider and the institution.
During the consultation several respondents asked for confirmation that no prior approval by the competent authority is necessary for an outsourcing arrangement. The EBA clarified that the guidelines neither require nor prevent competent authorities from applying a prior approval process for outsourcing arrangements, but firms should adequately inform competent authorities in a timely manner or engage in a supervisory dialogue with regard to planned outsourcing of “critical or important functions” and/or where an outsourced function has become “critical or important”.
The guidelines set out requirements in relation to the range of information required to be included in a register of outsourcing arrangements and firms may face challenges with practical implementation, for example, in identifying and collating all the relevant information and in keeping the register up-to-date.
While it may seem obvious, it should be noted that the register is intended to capture all specified categories of information in relation to “outsourcing arrangements”; regulatory expectations are unlikely to be met by a list of contracts. A well-designed register could, however, be a valuable information source for management bodies by providing operational insights, including:
- the concentration of arrangements with a particular service provider/exposure at a group or individual entity level to a particular service provider; and
- the spread of arrangements and data across different jurisdictions/exposure to particular jurisdictions.
These insights should help to inform both strategic and operational decision-making.
The register should be kept at both the institution and, where applicable, at sub-consolidated and consolidated levels. Firms that meet certain conditions may choose to keep the register centrally.
It should be noted, however, that under the guidelines the register should be capable of being provided to the competent authority on request in full or in part in an electronic format which can be processed.
The guidelines will apply to all outsourcing arrangements entered into, reviewed or amended on or after September 30, 2019. Institutions should review and amend their existing outsourcing arrangements for compliance accordingly.
It is important to note that firms are required to complete the documentation of all existing arrangements following the first renewal date of each existing arrangement, but by no later than December 31, 2021, i.e., the transitional provisions “deadlines” work to firms’ own renewal schedules with an end date of December 2021. An outsourcing due for first renewal in October 2019 would be reviewed at renewal rather than December 31, 2021.
Where an institution has not completed a review of an outsourcing arrangement which relates to “critical or important functions” by December 31, 2021, this should be notified to the relevant competent authority, along with an explanation of the measures which the institution proposes to take either to complete the review or to exit the arrangement.
Once firms begin to review their existing outsourcing arrangements to bring them into line with the new guidelines, cross-functional working will be essential, as various control and business functions will have an interest in the use of third-party suppliers.
Programmes are likely to bring together legal, operational risk, regulatory, compliance, procurement and audit expertise, while oversight within the three lines of defence approach will need to be allocated not only to business functions but also to appropriate senior management, risk committee and at board level to provide good governance of the processes and to ensure that decisions are aligned with business strategy and risk appetite.
This article was first published in Thomson Reuters Regulatory Intelligence on 28 March 2019.
Authors: Mark Ife and Paul Ellerman
Agreement has now been reached between the European Parliament, the Commission and the Council on the final texts of two Directives which will impact on the remuneration provisions which apply to banks and investment firms. The first is the Investment Firms Directive (IFD), which will introduce a new prudential regime for investment firms. The second is the Directive which contains the fourth set of amendments to the Capital Requirements Directive (which is generally being titled CRD5). The European Parliament will consider both Directives in its plenary sessions between 15 and 19 April 2019.
This briefing sets out details of the remuneration provisions contained in the IFD and the related Investment Firms Regulation (IFR). A subsequent briefing will cover the revised provisions contained in CRD5.
- New remuneration rules for investment firms
- Ability to apply proportionality?
- Impact of BREXIT on the IFD/IFR
- Next steps for the IFD
Following consultation in the second half of 2018, the European Banking Authority (“EBA”) published its Final Report on Draft Guidelines on Outsourcing Arrangements (the “Guidelines”) on 25 February 2019.
Most provisions of the Guidelines will enter into force on 30 September 2019. At the same time, the Guidelines will replace those issued by the EBA’s predecessor organisation, the Committee of European Banking Supervisors (“CEBS”), in 2006 and will also incorporate the EBA’s 2017 Recommendation on Outsourcing to Cloud Service Providers which came into effect on 1 July 2018.
The Guidelines are intended to establish a more harmonised framework for all financial institutions that are within the scope of the EBA’s mandate. The Guidelines apply to credit institutions and investment firms which are subject to the Capital Requirements Directive (“CRD”) as well as payment and electronic money institutions.
The Guidelines are issued under Article 16 of Regulation (EU) No. 1093/2010, the Regulation establishing the EBA. Member States’ competent authorities and financial institutions “must make every effort to comply” with the Guidelines. However, the EBA has acknowledged the need for proportionality within the text of the Guidelines, so that a firm and its competent authority(ies) should have regard to the nature, scale and complexity of the firm’s activities when complying with (or in the case of competent authorities, monitoring compliance with) the Guidelines.
The Guidelines will apply to all outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019. Institutions should review and amend their existing outsourcing arrangements for compliance accordingly. Where an institution has not completed a review of an outsourcing arrangement which relates to critical or important functions by 31 December 2021, this should be notified to the relevant competent authority, along with an explanation of the measures which the institution proposes to take to either complete the review or exit the arrangement.
For many firms, the finalisation of the Guidelines will be a catalyst for a significant programme to review (and potentially rationalise or change) existing outsourcing arrangements. Cross-functional working will be essential, as various control and business functions will have an interest in the use of third party suppliers. Programmes are likely to bring together legal, operational risk, regulatory, compliance, procurement, and audit expertise, while oversight within the three lines of defence approach will need to be allocated not only to business functions but also to appropriate senior management, risk committee and board level to provide good governance of the processes and to ensure that decisions are aligned with business strategy and risk appetite.
We are conducting a detailed review of the Guidelines and will publish a more comprehensive analysis shortly.
Proposed guidelines from the European Banking Authority (EBA) would extend the “bankers’ bonus cap” to all IFPRU investment firms as well as all banks, irrespective of size – this may include asset managers, hedge funds, broker-dealers, and spread-betting, FX and commodity trading houses and would also extend to every firm (including AIFMs or UCITS management companies) in the same group as a bank or an IFPRU investment firm – approximately 1,000 firms in the UK.
As has been widely reported, the European Banking Authority has stated that many role-based allowances should now be treated as variable remuneration, which will result in many banks being in breach of the “bankers’ bonus cap”.
The European Banking Authority (EBA) has published a consultation paper containing draft Regulatory Technical Standards (RTSs) on the content of recovery plans under the draft Recovery and Resolution Directive (RRD). This builds on the EBA Recommendation issued in January 2013 to foster the development of group recovery plans and their discussion within colleges of supervisors. The EBA is to hold a public hearing on 30 April 2013, and responses to the consultation are sought by 11 June 2013.
The European Banking Authority (EBA) today published an opinion addressed to competent authorities (as defined in the Capital Requirements Directive) which outlines a high level description of good practices with respect to the management of key risks that credit institutions encounter through their ETF business units or when dealing with ETFs, to:
- seek to ensure that potential risks associated with ETFs are managed adequately from the perspective of the credit institution – and indirectly from the perspective of its customers; and
- provide guidance as to the evaluation of risk that might emerge at bank level through their operational relationships with ETFs.
Although the opinion is addressed to competent authorities, credit institutions that have business units managing ETFs within their group, and those who may act as counterparties in swaps, securities lending and repos, as market makers/authorised participants, or as ETF investors, should read it carefully – not least since it contains (in part II) a three-page checklist of questions – under the general headings of liquidity, counterparty credit risk, and operational risk/conflicts of interest – which they can, in due course, expect their supervisor to be posing to their risk management function (and on which firms need therefore to be able to provide answers/explanations).