New European Banking Authority guidelines offer catalyst for change to outsourcing arrangements

Following consultation in the second half of 2018, the European Banking Authority (EBA) has published its final report on draft guidelines for outsourcing arrangements. The report contains both the guidelines at pages 17-55 and the EBA’s feedback on the public consultation at pages 68-125.

Most provisions of the guidelines will enter into force on September 30, 2019. At the same time, the guidelines will replace those issued by the EBA’s predecessor organisation, the Committee of European Banking Supervisors (CEBS), in 2006 and will also incorporate the EBA’s 2017 recommendations on outsourcing to cloud service providers which came into effect on July 1, 2018.

The guidelines are intended to establish a more harmonised framework for financial institutions that are within the scope of the EBA’s mandate. They apply to credit institutions and investment firms which are subject to the Capital Requirements Directive (CRD) as well as to payment and electronic money (e-money) institutions.

To introduce further harmonisation, the guidelines reference the Markets in Financial Instruments Directive II (MiFID II) in their use of “critical or important function” in relation to outsourcing, and also acknowledge Solvency II and the revised Payment Services Directive (PSD2).

Member states’ competent authorities and financial institutions “must make every effort to comply” with the guidelines. The EBA has, however, acknowledged the need for proportionality: a firm and its competent authority or authorities should have regard to the nature, scale and complexity of the firm’s activities when complying or, in the case of competent authorities, when monitoring compliance.

The guidelines set out a regime applicable to outsourcing arrangements, covering matters ranging from governance and policy to risk assessment, due diligence, contracting, continuous oversight, business continuity plans and exit strategy.

For many firms, the finalisation of the guidelines will be a catalyst for a significant programme to review (and potentially rationalise or change) existing outsourcing arrangements. Below we discuss some points for firms to consider as they plan for implementation.

Time to Mobilise: EBA finalises Guidelines on Outsourcing Arrangements

Following consultation in the second half of 2018, the European Banking Authority (“EBA”) published its Final Report on Draft Guidelines on Outsourcing Arrangements (the “Guidelines”) on 25 February 2019.

Most provisions of the Guidelines will enter into force on 30 September 2019. At the same time, the Guidelines will replace those issued by the EBA’s predecessor organisation, the Committee of European Banking Supervisors (“CEBS”), in 2006 and will also incorporate the EBA’s 2017 Recommendation on Outsourcing to Cloud Service Providers which came into effect on 1 July 2018.

Outsourcing to the Cloud: EBA issues Final Report on Recommendations

On 20 December 2017 the European Banking Authority (“EBA”) published its Final Report: Recommendations on Outsourcing to Cloud Service Providers (“CSPs”). The Recommendations will apply from 1 July 2018 to credit institutions as well as investment firms (i.e. not solely to banks). The aim of the EBA Recommendations is to: (i) provide guidance for institutions to enable them to use cloud solutions whilst appropriately managing risk; and (ii) promote supervisory convergence across the EU. The Final Report follows the EBA’s draft recommendations that were published on 18 May 2017 (refer to our previous article here). It should be noted that there is little substantive difference between the draft recommendations and those set out in the Final Report.

EBA issues new regulatory guidelines on ICT Risk Assessment and report on Payment Services Directive

On 11 May 2017, the European Banking Authority (“EBA”) issued new Guidelines on ICT Risk Assessment by competent authorities or regulators (the “Guidelines”). The Guidelines were produced “in view of the growing importance and increasing complexity of ICT risk within the banking industry and individual institutions”. They are intended to take effect from 1 January 2018 and apply in parallel to the current guidance that regulators already follow to determine the operational risk to which banks are exposed. Financial institutions are expected to be subject to assessment of their operational risk, including in respect of their security, business continuity and data integrity among other areas.


EBA publishes guidance on (i) outsourcing to cloud service providers and (ii) ICT Risk Assessment by competent authorities

On 18 May 2017, the European Banking Authority (“EBA”) published its draft recommendations on outsourcing to cloud service providers (the “EBA Recommendations”). Under Article 16 of Regulation (EU) No 1093/2010, the EBA is required to issue guidelines and recommendations addressed to both national competent authorities (NCAs) and financial institutions, with a view to establishing consistent, efficient and effective supervisory practices and ensuring the “common, uniform and consistent application of the European Union Law”.
