Following consultation in the second half of 2018, the European Banking Authority (EBA) has published its final report on draft guidelines for outsourcing arrangements. The report contains both the guidelines at pages 17-55 and the EBA’s feedback on the public consultation at pages 68-125.
Most provisions of the guidelines will enter into force on September 30, 2019. At the same time, the guidelines will replace those issued by the EBA’s predecessor organisation, the Committee of European Banking Supervisors (CEBS), in 2006 and will also incorporate the EBA’s 2017 recommendations on outsourcing to cloud service providers which came into effect on July 1, 2018.
The guidelines are intended to establish a more harmonised framework for financial institutions that are within the scope of the EBA’s mandate. They apply to credit institutions and investment firms which are subject to the Capital Requirements Directive(CRD) as well as to payment and electronic money (e-money) institutions.
To introduce further harmonisation, the guidelines reference the Markets in Financial Instruments Directive II (MiFID II) in their use of “critical or important function” in relation to outsourcing, and also acknowledge Solvency II and the revised Payment Services Directive (PSD2).
Member states’ competent authorities and financial institutions “must make every effort to comply” with the guidelines. The EBA has, however, acknowledged the need for proportionality, so that a firm and its competent authority(s) should have regard to the nature, scale and complexity of the firm’s activities when complying, or in the case of competent authorities, monitoring, compliance.
The guidelines set out a regime applicable to outsourcing arrangements, covering matters ranging from governance and policy to risk assessment, due diligence, contracting, continuous oversight, business continuity plans and exit strategy.
For many firms, the finalisation of the guidelines will be a catalyst for a significant programme to review (and potentially rationalise or change) existing outsourcing arrangements. Below we discuss some points for firms to consider as they plan for implementation. Continue reading