1. Background – the European Banking Authority (EBA) issued its revised Guidelines on outsourcing arrangements (Guidelines) at the end of February 2019. They are the first wholesale update since 2006, when the guidelines applied exclusively to credit institutions, and they now apply to a broader range of in-scope financial institutions (FIs).
2. Timings – the Guidelines apply to outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019. Existing arrangements must be brought into line with the Guidelines by 31 December 2021, although there may be some flexibility around that date.
3. Rationale – operational risk control. In the age of FinTech and digital transformation, outsourcing is an easy way to access new technologies and achieve economies of scale. It can, however, result in a loss of control over an FI's management, systems and processes, and can increase its information security and data protection risks.
4. Objective – the Guidelines require FIs to exercise the same degree of management and control over their outsourced service providers (OSPs) as they would over their own systems and processes. The Guidelines harmonise the approach to those management and control frameworks.
5. Scope – the Guidelines apply to credit institutions; investment firms; PSD2 payment institutions; and EMD2 electronic money institutions. They cover intra-group outsourcings between FIs as well as outsourcings between independent FIs where one of the parties acts as the OSP.
6. Definition of Outsourcing – an outsourcing is any arrangement under which an OSP performs a process, service or activity for an FI that would otherwise be undertaken by the FI itself. This is aligned with the definition in the MiFID2 implementing regulation. Read literally, the definition could capture simple procurement or purchasing activities; the Guidelines set out a line of reasoning to help narrow that interpretation. Certain standardised services are not considered to be outsourcing, e.g. market data services and correspondent banking.
7. Application – the Guidelines apply to all types of outsourcing by FIs (general, critical or important functions, or intra-group). They do not neatly prescribe which requirements apply to which type of outsourcing, which can be confusing at times, although stricter rules certainly apply to the outsourcing of critical or important functions (previously referred to as material functions).
8. Outsourcing critical or important functions – a function is critical or important where a defect or failure in its performance would materially impair: an FI's compliance with the conditions of its authorisation and its other regulatory obligations; its financial performance; and/or the soundness or continuity of its banking and payment services and activities.
9. Outsourcing regulated activities – banking activities or payment services that require authorisation in the EU member state in which the FI is located may only be outsourced to an OSP located:
  • in the EU, where that OSP is authorised or the service is otherwise permitted in that location; or
  • outside the EU, where there is a co-operation agreement between the relevant financial supervisory authorities. This will impact the UK on leaving the EU.
10. Governance – the Guidelines require the following governance principles to be implemented for outsourcings:
  • the FI's management body retains effective day-to-day management of, and oversight over, the outsourcing;
  • the FI can continue to operate its business activities and critical or important functions;
  • all outsourcing risks (especially ICT and FinTech risks) are identified, assessed, monitored and managed; and
  • there is an appropriate flow of information with OSPs, and the confidentiality of data and of that information is maintained.
11. Assessment – before entering into an outsourcing arrangement, FIs should carry out a documented assessment that considers:
  • whether the planned outsourcing concerns a critical or important function and/or a regulated activity;
  • operational risks, including legal, ICT, compliance and reputational risks;
  • due diligence on the OSP; and
  • any conflicts of interest.
12. Outsourcing Agreement – all outsourcings should be governed by a written contract. The outsourcing agreement for critical or important functions should contain, amongst other things:
  • a clear description of the outsourced function;
  • whether sub-outsourcing is permitted;
  • the location(s) where the function will be performed and/or where relevant data will be kept and processed;
  • monitoring of the OSP's performance and the application of service levels;
  • the OSP's reporting obligations to the FI;
  • co-operation, audit and access rights for the FI and its supervisory authorities;
  • easy access to data by the FI if the OSP discontinues its business operations; and
  • termination rights.
13. Register – FIs should maintain an up-to-date register of specified information on all of their outsourcings (past and present). The register should be made available to supervisory authorities upon request.
14. Outsourcing Policy and Procedure – the Guidelines require FIs to implement a written outsourcing policy that defines the principles, responsibilities and processes for the main phases of the life cycle of an outsourcing.
15. Notifications – FIs should notify their supervisory authorities of planned outsourcings of critical or important functions, and of any material changes or events that could have a material impact on the continuing provision of the FI's business activities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.