In the current context of digitisation and the growing importance of information and financial technologies on the one hand, and persistently low interest rates together with the pursuit of cost efficiency on the other, outsourcing has become an important factor in the organisation of financial institutions. Against this background, the European Banking Authority (EBA) has updated the CEBS outsourcing guidelines issued in 2006 with the publication of the Guidelines on Outsourcing (Guidelines) on 25 February 2019.
The Guidelines have been drawn up to ensure a level playing field and a more harmonised framework for outsourcing agreements between financial institutions. In addition, the Recommendation on Outsourcing to Cloud Service Providers, published in December 2017, has been integrated into the Guidelines.
Who is affected?
Compared to their predecessor, which applied exclusively to credit institutions, the Guidelines apply to all financial institutions within the scope of the EBA, i.e. to credit institutions and investment firms subject to the Capital Requirements Directive (Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013), payment institutions and electronic money institutions (Institutions). Only payment institutions providing exclusively account information services are excluded from the scope of the Guidelines.
What is outsourcing?
The Guidelines set out the internal governance arrangements, including sound risk management, that Institutions need to implement when outsourcing functions, in particular with regard to the outsourcing of critical or important functions.
The Guidelines also implement a new definition for the terms “outsourcing” and “critical or important function”.
These new definitions have been fully aligned with the MiFID II framework to create a consistent framework for outsourcing.
At the same time, the Guidelines also define the minimum regulatory requirements for non-critical or unimportant agreements.
According to the Guidelines, outsourcing refers to an agreement of any form between an Institution and a service provider under which the service provider carries out a process, provides a service or carries out an activity that the Institution would otherwise undertake itself.
With regard to the definition of a critical or important function, the Guidelines explicitly state the situations in which Institutions should always consider a function to be critical or important, referring to the concept of the material impairment of that function due to a defect or failure in its performance as known under the MiFID II rules.
What are the key changes?
The Guidelines contain provisions which in some cases go beyond the existing minimum requirements with regard to outsourcing. In particular, it is worth noting the following amendments:
- Extension of the target group: The new Guidelines apply not only to credit and financial services institutions, but now also to payment institutions and electronic money institutions (see above).
- Critical and important functions are to be identified by the Institutions on the basis of the Guidelines.
- The competent supervisory authority should be notified in advance, particularly in the case of critical or important functions being outsourced or significant changes to any such outsourcing.
- Before outsourcing, a thorough analysis must be carried out. The first step is to determine whether the agreement with the service provider constitutes outsourcing within the meaning of the Guidelines at all. Next, it needs to be examined whether the outsourcing concerns a critical or important function. In addition, a comprehensive risk analysis is to be made and the suitability of the service provider is to be examined by way of due diligence. If a critical or important function is outsourced, such due diligence must meet more stringent requirements.
- Within the framework of their risk management, Institutions are obliged to maintain a detailed outsourcing register of all their outsourcing contracts. With respect to such register, there are again different requirements with regard to the outsourcing of critical or important functions on the one hand and the outsourcing of non-critical or unimportant functions on the other hand. At the request of the competent authority, Institutions must provide either the complete register or parts thereof in a processable electronic format.
- The management of an Institution has to adopt and regularly review a written outsourcing policy and ensure its implementation. This internal outsourcing policy should define, among other things, the principles, responsibilities and processes relating to outsourcing.
- Furthermore, conflicts of interest related to the intended outsourcing need to be identified and appropriately considered as part of the risk management processes. In addition, the Guidelines contain provisions for conflicts of interest arising from internal outsourcing within the Group.
- Additionally, the Guidelines stipulate that Institutions must develop exit strategies in the event of the termination of an outsourcing agreement concerning critical or important functions. In the Guidelines, the EBA specifies in detail which requirements Institutions must comply with.
- The new Guidelines contain a negative list of situations that do not qualify as outsourcing. For example, it is made clear that neither the maintenance of an Institution’s premises nor the procurement of goods and services (such as electricity, telephone, etc.) nor market information services such as rating agencies constitute outsourcing.
Timeline and national implementation
The Guidelines apply to all outsourcing agreements
- entered into,
- reviewed, or
since 30 September 2019.
A general transposition deadline of 31 December 2021 applies to
- the requirements for the outsourcing register,
- the review of existing outsourcing agreements concerning critical or important functions.
This means that Institutions should comprehensively review their operational structures, internal processes and contractual documentation in relation to outsourcing.
In accordance with the “comply or explain” principle, the competent national authorities are required to make a declaration to the EBA as to whether or not they intend to comply with the Guidelines.
For Institutions in Germany, EBA guidelines only become binding once they have been confirmed by BaFin or implemented into national law. As a rule, BaFin incorporates EBA guidelines into its administrative practice. According to our information, BaFin made a declaration to the EBA in July 2019 that it intends to comply with the Guidelines as of 20 December 2020. It is therefore expected that the Guidelines will be implemented as part of the forthcoming amendment of BaFin’s Minimum Requirements for Risk Management (MaRisk).
For Institutions in Luxembourg, it is expected that the Guidelines will be introduced in the form of a circular issued by the Luxembourg financial supervisory authority, the “Commission de Surveillance du Secteur Financier” (CSSF), as, according to our information, the CSSF also declared its intention to comply with the Guidelines to the EBA in August 2019.
Need for action
Institutions should continue to assess the impact of the requirements of the Guidelines on their existing processes, guidelines and contractual templates. It is particularly important to be able to assess the extent of the necessary adjustments with regard to existing outsourcing agreements so that they can be implemented in good time.
When implementing the Guidelines into the organisation of Institutions, Institutions need to apply the principle of proportionality. In accordance with that principle, the requirements of the Guidelines need to be applied taking into account the complexity of the outsourced functions as well as the associated risks.