On 30 September 2019, the guidelines on outsourcing arrangements (Guidelines) of the European Banking Authority (EBA) entered into force. The Guidelines are aimed at harmonising the framework for outsourcing arrangements for financial institutions (credit institutions, investment firms, payment institutions and e-money institutions).
As explained in our earlier alert, the Guidelines, amongst other things:
- define 'outsourcing' and clarify what does not constitute outsourcing;
- determine what should be considered the outsourcing of 'critical or important functions' and provide for specific requirements and obligations applicable to the outsourcing of such critical and important functions;
- contain detailed and comprehensive guidelines for financial institutions considering, implementing or operating outsourcing.
The Guidelines are addressed at the financial institutions identified above and to the competent authorities (both at national and EU-level), but will obviously also impact the service providers to which the financial institutions decide to outsource.
In the below, we will briefly touch upon some of the consequences of the Guidelines for these three categories of addressees.
2. FINANCIAL INSTITUTIONS
In anticipation of the Guidelines coming into effect , financial institutions have worked hard at, for example assessing to what extent the Guidelines required them to adjust their internal governance framework and operations, implementing such changes, updating their outsourcing policy, updating their business continuity plans (with regard to critical or important outsourced functions) and managing their register of outsourcing arrangements and sub-outsourcing, where applicable.
Other topics of interest include assurance of compliance with the appropriate IT security standards by services providers, the adoption of a risk-based approach to data storage and data processing location(s), and information security considerations in case of outsourcing to cloud service providers.
Click here for our earlier alert which contains additional information.
3. COMPETENT AUTHORITIES
The provisions addressed at competent authorities require them to monitor and assess potential concentration risks at the level of individual financial institutions (or on consolidated basis if part of a group), at sector level and, to evaluate the potential impact on other outsourcing institutions and stability of financial market.
It will be interesting to see how competent authorities will exercise their authorities in this respect, particularly in combination with the standards that service providers must meet pursuant to the Guidelines. These standards may materially limit the number of qualified service providers (e.g. cloud services), creating a potential concentration risk.
4. SERVICE PROVIDERS
The requirements that financial institutions will have to comply with when outsourcing functions (both critical or important functions and 'regular' functions) will translate into equivalent requirements that financial institutions will impose on the service providers they work with. This may include the authority to perform physical audits at the premises of the service provider, the requirement to have an exit plan available; including arranging transitional services if the original service provider defaults, or the agreement terminates; or the requirement to stay in compliance with applicable, and continuously changing – regulations.
When negotiating outsourcing arrangements, discussions arise regarding the distribution of responsibility, the distribution of liability and the distribution of costs between the financial institution and the service provider.
Should you have any questions concerning the above, please do not hesitate to contact one of the members of the Bird & Bird global Financial Services team.
If you would like to receive our payments alerts directly in your inbox, please click here.