On 25 February 2019, the European Banking Authority (EBA) published their final report on their guidelines on outsourcing arrangements.
The EBA's guidelines on outsourcing arrangements of 25 February 2019 (Guidelines) are the final version of the draft guidelines on outsourcing arrangements published for consultation by the EBA on 22 June 2018. The Guidelines will replace the Committee of European Banking Supervisors' (CEBS) guidelines on outsourcing issued in 2006 and the EBA's recommendation on outsourcing to cloud service providers published in December 2017.
1. Extended scope of the guidelines
The Guidelines will establish a more harmonised framework for all financial institutions that are within the scope of the EBA’s mandate by expanding the scope of the Guidelines not only to apply to credit institutions but also to investment firms subject to the CRD and payment and electronic money institutions subject to the PSD2 (Outsourcing Institutions).
The Guidelines apply to outsourcings by authorised payment and e-money institutions, including payment initiation service providers (PISPs). They do not, however, extend to entities which are only account information service providers (AISPs).
2. Key provisions of the guidelines
The Guidelines identify that when an Outsourcing Institution uses a third party to provide important services to it, this can have a material effect on its business and, in particular, on the delivery of its services to its customers and its compliance with its legal and regulatory obligations. The Guidelines therefore provide a very comprehensive and detailed guide to an Outsourcing Institution contemplating, implementing or operating an outsourcing, allowing the Outsourcing Institution to effectively control and challenge the quality and performance of outsourced functions and to carry out its own risk assessment and ongoing monitoring. The Guidelines cover such matters as:
1. Assessment of the outsourcing proposition: An Outsourcing Institution shall carry out due diligence on any outsourcing proposition, with a particular focus on any increased risk to the business;
2. Contractual phase of the outsourcing: An Outsourcing Institution shall ensure that contractual arrangements are documented appropriately, e.g. scope of services defined clearly, liability for delivery, control of sub-outsourcing, legal compliance, audit rights for the Outsourcing Institution and its supervisor, termination rights etc.; and
3. Operating the outsourcing: An Outsourcing Institution shall evaluate, monitor, control and manage the outsourcing in practice.
On the other hand, it is of particular importance that competent authorities have a comprehensive overview of the outsourcing arrangements of Outsourcing Institutions, enabling them to exercise their supervisory powers. Outsourcing Institutions are therefore required to inform the competent authorities or engage with competent authorities in a dialogue regarding planned outsourcing arrangements, in particular with regard to critical or important functions. However, the final responsibility for outsourcing always remains with the Outsourcing Institution.
3. New definition of "outsourcing" and "critical or important functions"
The Guidelines introduce a new definition of outsourcing in line with the related Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II.
The Guidelines define "outsourcing" as "an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution itself".
The Guidelines state that consideration shall be given to whether the process, service or activity "would or could realistically be performed by the [Outsourcing Institution] even if [it] has not performed this function in the past itself". Consequently, a service does not escape being an outsourcing just because it has never been handled internally.
The Guidelines explicitly state that a number of activities shall not be considered outsourcing:
- a function that is legally required to be performed by a service provider, e.g. statutory audit;
- market information services (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s and Fitch);
- global network infrastructures (e.g. Visa and Mastercard);
- clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members;
- global financial messaging infrastructures that are subject to oversight by relevant authorities;
- correspondent banking services; and
- the acquisition of services that would otherwise not be undertaken by the institution or payment institution.
A number of the requirements and obligations under the Guidelines are related to outsourcing of "critical or important functions". The use of the term "critical or important functions" is based on the wording of MiFID II and the Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II stating that "an operational function shall be regarded as critical or important where a defect or failure in its performance would materially impair the continuing compliance of an investment firm with the conditions and obligations of its authorisation or its other obligations under Directive 2014/65/EU, or its financial performance, or the soundness or the continuity of its investment services and activities".
Outsourcing Institutions shall always consider a function as "critical or important" in the following situations:
- where a defect or failure in its performance would materially impair:
  - their continuing compliance with the conditions of their authorisation or its other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations;
  - their financial performance; or
  - the soundness or continuity of their banking and payment services and activities;
- when operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function;
- when they intend to outsource functions of banking activities or payment services to an extent that would require authorisation by a competent authority.
The assessment of whether an outsourcing is "critical or important" shall follow a risk-based approach taking into consideration the following:
- whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which they are authorised;
- the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their:
  - short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses;
  - business continuity and operational resilience;
  - operational risk, including conduct, information and communication technology (ICT) and legal risks;
  - reputational risks;
  - where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation;
- the potential impact of the outsourcing arrangement on their ability to:
  - identify, monitor and manage all risks;
  - comply with all legal and regulatory requirements;
  - conduct appropriate audits regarding the outsourced function;
- the potential impact on the services provided to its clients;
- all outsourcing arrangements, the Outsourcing Institution’s aggregated exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area;
- the size and complexity of any business area affected;
- the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying agreement;
- the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so (‘substitutability’);
- the ability to reintegrate the outsourced function into the institution or payment institution, if necessary or desirable; and
- the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity on the institution or payment institution and its clients, including but not limited to compliance with Regulation (EU) 2016/679.
4. Internal Governance
The Guidelines include rather comprehensive requirements for internal governance which are also risk based. The Guidelines explicitly state that outsourcing of functions cannot result in the delegation of the management body’s responsibilities and that Outsourcing Institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions. An Outsourcing Institution's internal control framework, including its internal control mechanisms, should therefore also identify and manage risks related to outsourcing.
Further, the Guidelines require an Outsourcing Institution to approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. The outsourcing policy shall include exit strategies and documented exit plans for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement, termination processes and appropriate business continuity plans. The Guidelines also provide for requirements regarding conflicts of interest, business continuity plans and internal audit functions.
5. The Contractual Phase
The Guidelines list minimum requirements for an outsourcing agreement for critical or important functions, some of which are the same as under the CEBS guidelines.
In some areas, however, the requirements are revised materially, e.g. with respect to sub-outsourcing, which under the CEBS guidelines required prior consent by the Outsourcing Institution. The Guidelines leave it to some extent to the parties to determine whether sub-outsourcing of critical or important functions is permitted. If sub-outsourcing of critical or important functions is permitted, the Guidelines list additional requirements for the outsourcing agreement. The Guidelines do, however, still require the service provider to obtain prior specific or general written authorisation from the Outsourcing Institution before sub-outsourcing personal data. This requirement makes the parties' freedom to decide whether sub-outsourcing of critical or important functions is permitted less relevant, as most outsourcings will involve personal data. Additionally, Outsourcing Institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the outsourcing policy of the Outsourcing Institution. If the proposed sub-outsourcing could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, the Outsourcing Institution should exercise its right to object to the sub-outsourcing or terminate the contract.
The Guidelines also provide for broad audit rights for an Outsourcing Institution and its competent authority to audit service performance and obtain any information needed with regard to the outsourced service. In relation to information, the applicable competent authority must not be prejudiced in its ability to supervise the Outsourcing Institution; this means that data which it could have obtained from the Outsourcing Institution itself shall still be accessible to it from the service provider.
The Guidelines furthermore stipulate that the Outsourcing Institution shall, in the outsourcing agreement, require access for the Outsourcing Institution's external auditors and competent authorities to the relevant business premises (head offices and operations centres) of service providers, including the full range of devices, systems, networks, information and data used for providing the outsourced process, service or activity, financial information, personnel and the service provider’s external auditors.
6. Personal Data
The Guidelines contain a number of provisions related to data, but they largely emphasise the importance of continued compliance with the GDPR (and other data legislation) rather than creating any specific new data obligations. Essentially, the carrying out of an outsourcing, or indeed using a service provider for any service, shall not materially and adversely affect an Outsourcing Institution's compliance with its data protection obligations, and arrangements involving non-EU jurisdictions are required to be considered particularly carefully. There are no specific rules in the Guidelines on outsourcings which involve movement of data to third (non-EU) countries, but Article 84 of the Guidelines does state that:
"[Outsourcing Institutions] should take into account differences in national provisions regarding the protection of data. [Outsourcing Institutions] should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients’ information, where applicable, are observed)."
7. Proportionality
Outsourcing Institutions and competent authorities shall, when applying the Guidelines, follow the principle of "proportionality". This essentially means that the Guidelines shall be applied more rigorously to large, complex, risky or critical/important outsourcings than to small, simple, safe or immaterial outsourcings, in relation to which a more relaxed view may be taken.
8. Notification to competent authorities
The Guidelines require that any Outsourcing Institution shall notify its supervising competent authority in a timely manner (i.e. giving reasonable advance warning) of its intention to implement a critical/important outsourcing. It must provide adequate information for the competent authority to assess whether the relevant outsourcing is appropriate. The Guidelines do not, however, require the consent of the relevant competent authority.
9. Guidelines addressed to competent authorities
In addition to the guidance directed at Outsourcing Institutions, the Guidelines also provide for some provisions addressed to the competent authorities. Those provisions do not only stipulate the 'usual' requirement that the competent authorities should carefully monitor the Outsourcing Institutions' compliance with the Guidelines; they also require the competent authorities to monitor and assess concentration risks within the Outsourcing Institution, including on a consolidated basis, caused by multiple outsourcing arrangements with a single service provider or closely connected service providers or multiple outsourcing arrangements within the same business area, as well as concentration risks at sector level, e.g. where multiple institutions or payment institutions make use of a single service provider or a small group of service providers.
Where it identifies concentration risks, a competent authority will be required to monitor the development of such risks and evaluate both their potential impact on other Outsourcing Institutions and the stability of the financial market. Additionally, a competent authority should inform, where appropriate, the resolution authority about new potentially critical functions that it identifies. In accordance with Article 16(3) of Regulation (EU) No 1093/2010, competent authorities must notify the EBA that they comply or intend to comply with these guidelines, or otherwise give reasons for non-compliance.
10. Next step
The Guidelines will enter into force on 30 September 2019. On that date, the CEBS guidelines from 2006 on outsourcing and the EBA's recommendation on outsourcing to cloud service providers published in December 2017 will be repealed.
While the Guidelines evidence a desire on the part of the EBA that the regulatory approach to outsourcing shall be harmonised across all EU jurisdictions, the Guidelines do not purport to restrict the ability of the competent authority for any jurisdiction to impose more onerous requirements on entities under its supervision. They may therefore be viewed more as creating minimum rather than maximum standards.
We expect that the EU jurisdictions will update the applicable local regulation on outsourcing and, while the regulators of many EU jurisdictions are likely to follow the Guidelines reasonably closely, there are a number of jurisdictions which have previously adopted a more onerous approach. We will follow the "implementation" of the Guidelines throughout the EU jurisdictions closely.