As the deadline for ensuring pre-existing contracts (as defined below) are compliant with the EBA Guidelines (as defined below) draws near, our FinTech team takes a quick look at the approach taken by financial services companies. In particular, we focus on: (i) what the EBA Guidelines are, (ii) who is affected by them and (iii) some of the key strategies to implement to ensure compliance by the deadline, based on our experience advising clients.
The European Banking Authority published a final report on its guidelines relating to outsourcing (the EBA Guidelines) in February 2019. The EBA Guidelines came into force on 30 September 2019 and apply to banks, payment institutions, electronic money institutions and certain types of investment firms (Financial Service Companies) and continues to apply even in a post-Brexit context because the FCA has stated these are principles to which it wishes to see continued adherence by firms under its supervision.
The EBA Guidelines affects contracts entered into after 30 September 2019 and also needs to be reflected in any in-scope contracts entered into prior to 30 September 2019 (pre-existing contracts) by the 31 December 2021 or the first renewal date of such contract (whichever is earlier). However, this deadline does not apply to what is referred to in the EBA Guidelines as “outsourcing arrangements to cloud service providers”.
The EBA Guidelines apply to contracts between Financial Service Companies and suppliers if the service under the relevant contract constitutes an “outsourcing”. This can be a complex question and there are certain minimum requirements in respect of an outsourcing which need to be considered on a case by case basis.
If the services under the relevant contract comprise an outsourcing, then the next question is whether this outsourcing constitutes a “critical or important” outsourcing or not. This distinction is important to make because some of the provisions of the Guidelines only apply to critical or important outsourcings and some of the provisions, although still applied, are only to be applied “proportionately” where the outsourcing is not a critical or important one.
If the services under the relevant contract do not comprise an outsourcing, then the EBA Guidelines do not apply directly. However, the EBA Guidelines does state that Financial Service Companies may also enter into contracts with suppliers where the service does not constitute an outsourcing but is nonetheless mission critical and creates a significant risk for the Financial Service Company’s business and/or its legal or regulatory compliance. In such circumstances the EBA Guidelines suggests that where such contracts are material or high risk then the Financial Service Company should consider applying the relevant provisions of the EBA Guidelines to it where it is feasible and appropriate to do so.
Approach to compliance with pre-existing contracts
There is no “one-size-fits-all” approach to ensuring compliance of pre-existing contracts with the EBA Guidelines. However, here are some strategies to consider based on our experience advising clients:
If you require further information or have any further questions, please contact our FinTech team.
If you would like to receive our regular FinTech alerts in your inbox, click here
If you would like to read Bird & Bird’s previous alerts, please check out our FinTech In Focus webpage here.