In an ever more digitalized and fast-moving world, time to market, cost efficiencies and access to new technology can be achieved by outsourcing to third-party suppliers. However, companies operating in regulated domains may face specific requirements that must be complied with. For credit institutions and investment firms, requirements relating to outsourcing arrangements have existed for quite some time. On 25 February 2019, the European Banking Authority ("EBA") published its revised Guidelines on outsourcing arrangements ("Guidelines"). The Guidelines come into force on 30 September 2019 and replace the CEBS Guidelines on outsourcing from 2006 and the EBA Recommendations on outsourcing to cloud service providers from 2017, the cloud recommendations being integrated into the new Guidelines.
Part I – The Guidelines in general
In summary, when outsourcing to third parties, the key items to bear in mind are:
- ensuring that an adequate sourcing governance framework is implemented;
- securing the resources needed to operate within that governance framework;
- identifying and documenting all outsourcing arrangements and classifying them as concerning either "critical or important functions" or "other functions".
Whereas the earlier guidelines and recommendations applied to credit institutions and investment firms, the revised Guidelines also apply to payment institutions and electronic money institutions (hereafter jointly referred to as "Institution"). The aim of the Guidelines is to establish a more harmonized framework for Institutions within the scope of the EBA mandate and to ensure that these Institutions can apply a single framework to all their outsourcing activities. The Guidelines are subject to national implementation, which in Sweden will be carried out by the supervisory authority Finansinspektionen. Each national supervisory authority must notify the EBA that it complies or intends to comply with the Guidelines, or otherwise give reasons for non-compliance. In Sweden's case, any additions or amendments to the current legislative framework, if required, would most likely be implemented through Finansinspektionen's regulations and general guidelines.
The Guidelines apply to “outsourcing arrangements”, which can be divided into outsourcing of “functions” and “critical or important functions”. For critical and important functions there are additional, stricter requirements to be complied with. The Guidelines are to be applied with the principle of proportionality in mind, e.g. by taking into account an Institution’s size and internal organization as well as the nature, scope and complexity of its activities. An Institution’s management body will, at all times, remain responsible for the Institution and all of its activities. An outsourcing arrangement must not lead to a situation in which the Institution becomes an “empty shell” that lacks the substance to remain authorized. Furthermore, it must be ensured that there are satisfactory organizational structures and resources available for carrying out effective day-to-day management, monitoring, reporting and oversight of any outsourcing arrangement.
As part of its risk management framework, an Institution should maintain an updated register of all outsourcing arrangements and therein distinguish between outsourcing arrangements concerning critical or important functions and other outsourcing arrangements. The register is to include certain information, e.g. start and end date, and, if the outsourcing arrangement concerns a critical or important function, additional information such as the governing law and the dates of the most recently performed and next scheduled audit. The register shall, upon request, be made available to the supervisory authority.
An Institution planning to outsource a critical or important function should adequately inform the relevant authorities in a timely manner, or engage in a supervisory dialogue with the relevant authorities about the planned outsourcing. The same applies if an already outsourced function has become critical or important over time. For outsourcing agreements entered into before 30 September 2019, there will be some flexibility in the application of the requirements during the transitional period, which ends on 31 December 2021.
Part II – The Guidelines in more detail
Before entering into an outsourcing arrangement, an Institution needs to carry out an assessment of the function that is considered for outsourcing. The assessment is to be carried out subject to an adequate sourcing process consisting of at least the following items:
- assess if the outsourcing arrangement concerns a critical or important function;
- assess if the function requires supervisory authorization (and, if so, that this requirement is met);
- identify and assess all of the relevant risks of the outsourcing arrangement;
- undertake appropriate due diligence on the prospective service provider; and
- identify and assess conflicts of interest that the outsourcing may cause.
Outsourcing is defined as an arrangement under which a third party is contracted to carry out a function that is normally carried out, or could realistically be performed, by an Institution, even if the individual Institution has not performed the function itself in the past. Certain arrangements are, however, not considered outsourcing, e.g.:
- a function that is legally required to be performed by a service provider, e.g. statutory audit;
- market information services (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s, Fitch);
- global network infrastructures (e.g. Visa, MasterCard);
- clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members;
- the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. advice from an architect or a legal advisor).
Critical or important functions
Institutions should always consider a function as critical or important in the following situations:
a) where a defect or failure in its performance would materially impair:
i. its continued compliance with the conditions of its authorization or its other obligations under applicable directives;
ii. its financial performance; or
iii. the soundness or continuity of its banking and payment services and activities;
b) when operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function;
c) when it intends to outsource functions of banking activities or payment services to an extent that would require authorization by a supervisory authority.
For functions not covered by the items listed above, an Institution must make a case-by-case assessment. That assessment should take several elements into consideration, e.g.:
- whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which it is authorized;
- the Institution’s aggregated exposure to a single service provider and the potential cumulative impact of outsourcing arrangements in the same business area;
- the potential impact of any disruptions and the ability to reintegrate the outsourced function into the institution or payment institution, if necessary or desirable.
The following are examples of provisions that an outsourcing agreement must address:
- audit rights and, regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements should refer to the information gathering and investigatory powers of competent authorities and resolution authorities;
- where relevant (e.g. in the context of cloud or other ICT outsourcing), define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis;
- termination rights and termination support.
For critical or important functions there are additional requirements of what an agreement is to regulate, e.g.:
- the obligation of the service provider to cooperate with the competent authorities and resolution authorities of the Institution;
- the unrestricted right of Institutions and competent authorities to inspect and audit the service provider;
- implementation and testing of business contingency plans.
In conclusion, Institutions need to ensure that outsourcing arrangements are managed in a way that preserves their own regulatory compliance. A first logical step is to assess all current outsourcing arrangements and to ensure that intended outsourcing arrangements are proactively assessed against the requirements set out in the Guidelines.