Last year there was much talk about the new European Banking Authority (EBA) Guidelines on outsourcing arrangements and the impact they could have on IT and cloud service contracts in the financial sector. This summer new guidelines on information and communication technology (ICT) and security risk management entered into force, complementing the previous outsourcing guidelines. How will these new ICT guidelines affect outsourcing contracts? Will the Swedish application of the outsourcing guidelines also have implications for these new ICT guidelines?
The ICT Guidelines
This summer, effective from 30 June 2020, the new EBA guidelines on ICT and security risk management (the ICT Guidelines) entered into force, covering requirements under the Capital Requirements Directive (CRD) and the revised Payment Services Directive (PSD2) regarding ICT and security risk operations. These new guidelines, which have incorporated and replaced the previous ICT guidelines from 2017, address an ever-increasing need for management and mitigation of ICT risks in light of the continuous digitalisation of the European financial sector. Thus, the ICT Guidelines contain several principles and requirements which are important for financial actors and their digital service or infrastructure suppliers in maintaining sufficient ICT and security risk mitigating measures (as well as staying compliant with surrounding rules and regulations). Additionally, the ICT Guidelines are intended to complement, and to be read in conjunction with, the previous EBA guidelines on outsourcing arrangements (the Outsourcing Guidelines) - thus completing an important package on IT risk and management for outsourcing in the financial sector.
The Swedish Financial Supervisory Authority (FSA) recently announced (in a similar manner as was previously done with the Outsourcing Guidelines) that it considers the ICT Guidelines to be directly applicable in Sweden and that it will apply the guidelines in its supervision of the relevant actors. The ICT Guidelines specifically apply to credit institutions, payment service providers, investment firms and electronic money institutions. However, as is discussed below, the guidelines could also have a broader application for financial actors in Sweden – in line with previous statements made by the Swedish FSA.
On a high level, the ICT Guidelines contain the following main areas of requirements for the management and mitigation of ICT risks:
- ICT governance and strategy: The guidelines set out requirements for a sound ICT governance and strategy, which shall tie into and align with the organisation’s general business strategy. The guidelines also stipulate the establishment of information security policies and security measures to mitigate the ICT and security risks that financial institutions are exposed to, including organisation and governance, logical security, physical security, ICT operations security, security monitoring, information security review, assessment and testing, and information security training and awareness.
- ICT risk management and control: The guidelines specify some high-level principles for how ICT operations should be managed, including documented and implemented processes and procedures; maintenance of an up-to-date inventory of ICT assets and incident and problem management processes; ICT project and change management (which also covers any acquisition, development and maintenance of ICT systems and services from third party suppliers); and business continuity. The guidelines also contain requirements for independent and objective control functions and audit functions for the control of ICT operations and risks – where it is increasingly important to maintain a high level of insight into and control of any outsourced operations.
- Third party suppliers: An important part of the ICT Guidelines relates to the financial institution’s procurement, negotiation, contracting and management of third party suppliers. These requirements are particularly relevant to what has already been established in the Outsourcing Guidelines – thus both sets of rules must be taken into account in any outsourcing arrangement. Specifically, the ICT Guidelines stipulate that there must be fully effective (as compared to in-house operations) risk mitigation measures in relation to any outsourced activities, setting out security requirements for contracts and service level agreements (including inter alia cybersecurity, data localisation and operational and security incident handling procedures); requirements on acquisition and development management and business continuity; and review, testing and auditing requirements. In practice, much of this translates to additional checks and oversight to ensure that the financial organisation’s own ICT risk management remains effective also in relation to its third party suppliers. As a general rule, the ICT Guidelines thus require at least an equal level of control for outsourced activities as for any internal operations.
- Proportionality: The ICT Guidelines provide a general rule of proportionality, according to which the guidelines are to be complied with in a proportional manner taking into account the financial institutions’ size, internal organization, and the nature, scope, complexity, and riskiness of the services and products that the financial institution provides.
The Swedish twist on the Outsourcing Guidelines and implications going forward
When the Outsourcing Guidelines entered into force last year, there were some discussions in Sweden between financial actors and the Swedish FSA regarding the wide scope and some of the strict requirements under the guidelines (particularly regarding auditing rights and obligations). Following these discussions, the FSA clarified that the Outsourcing Guidelines must be followed with all available means (i.e. that a risk-based or proportional approach cannot mean that requirements under the guidelines are not met). It was also clarified that outsourcing, according to the guidelines, is not limited to strict outsourcing of internal functions but may also cover what would generally be considered procurement of a third party service – which opens the door to strict requirements also for some less obvious services (it can, in any case, be difficult to draw a clear line between outsourcing and a third party service these days). These statements are likely to apply also to the ICT Guidelines. Thus both the Outsourcing and ICT Guidelines should be considered in almost all IT service procurements, since such services are likely to contain both outsourcing and ICT risk aspects that must be mitigated for compliance.
One additional point of interest in relation to the ICT Guidelines is that the Swedish FSA has stated that the Outsourcing Guidelines are not only applicable to the financial actors named in the scope of the guidelines, but that the FSA considers these guidelines to be good practice in general. Thus, the Outsourcing Guidelines could be applicable outside of their stated scope – as they could be one way for other financial actors (such as banks, insurance companies and market infrastructure companies) to fulfil other applicable rules, such as the Swedish FSA’s regulations on information security and IT operations (FFFS 2014:5) and on the management of operational risks (FFFS 2014:4). Although the FSA has not made the same statement for the ICT Guidelines, it is likely that it would take the same approach to the ICT Guidelines, if asked.
Thus, to be diligent as a financial actor on the Swedish market, one must consider this new package of requirements in the ICT and Outsourcing Guidelines when making any kind of third party arrangement (whether service procurement or outsourcing). Equally, suppliers to such financial actors must have regard to the two guidelines when designing their service offerings. In particular, for all parties, there should be sufficient room in the applicable contract to establish and maintain the organisation and management needed for compliance with these guidelines.