What should credit, payment, electronic money institutions and investment firms know about updated guidelines on outsourcing?
// September 30, 2019
On 30 September 2019, most provisions of the European Banking Authority (EBA) Guidelines on outsourcing arrangements, published in the EBA's Final Report on its draft guidelines (hereinafter, “the Guidelines”), enter into force. The Guidelines replace those issued by the Committee of European Banking Supervisors (CEBS) in 2006 and also incorporate the EBA’s 2017 recommendations on outsourcing to cloud service providers, which came into effect on 1 July 2018.
The previous CEBS guidelines applied exclusively to credit institutions while the new ones cover all credit institutions and investment firms subject to Directive 2013/36/EU, payment institutions subject to Directive (EU) 2015/2366, and electronic money institutions subject to Directive 2009/110/EC.
Listed below are the most relevant points of the updated Guidelines that every credit institution, payment institution, electronic money institution and investment firm (hereinafter, “the Institutions”) should be aware of.
Clarified definition of outsourcing
The EBA has fully aligned its definition of outsourcing with that set out in the MiFID II framework. The term ‘outsourcing’ is defined as an arrangement between the Institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the Institution itself. The Guidelines also include a more detailed list of the types of arrangements that will generally fall outside the definition of outsourcing, such as correspondent banking services and market information services (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s, Fitch). In addition, for illustrative purposes, architectural services, legal opinions and maintenance of the Institution’s premises are listed as examples of services that the Institution would not otherwise perform itself and that are therefore not considered outsourcing.
Clearer standards for outsourcing of critical functions
The Guidelines apply to all functions that are outsourced, whether to an external service provider or within the Institution’s own group. A distinction is made between the outsourcing of critical or important functions, to which higher standards apply, and the outsourcing of other functions, for which the stricter requirements need not be observed. The Guidelines also provide criteria for identifying critical or important functions, i.e. those with a strong impact on the Institution’s risk profile or internal control framework. For example, a function is considered critical or important where a defect or failure in its performance would materially impair the Institution’s continuing compliance with the conditions of its authorisation, its financial performance, or the soundness or continuity of its banking and payment services and activities.
Outsourcing policy and outsourcing register – a must
The Guidelines require the Institutions to adopt a written outsourcing policy defining the principles, responsibilities and processes for the main phases of the life cycle of outsourcing arrangements. The policy must be implemented, regularly reviewed and kept up to date. The Guidelines also list the minimum requirements that the governance framework for outsourcing should satisfy. Additionally, the Institutions must maintain an up-to-date register documenting all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements.
Requirements for agreements between the Institutions and service providers
According to the Guidelines, the rights and obligations of the Institution and the service provider should be clearly allocated and set out in a written agreement. The Guidelines list minimum requirements for agreements on the outsourcing of critical or important functions, including basic information such as a description of the outsourced function, the start and end date of the agreement, the parties’ financial obligations, and the service provider’s reporting obligations towards the Institution. Besides that, such agreements must state whether sub-outsourcing of the critical or important function is permitted and, if so, under what conditions, and must specify the location(s) where the function will be provided and/or where relevant data will be kept and processed. Finally, the agreement should also cover data-related aspects, including provisions on the accessibility, availability, integrity, privacy and safety of relevant data, and provisions ensuring that data owned by the Institution can be accessed in the event of the service provider’s insolvency, resolution or discontinuation of business operations.
The updated Guidelines apply to all outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019. The Institutions should therefore carry out a comprehensive review of their outsourcing processes and, where necessary, review and amend their existing outsourcing arrangements to bring them into compliance.
Where an Institution has not completed the review of an outsourcing arrangement relating to critical or important functions by 31 December 2021, it should notify the relevant competent authority of that fact and explain the measures it proposes to take to either complete the review or exit the arrangement.
For more detailed information, consult the full text of the Guidelines.