On 22 June 2018, the European Banking Authority (EBA) launched a public consultation on its draft Guidelines on outsourcing. The aim of these Guidelines is to harmonise the framework for outsourcing arrangements of all financial institutions in the scope of the EBA's action.
With these Guidelines, the EBA is updating the CEBS guidelines on outsourcing issued in 2006 that applied only to credit institutions. The Guidelines will now apply to credit institutions and investment firms (jointly "institutions"), as well as payment institutions and electronic money institutions (jointly "payment institutions").
The Guidelines set out specific provisions for these financial institutions’ governance framework with regard to their outsourcing arrangements, and the respective supervisory expectations and processes. The Recommendation on outsourcing to cloud service providers, published in December 2017, has also been integrated into the Guidelines.
The Guidelines take into account and are consistent with the current requirements under the Capital Requirements Directive (CRD), MiFID, E-money directive, PSD2 and the Bank Recovery and Resolution Directive (BRRD), as well as the respective delegated Regulations.
The Guidelines provide comprehensive and detailed requirements relating to outsourcing, covering both the internal governance duties for institutions and payment institutions using external providers, contractual arrangements with an insourcer (outsourcee), and supervision over the outsourced functions, not only by the institutions and payment institutions themselves, but also by relevant supervisory authorities.
Below we summarise the key points of the Guidelines.
Outsourcing to service providers located outside the EEA must be subject to
additional safeguardsthat ensure that they do not lead to an undue increase of risks or impair the ability of competent authorities to effectively supervise institutions and payment institutions. The Guidelines provide the responsibilities of the management body for the establishment of an appropriate framework for outsourcing, its implementation and application in a group, the
due diligence process and risk assessmentbefore entering in such arrangements. The Guidelines specify that
sub-outsourcing requires ex ante notificationto the institutions and payment institutions in case of outsourcing of critical or important functions. Institutions and payment institutions should only agree to sub-outsourcing if the subcontractor undertakes (i) to comply with all applicable laws, regulatory requirements and contractual obligations; and (ii) grants the institutions, payment institutions and competent authority the same contractual rights of access and audit as those granted by the service provider. Specific guidance is provided on the relationship between institutions, payment institutions and service providers, including on their rights and obligations. The Guidelines specify a
set of aspects that should be encoded within the written outsourcing agreement. Also, institutions and payments institutions are required to maintain
a register of all outsourcing arrangements. Institutions and payment institutions should ensure that service providers, where relevant, comply with
appropriate information security standards. Institutions and payment institutions should ensure that the service provider grants them and their competent authorities complete access to all relevant business premises (
access rights) and unrestricted rights of inspection and auditing related to the outsourcing arrangement (
audit rights).
Here you can read the Guidelines.