EBA consults on Guidelines on outsourcing

With these Guidelines, the EBA is updating the CEBS guidelines on outsourcing issued in 2006 that applied only to credit institutions. The Guidelines will now apply to credit institutions and investment firms (jointly "institutions"), as well as payment institutions and electronic money institutions (jointly "payment institutions").

The Guidelines set out specific provisions for these financial institutions’ governance framework with regard to their outsourcing arrangements, and the respective supervisory expectations and processes. The Recommendation on outsourcing to cloud service providers, published in December 2017, has also been integrated into the Guidelines.

The Guidelines take into account and are consistent with the current requirements under the Capital Requirements Directive (CRD), MiFID, E-money directive, PSD2 and the Bank Recovery and Resolution Directive (BRRD), as well as the respective delegated Regulations.

The Guidelines provide comprehensive and detailed requirements relating to outsourcing, covering both the internal governance duties for institutions and payment institutions using external providers, contractual arrangements with an insourcer (outsourcee), and supervision over the outsourced functions, not only by the institutions and payment institutions themselves, but also by relevant supervisory authorities. 

Below we summarise the key points of the Guidelines.

1. The Guidelines provide a clear definition on outsourcing (that is in line with the related Commission delegated regulation (EU) 2017/565 supplementing MiFID II). 
2. The Guidelines specify the criteria to assess whether an outsourced activity, service, process or function (or part of it) is critical or important. The Guidelines provide criteria to ensure a more harmonised assessment of the criticality or importance of functions.
3. Institutions and payment institutions should have sound internal governance arrangements which include a clear organisational structure. The Guidelines include requirements which aim at ensuring that:
4. there is effective day-to-day management by the management body;
5. there is effective oversight by the management body;
6. there is sound outsourcing policy and outsourcing processes;
7. institutions and payment institutions have an effective and efficient internal control framework, including with regard to their outsourced functions;
8. all the risks associated with the outsourcing of critical or important functions are identified, assessed, monitored, managed, and reported and as appropriate mitigated;
9. there are appropriate plans for exit from outsourcing arrangements of critical or important functions, e.g. by migrating to another service provider or by reintegration of the critical or important outsourced function; and
10. competent authorities remain able to effectively supervise institutions and payment institutions, including the functions that have been outsourced.

Outsourcing to service providers located outside the EEA must be subject to

additional safeguards

that ensure that they do not lead to an undue increase of risks or impair the ability of competent authorities to effectively supervise institutions and payment institutions. The Guidelines provide the responsibilities of the management body for the establishment of an appropriate framework for outsourcing, its implementation and application in a group, the

due diligence process and risk assessment

before entering in such arrangements. The Guidelines specify that

sub-outsourcing requires ex ante notification

to the institutions and payment institutions in case of outsourcing of critical or important functions. Institutions and payment institutions should only agree to sub-outsourcing if the subcontractor undertakes (i) to comply with all applicable laws, regulatory requirements and contractual obligations; and (ii) grants the institutions, payment institutions  and competent authority the same contractual rights of access and audit as those granted by the service provider. Specific guidance is provided on the relationship between institutions, payment institutions and service providers, including on their rights and obligations. The Guidelines specify a

set of aspects that should be encoded within the written outsourcing agreement

. Also, institutions and payments institutions are required to maintain

a register of all outsourcing arrangements

. Institutions and payment institutions should ensure that service providers, where relevant, comply with

appropriate information security standards

. Institutions and payment institutions should ensure that the service provider grants them and their competent authorities complete access to all relevant business premises (

access rights

) and unrestricted rights of inspection and auditing related to the outsourcing arrangement (

audit rights

). 

Here you can read the Guidelines.