EBA Guidelines On Outsourcing - Financial Services

Summary

The EBA Guidelines on outsourcing arrangements, published February 2019 (the "Guidelines"), have been applicable to credit institutions, certain MiFID investment firms, and payment and electronic money institutions since 30 September 2019. Since publication, firms have been busy identifying changes to their frameworks and the services agreements underpinning their outsourcing arrangements. Please see previous Walkers briefing on the Guidelines here.

In addition to the Guidelines, firms should consider any other legal or regulatory requirements applicable to their business, and the key areas of priority for the Central Bank of Ireland (the "Central Bank"), in reviewing their outsourcing arrangements. For firms to which the Guidelines do not apply, consideration of relevant legal requirements and the Central Bank's increasing focus on outsourcing as a supervisory priority remain relevant, including in respect of the areas set out in this advisory. Further details are set out below.

Guidelines Overview

Key Practical Issues

In assisting firms examine their outsourcing arrangements, focus areas have included:

Chain Outsourcing – ensuring that the firm has visibility of all sub-outsourced service providers and that the necessary rights and obligations (e.g. access and audit rights) are pushed down onto sub-service providers.

Board and Senior Management Oversight – ensuring the appropriate level of board and senior management oversight of the firm's outsourcing arrangements, including: approval of outsourcing; internal reporting; ensuring that individuals with appropriate expertise supervise relevant outsourcing arrangements; identifying the necessary performance metrics and information in respect of each outsourced service and ensuring this is captured in the services agreement.

Pre-Outsourcing and Ongoing Assessment – ensuring that all relevant stakeholders in the firm are integrated into both the pre-outsourcing assessment process (e.g. risk assessment of the outsourcing arrangement, due diligence on the service provider, determination of whether any outsourced services require regulatory authorisation, identification of any potential conflicts of interests, development of business continuity contingencies and exit plans for each outsourced service) and the ongoing monitoring or review of outsourcing arrangements by the firm.

Contractual Requirements – ensuring that the services agreement underpinning the outsourcing arrangement contains all provisions required by the Guidelines, including: agreed service levels and key performance indicators; provisions regarding sub-outsourcing; termination/exit rights; and access and audit rights for both the firm and its regulator. Agreeing escalation procedures (e.g. governance forums, remediation plans, termination rights) will also be important.

Documentation Requirements – drafting and adopting an appropriate outsourcing policy and populating and maintaining a Guidelinescompliant register of all outsourcing arrangements.

Additional Legal and Regulatory Requirements

The first step for any firm assessing its outsourcing arrangements will be to map the legislative framework applicable to their activities – for example, outsourcing requirements that may apply under the European Union (Markets in Financial Instruments) Regulations 2017 (as well as Delegated Regulation (EU) 2017/565) for MiFID investment services, the European Union (Capital Requirements) Regulations 2014, the European Union (Payment Services) Regulations 2018 and/or the European Communities (Electronic Money) Regulations 2011.

Helpfully, the Central Bank's November 2018 discussion paper entitled 'Outsourcing Findings and Issues for Discussion' (the "Outsourcing Paper") includes a non-exhaustive list of current regulations and guidance for firms to consider, and sets out the Central Bank's minimum supervisory expectations. Just over 12 months on from the publication of the Outsourcing Paper, further items can be added the list of rules for consideration, depending on the firm's sector. These include the EBA Guidelines on ICT and security risk management, published on 28 November 2019 and applicable from 30 June 2020, as well as the Guidelines.

Firms should also track the progress of the European Commission consultation on digital operational resilience, (discussed here)

Regulator Focus and Broader Context

The Central Bank has repeatedly emphasised outsourcing as an area of priority, certain examples of which are set out below.

Central Bank Outsourcing Paper

The focus by rule makers and regulators on the management of outsourcing arrangements continues and is put into context by the Outsourcing Paper which notes that:

the median number of outsourcing arrangements across all regulated firms surveyed by the Central Bank was approximately 15 per regulated firm;
a small number of regulated firms reported maintaining in excess of 1,000 outsourcing arrangements; and
40% of regulated firms surveyed planned to undertake additional outsourcing activity over the next 12-18 months.

The Outsourcing Paper notes that increasing reliance on outsourcing has brought the practice into sharp focus for the Central Bank, and it identifies a number of areas where firms are not meeting supervisory expectations. The Outsourcing Paper highlights a number of supervisory expectations and these should be built into the review of outsourcing arrangements required under the Guidelines.

Central Bank Messaging

In addition, firms should have regard to the Central Bank's other industry communications, which may come in the form of speeches or other publications. Throughout the last twelve months, board responsibility for oversight and awareness of outsourcing and the associated risks was emphasised by the Central Bank. The fact that accountability for compliance remains with the firm despite outsourcing arrangements being in place was also consistently flagged.

The Central Bank held an Outsourcing Conference in April 2019 and amongst other things, Derville Rowland, Director General, Financial Conduct identified data risk, concentration risk and offshoring risk as three key evolving risks. We would expect firms to consider these risks carefully in assessing outsourcing arrangements.

To see the full article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.