Certain financial services firms have until 31 December 2021 to ensure compliance with European Banking Authority (EBA) guidelines. Here's what you need to know.
In February 2019, the EBA published revised guidelines on outsourcing arrangements. They apply to credit institutions and investment firms subject to the EU Capital Requirements Directive (2013/36/EU), and to payment and electronic money institutions. They supplement the existing rules and guidance in the Financial Conduct Authority (FCA) Handbook and Prudential Regulation Authority Rulebook.
The guidelines set out specific provisions for firms' internal governance frameworks concerning outsourcings, including documentation requirements. They came into force on 30 September 2019. All outsourcings entered into, reviewed or amended on or after that date must comply with the guidelines. Firms should review and amend existing outsourcing arrangements to ensure compliance. Except for cloud outsourcings, firms have until the first renewal of each existing arrangement, but no later than 31 December 2021, to complete the documentation of all existing outsourcing arrangements in line with the guidelines [1]. The guidelines apply regardless of Brexit.
The guidelines were introduced at a time of increased regulatory focus on innovation, data protection, cyber and information security, governance and operational resilience. The EBA recognises that financial institutions are increasingly interested in outsourcing business activities to reduce costs and improve flexibility and efficiency. In the context of digitalisation and the increasing importance of IT and fintech solutions, they are adapting business models to embrace such technologies. However, obvious risks attach to outsourcing functions to third parties, in particular IT and data services. Outsourcings of 'critical or important functions' are, not surprisingly, subject to stricter requirements.
The guidelines restrict the outsourcing of functions that would result in a firm becoming an empty shell that lacks the substance to remain authorised. Firms remain fully responsible and accountable for complying with their regulatory obligations.
All requirements are subject to the proportionality principle and are to be applied taking into account the size and internal organisation of the individual firm and the nature, scope and complexity of its activities.
There are requirements that aim to ensure that:
- There is effective day-to-day management by senior management or the management body;
- There is effective oversight by the management body;
- There is a sound outsourcing policy and there are sound outsourcing processes;
- Firms have an effective and efficient internal control framework, including with regard to their outsourced functions;
- All the risks associated with the outsourcing of critical or important functions are identified, assessed, monitored, managed, reported and, as appropriate, mitigated;
- There are appropriate plans for the exit from outsourcings of critical or important functions, e.g. by migrating to another service provider or by reintegrating the critical or important outsourced functions; and
- Regulators remain able to effectively supervise firms, including the functions that have been outsourced.
An 'outsourcing' is defined under the guidelines as an arrangement of any form between a firm and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the firm itself.
Steps to take now
The requirements are extensive. They include carrying out pre-outsourcing analysis, implementing a written outsourcing policy, maintaining a register of all outsourcings, and ensuring that the parties' rights and obligations are clearly allocated and documented in a written agreement. The guidelines contain lists detailing the minimum requirements for each of these areas.
There are required contractual terms on sub-outsourcing, IT security standards, confidentiality and data protection, access and audit rights, co-operation with regulatory bodies, termination and transfer, among others. Firms will need to ensure consistency across all outsourcing contracts (to align with their outsourcing policy) and may wish to prepare precedent terms to be incorporated into any and all outsourcing contracts.
Firms subject to the guidelines should review their policies, procedures, documentation and internal controls to ensure compliance. They should identify outsourcings entered into prior to 30 September 2019 and establish a timetable for their review and renegotiation or updating. Any new arrangements will be subject to the prescribed pre-outsourcing analysis, which includes undertaking appropriate due diligence and assessing the risk to the firm.
Crucially, consideration needs to be given to whether outsourced functions are 'critical or important'. This is where a defect or failure in the performance of the function would materially impair the continuing compliance of the firm with the conditions and obligations of its authorisation or its other obligations, its financial performance, or the soundness or continuity of its services and activities.
Firms should inform and engage with their regulator about planned outsourcings, in particular those of critical or important functions, and provide the required information. They should have in place, maintain and periodically test appropriate business continuity plans covering outsourced critical or important functions.
Where the review of outsourcings of critical or important functions is not finalised by 31 December 2021, firms should inform their regulator, including the measures planned to complete the review or the possible exit strategy.
Regulators will use firms' outsourcing registers to manage concentration risk, for example where a firm has multiple outsourcings with a single provider/closely connected providers, or at sector level where multiple firms make use of a single provider or small group of providers (this is particularly relevant for certain forms of IT outsourcing, including cloud outsourcing).
Intragroup outsourcing is subject to the same regulatory framework as outsourcing to providers outside the group. Conflicts of interest need to be taken into account.
Note that firms should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcings.
[1] Note that the guidelines cover both cloud and non-cloud outsourcings and replace and incorporate the EBA's earlier recommendations on outsourcing to cloud service providers. FCA-authorised firms that are not subject to the EBA guidelines should follow the FCA's guidance for firms outsourcing to the 'cloud' and other third-party IT services.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.