European Banking Authority (EBA) Outsourcing Guidelines
The European Banking Authority (EBA) Outsourcing Guidelines come into force on 30 September 2019. The revised guidelines, which replace the 2006 Committee of European Banking Supervisors Guidelines on Outsourcing, set out specific requirements for all financial institutions within the EBA’s remit, including banks, building societies, designated investment firms, IFPRU investment firms and credit institutions, when they outsource functions to a service provider. The Guidelines are designed to provide a single framework for banking and payment activities, and attempt to pull together the requirements on outsourcing within the PSD2 and MiFID II directives, at a time of increased outsourcing activity by firms looking to access new technologies. They will apply to all outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019; all existing outsourcing arrangements must be updated in line with the Guidelines by 31 December 2021.
They offer welcome clarity, including that outsourcing does not remove the firm’s obligation to comply with and be responsible for regulatory requirements, and that the firm will remain responsible for all activities at all times – outsourcing must not result in a firm becoming an ‘empty shell’.
The Guidelines should be applied proportionately, taking into account the type, size and nature of the firm and of the scale and complexity of the activities and functions to be outsourced, along with the risks arising from the arrangement.
Which parts of the Guidelines will apply to an outsourced function depend on whether the function is ‘critical and important’ – firms must assess whether the function falls into this category before entering into any outsourcing agreement.
The Guidelines require firms to have robust internal governance arrangements, including effective day-to-day management by a senior manager, effective oversight, a comprehensive outsourcing policy and processes, and an efficient internal control framework.
The Outsourcing Policy must cover the main phases of the arrangements, and should differentiate between different categories of outsourcing (e.g. whether the function to be outsourced is critical and important, outsourcing to providers that are authorised by an appropriate regulator and those that are not, intragroup outsourcing, outsourcing to providers located in a third country, etc).
Firms are also required to undertake proper due diligence before entering into an agreement, ensuring that service providers can provide the necessary resource, skill, ability, technical and operational factors, and data security appropriate for the outsourced function.
Crucially, intra-group outsourcing is not ‘necessarily less risky than external body outsourcing’. Therefore, the Guidelines state that where a firm is looking to outsource critical and important functions to a body within the same group, it must:
Ensure the decision is based on objective reasons
Ensure that the conditions explicitly deal with conflicts of interest
Ensure that the firm identifies all relevant risks
Detail the mitigation measures in place
Firms could, however, factor the higher level of control likely from such an arrangement into the risk assessment.
There must also be robust exit and termination arrangements, which allow a firm to move, re-absorb or terminate activities without disruption to business activities.
As a guide to the incoming Guidelines, firms looking to enter into an outsourcing arrangement should ensure:
That robust internal governance arrangements, including a clear organisational structure, exist
That the firm’s risk framework enables the proper identification and management of all risks, including risks caused by arrangements with third parties
That an Outsourcing Policy exists, and that it is compliant with the Guidelines
That firms identify, assess and manage conflicts of interest
That they assess whether the functions to be outsourced are ‘critical and important’ and, where they are, that a business continuity plan is in place, maintained and tested, that the firm conducts enhanced due diligence and risk assessment, and that the agreement allows the firm to terminate the arrangement with the service provider
That business continuity plans cover the eventuality that the quality of provision deteriorates to an unacceptable level or fails
That appropriate due diligence, risk assessment and analysis activities are undertaken prior to entering into an agreement
That the internal audit function’s activities cover the independent review of outsourced activities
That a register of all outsourcing arrangements is maintained and updated, and that all arrangements are appropriately documented, in line with the requirements of paragraphs 54 and 55
That firms undertake an analysis of the supervisory conditions for outsourcing
That rights and obligations of the firm and of the service provider are clearly set out in a written agreement, in line with Guideline requirements
That a documented and tested exit plan is developed and implemented