The EBA’s newly published guidelines on outsourcing arrangements for banks, certain investment firms and payment and e-money institutions will come into force on 30 September 2019. In this briefing, we review the new guidelines and comment on the Central Bank of Ireland’s recent review on outsourcing in the Irish financial sector.
The European Banking Authority (EBA) recently published its Final Report on EBA Guidelines on Outsourcing Arrangements (EBA Guidelines). The EBA Guidelines set out revised provisions for outsourcing by credit institutions and investment firms subject to the Capital Requirements Directive as well as payment and e-money institutions, collectively referred to as “Covered Institutions” for the purposes of this article.
The EBA Guidelines aim to establish a harmonised governance framework for all outsourcing undertaken by Covered Institutions. The EBA Guidelines aim to ensure consistent supervisory practices across the EU and will replace the existing guidelines applying to credit institutions dating from December 2006.
Definition of outsourcing
The definition of outsourcing is taken from MiFID II. Outsourcing is defined as:
“...an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself.”
Stricter rules for critical and important functions
Critical and important functions which are outsourced are subject to stricter rules in the EBA Guidelines. The key criterion for identifying whether a function is critical or important is whether a defect or failure in the performance of the function would materially impair compliance with certain obligations, financial performance, or the soundness or continuity of the Covered Institution.
Risk management framework
Outsourcing risk should be included in a Covered Institution’s risk management framework. The framework should work to identify and manage all risks to the business and be proportional to its scale and risk profile.
Policy and documentation requirements
The EBA Guidelines oblige management bodies of Covered Institutions to approve, regularly review and update a written outsourcing policy. The policy should also comply with the EBA Guidelines on Internal Governance.
Outsourcing agreements should comply with the outsourcing policy and clearly set out the rights and responsibilities of the Covered Institution and the outsourcing provider.
Register of outsourcing arrangements
Covered Institutions are required to establish and actively maintain a register of information on all current outsourcing arrangements.
The latest from the Central Bank on outsourcing
The EBA Guidelines are particularly timely for Covered Institutions based in Ireland given the Central Bank’s Q4 2018 publication Outsourcing - Findings and Issues for Discussion.
The Central Bank’s review found common weaknesses in the areas of governance, risk management and business continuity management in the financial firms reviewed. It notes that significant and proactive action by financial institutions was needed to meet the Central Bank’s minimum supervisory expectations.
The increased reliance on outsourcing by regulated firms has come into sharp focus for regulators both at home and at EU level. The EBA Guidelines oblige Covered Institutions to “make every effort to comply” with their requirements. Accordingly, boards and senior management of Covered Institutions, who remain responsible for all activities undertaken by their firms, regardless of whether the activity has been outsourced, should now begin preparations to comply with the EBA Guidelines ahead of 30 September 2019.
From 30 September 2019, the EBA Guidelines will apply to all outsourcing arrangements entered into, reviewed or amended on or after this date. Covered Institutions are expected to have reviewed and amended their existing outsourcing arrangements to ensure compliance at first renewal or by 31 December 2021 at the latest. The exception is outsourcing arrangements with cloud service providers, as these arrangements should already be compliant with the EBA Recommendations on Outsourcing to Cloud Service Providers.
Covered Institutions should also have implemented a register of all outsourcing arrangements by 31 December 2021. Additionally, this deadline applies to the respective regulators in the EU and in third countries for agreeing cooperation agreements or memorandums of understanding where outsourcing is to a service provider in a third country.
For further information on the new EBA Guidelines on outsourcing arrangements and what your business needs to do to comply, please contact our Financial Regulation team.