New guidelines reflect the rise of outsourcing by financial institutions in a new era of disintermediation and technological change.
In February 2019, the European Banking Authority (EBA) published its final guidelines on outsourcing arrangements. The guidelines aim to establish a more harmonized framework for the outsourcing arrangements of financial institutions in the EU.
One of the aims of the guidelines is to ensure appropriate risk management and due diligence as a result of the increasing use of outsourcing by financial institutions, in particular when it comes to payments and fintech companies. The guidelines have also adopted the recommendation on outsourcing to cloud service providers, published in December 2017.
From a German regulatory perspective, the concepts introduced by the guidelines are not entirely new. In part, they restate existing German risk management requirements with respect to outsourcing, which are based on the German Banking Act (KWG), the minimum requirements for risk management (MaRisk), as well as Section 26 of the German Payment Supervisory Act (ZAG).
However, the EBA has significantly increased the level of detail of the risk management requirements and expressed expectations that go beyond what is currently stated by German law or expected by the administrative practice of the supervisors.
In particular, this relates to the governance framework, the preliminary outsourcing risk analysis, contractual requirements, sub-outsourcings and information obligations vis-à-vis the competent supervisory authority. In addition, the number of institutions affected will also be significantly expanded. Overall, the analysis, monitoring and documentation effort involved in outsourcing has increased.
Extended scope of addressees
While the scope of MaRisk is limited to credit and financial services institutions and domestic banking branches of foreign companies, the EBA guidelines have a broader scope that for the first time includes payment institutions (including payment initiation service providers) and electronic money institutions. So-called account information service providers (AISPs) are exempt from the outsourcing requirements.
While the MaRisk link the (non-)applicability of higher risk management requirements to the qualification of an outsourcing arrangement as "material" or "non-material," the guidelines introduce the concept of "critical and important functions."
Many of the EBA's guidelines only apply to the outsourcing of these functions. In order to enable a uniform classification into "critical" and/or "important" functions, the EBA has specified a detailed catalogue of criteria in section four of the guidance.
For instance, the outsourcing entity must apply due diligence before concluding a contract and ensure that the service provider has the necessary knowledge, skills and resources—both technical and financial—to provide the outsourcing services.
The guidelines also specify other factors that must be taken into account. For example, the service provider must have a sufficient organizational structure and relevant regulatory approvals to perform critical and important functions in a reliable and professional manner.
In case of sub-outsourcing, the service provider must provide certain information to the outsourcer such as how its ability to meet its contractual responsibilities will be affected by the sub-outsourcing.
The EBA guidelines also include requirements on the minimum content of outsourcing agreements, many of which have been controversially negotiated between outsourcing parties in past years. In this respect the EBA now clearly states, for instance, that the contract should contain provisions on the permissibility of sub-outsourcing, including the corresponding information obligations and notification periods that allow an appropriate risk analysis, and provisions on termination for regulatory cause, for instance when the competent authority so instructs.
The EBA also requires the establishment of "outsourcing registers". Such registers must be maintained for all outsourcings irrespective of their qualification as "critical and important". However, the contents vary and are prescribed by the guidelines.
For example, outsourcers must determine a reference number for each outsourcing agreement in the register and provide a brief description of the function. In case of outsourcing of critical and important functions, the register must contain the dates of the most recent and next scheduled audits and, where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced. This includes the country where the sub-contractors are registered, where the service will be performed and, if applicable, where the data will be stored. The register will help the outsourcer oversee and manage associated risks but will also help regulators assess concentration risks since the outsourcer should, upon request, make available to the competent authority details of all existing outsourcing arrangements.
The EBA states that the supervisory requirements must also apply to outsourcing within the group of the outsourcing institution. This applies even if the outsourcing only takes place within the same system for institutional protection because the EBA believes these outsourcing operations are no less risky than outsourcing to third parties and are therefore subject to the same regulatory framework as outsourcing to service providers outside the group.
This puts the EBA at odds with BaFin, which states in its MaRisk explanations that, in the case of group outsourcings, group-wide risk management would have a risk-mitigating effect.
Another innovation concerns outsourcing to third countries. For example, it is planned that the relevant supervisory authorities conclude a cooperation agreement, e.g., in the form of a "Memorandum of Understanding," which guarantees that confidentiality and data protection for the company to which the activity is outsourced are equivalent to those of the outsourcing institution.
Countdown to implementation
The guidelines come into force on September 30, 2019, and will apply to outsourcings "entered into, reviewed or amended" after that date, handing institutions a tight time frame in which to make the necessary governance and risk management arrangements.
In addition, institutions and payment institutions should review and amend existing outsourcing arrangements with a view to ensuring that these are compliant with the guidelines by December 31, 2021. Compliance breaches should be reported to the competent authority, including the measures planned to complete the review or the possible exit strategy.
Although the analysis, monitoring and documentation effort required to implement the EBA guidelines is substantial, institutions may also consider the upside:
The review process is comparable to an inventory that will give the institution the chance to rethink its current outsourcing structures and associated risks.
Institutions have a chance to renegotiate existing contracts or consider a change of service providers, to access new innovative technologies and thereby respond to supervisors' demands for changes to legacy IT systems.
With the EBA's detailed position on outsourcing arrangements and the corresponding adherence of competent national authorities to it, institutions have a substantive basis in contract negotiations with respect to the regulatory requirements on outsourcing.