14 March 2019
A new risk assessment model for outsourcing.
In 2006, the Committee of European Banking Supervisors (CEBS) published guidelines on outsourcing of credit institutions' business activities. The aim of the CEBS guidelines was to promote an appropriate level of convergence in supervisory approaches to outsourcing.
In 2017, the European Banking Authority (EBA) supplemented this with cloud outsourcing recommendations. It was felt that the existing guidelines did not take account of the increasing use of outsourcing and the new challenges and opportunities in fintech. The guidelines also required updating to take account of new law including PSD2 and MiFID II and to ensure harmonised definitions.
The EBA has now finalised new outsourcing guidelines. The new EBA guidelines have a wider scope than their 2006 predecessor and apply to all financial institutions within the EBA's mandate including credit institutions, investment firms and payment and electronic money institutions.
The guidelines pull together a revised version of the CEBS 2006 guidelines and the 2017 cloud outsourcing recommendations. They are to be read alongside other applicable guidelines and laws to help create a harmonised framework for relevant institutions.
The guidelines provide a risk assessment model for relevant institutions to follow when considering outsourcing (or sub-outsourcing). The risk assessment focuses on availability, integrity and security of data and the quality and oversight of potential and actual outsourcing arrangements and should be regularly reviewed.
Once a relevant institution has decided to proceed with an outsourcing arrangement, it should take into account the guidelines' recommendations on the importance of internal governance arrangements and the role of competent authorities in reviewing and monitoring compliance.
Crucially, the majority of the guidelines apply only to "critical or important" outsourcings. Cloud outsourcing is not necessarily treated as a critical or important outsourcing, although the guidelines note that the special risks of such arrangements should be considered.
Relevant institutions should familiarise themselves with the updated requirements to ensure compliance and to understand the regulatory framework applying to outsourcing, particularly if the institution is looking at outsourcing or renewing an outsourcing arrangement for any function that falls in the 'critical or important' category.
Service providers providing outsourced services to relevant institutions will benefit from understanding the legal context in which their customers operate, as this may impact on their approach to contractual negotiations, service management and the exercise of rights under the arrangement.
The EBA Guidelines apply from 30 September 2019 (with limited exceptions), in relation to all outsourcing arrangements which are entered into, reviewed or amended from then.
The transitional arrangements provide that relevant institutions should review and, where necessary, amend existing arrangements before 31 December 2021 to ensure compliance with the revised guidelines. If an institution expects not to meet this deadline for revision, it should contact the appropriate competent authority to provide details of the measures to complete the review or the exit strategy.
Do the EBA guidelines apply – what is a "critical or important" function?
Relevant institutions are required to self-assess whether an outsourcing is critical or important. The guidelines set out 13 relevant considerations. Three are mandatory criteria which, if present, will inevitably mean the function is critical or important. The remaining ten factors are risk-based criteria to be applied in context.
The mandatory criteria focus on the institution's ability to keep providing its services in a regulated and authorised manner, namely:
The risk-based criteria require the institution to consider a variety of subjective factors in assessing whether an activity is critical or important. These include:
Part of the risk assessment process requires relevant institutions to maintain an internal register of all outsourcing arrangements. This must distinguish between critical or important and other outsourcings.
The register should hold at least basic factual information about the nature of the outsourced function, the provider and its location, the contractual terms, and information about the assessment of criticality or importance.
In respect of critical or important outsourcing arrangements, greater detail is needed relating to sub-outsourcing information, costs, contract approvals and management and transferability of the service provider.
All outsourcing agreements must be agreed in writing and, to assist with legal and regulatory compliance, the guidelines require that contracts give the outsourcer and the relevant regulator audit rights (including access rights) in respect of their providers of outsourced services "at least" in relation to critical or important outsourcing.
While joint audits and third party audits are generally acceptable, the guidelines also confirm that an institution should not rely solely on joint reports to satisfy its risk assessment.
Where the contract deals with audit and inspection rights, they must be unrestricted. Regulators must be able to exercise the same rights and these must apply to all outsourcing, not only to critical or important outsourcing.
Service providers should generally be given notice of on-site inspections but the contract should leave it open for inspections to be carried out with little or at short notice in emergency or crisis situations or where providing advance notice would mean the audit was no longer effective.
Whether audit and inspection rights should be provided for in non-critical or important situations should be assessed on a case-by-case basis in line with the principle of proportionality.
Contracts for critical or important outsourcing need to deal with permitted sub-outsourcing. Prior permission to sub-contract must be given but this can be general or specific. Contracts must be specific about the types of activities which cannot be sub-outsourced and should stipulate whether sub-outsourcings are permitted by service provider.
Institutions must ensure the contract gives them a right of termination in the event of undue sub-outsourcing. Any sub-outsourcing of critical or important functions must be recorded in the outsourcing register. The outsourcing institution must retain rights of audit and inspection in respect of sub-outsourcers.
Ending an outsourcing – termination and exit
The EBA guidelines specify minimum grounds for terminating an outsourcing arrangement. Along with termination for material breach and for weakness in managing data, an institution should be able to terminate the arrangement where it identifies impediments or material changes in the outsourced function or the provider, or where it is instructed to do so by a competent authority.
The outsourcing agreement should specify what happens on termination through documented exit provisions. The exit provisions should aim to provide for an orderly transition of services without undue disruption to services, whether to the outsourcer or another service provider.
The guidelines state that the exit strategy should cover the parties' responsibilities in winding down and transferring the services, the transition timeframe, how material risks are to be managed, monitoring arrangements, and treatment of data.