The European Banking Authority (EBA) today launched a public consultation on its draft Guidelines on outsourcing. These Guidelines, which review the existing CEBS Guidelines on outsourcing published in 2006, aim at establishing a more harmonised framework for outsourcing arrangements of all financial institutions in the scope of the EBA’s action. The draft Guidelines provide a clear definition of outsourcing and specify the criteria to assess whether or not an outsourced activity, service, process or function (or part of it) is critical or important. In particular, the revised Guidelines cover credit institutions and investment firms subject to the Capital Requirements Directive (CRD), but also payment institutions subject to the revised Payment Services Directive (PSD2) and electronic money institutions subject to the e-money Directive. The consultation runs until 24 September 2018.
In recent years, there has been an increasing tendency by institutions to outsource activities in order to reduce costs and improve flexibility and efficiency. In the context of digitalisation and the increasing importance of information technology (IT) and financial technologies (FinTech), financial institutions are adapting their business models, processes and systems to embrace such technologies. Outsourcing to cloud service providers has rapidly gained importance in many industries. Overall, IT has become one of the most prevalent outsourced activities. Outsourcing is also relevant in the context of gaining or maintaining access to the EU financial market. In particular, third-country institutions may set up subsidiaries or branches in the EU in order to get or maintain access to EU financial markets and infrastructures, while the parent institution would provide a material part of the business activities.
The revised Guidelines deal with the responsibilities of the management body for the establishment of an appropriate framework for outsourcing, its implementation and application in a group, the due diligence process and risk assessment before entering into such arrangements. The Guidelines also clarify aspects related to the contractual arrangements, the monitoring and documentation of outsourcing arrangements as well as the supervision by competent authorities.
Against this background, the Guidelines specify that the responsibility of the institution’s management body can never be outsourced. Outsourcing must not lead to a situation where an institution becomes a so-called ‘empty shell’ that lacks the substance to remain authorised. Institutions must remain able to oversee all risks and to manage outsourcing arrangements. Institutions should be able to effectively control and challenge the quality and performance of outsourced processes, services and activities, and carry out their own risk assessment and ongoing monitoring.
The Guidelines set up a framework for the due diligence process of institutions with the objective of ensuring that functions are only outsourced to reliable service providers so that the ongoing provision of services and compliance with regulatory requirements are ensured. Institutions must ensure audit and access rights in written outsourcing agreements both for themselves and for competent authorities and are required to maintain a register of all outsourcing arrangements.