Callum Sinclair: What you need to know about changes to the European Banking Authority outsourcing guidelines

The European Banking Authority (EBA), has published new outsourcing guidelines to replace the 2006 Committee of European Banking Supervisors (CEBS) guidelines, with effect from the end of September 2019. We are already working with financial sector clients to ensure that their arrangements with service providers are compliant, so what do you need to do to ensure you are ready?

Callum Sinclair, partner and head of Technology and Commercial at Burness Paull, by Lisa Ferguson
Callum Sinclair, partner and head of Technology and Commercial at Burness Paull, by Lisa Ferguson

The current guidelines, and the EBA 2017 outsourcing to cloud service provider recommendations, will be replaced, with the current terms being harmonised and implemented into the new guidelines.

They apply to all financial institutions within EBA’s remit, including banks, building societies and certain investment firms, and they will include fintech businesses engaged in certain payment and e-money activities.

Outsourcing arrangements to cloud service providers remain subject to the current rules in the meantime.

The guidelines apply to all outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019.

Institutions are required to make “every effort” to comply with the guidelines on all new and existing arrangements by 31 December 2021, or face penalties, and so now is the time to act.

Under the new guidelines, stricter rules apply to the outsourcing of critical or important functions.

However, all outsourcing will be covered by the new guidelines, including intra-group arrangements.

Specific provisions for governance of outsourcing arrangements are provided for, including supervisory expectations and processes.

Each institution’s management body remains responsible for that institution and all of its activities at all times.

Outsourcing cannot lead to a situation where an institution becomes an ‘empty shell’ lacking the substance to remain authorised.

There is a requirement for institutions to produce an Outsourcing Policy, which is to be reviewed and revised on a regular basis in order to provide a high level of governance.

Regulators must be readily able to access all outsourcings, which are to be documented in a register.

The principle of proportionality applies. Institutions must apply the guidelines in a manner that is appropriate, taking into account the institution’s size and internal organisation, and the nature, scope and complexity of its activities.

Arrangements with third parties considered as outsourcing are also defined. While the EBA acknowledges some remaining relevance in distinguishing between “outsourcing” and “purchasing”, the guidelines have not adopted a definition of purchasing specifically – careful consideration and appropriate advice is recommended.

What actions should financial institutions take to ensure compliance?

Before entering into, reviewing or amending outsourcing arrangements, institutions should ensure that:

- Sufficient resources are available to appropriately support outsourcing arrangements;

- Whoever is performing audits of outsourcing arrangements has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively

- They are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes

- The service provider implements appropriate technical and organisational measures to protect data.

In addition, institutions should assess whether:

- the outsourcing arrangement concerns a critical or important function

- the supervisory conditions for outsourcing are met

- Outsourcing arrangements will potentially impact their operational risk

- There are any relevant risks and conflicts of interest with regard to the outsourcing agreement.

Outsourcing arrangements should expressly allow the institution to terminate and exit the outsourcing arrangements without undue disruption to their business activities, and facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution.

All existing outsourcing arrangements should be reviewed as soon as possible, and an updated register of information maintained which distinguishes between outsourcing of critical or important functions and other outsourcing arrangements. Whilst this may seem burdensome, it can be used as an opportunity to review and, if appropriate, renegotiate outsourcing contracts currently in place, with the new rules as leverage.

A failure to act could soon result in some unwanted regulatory attention.

Callum Sinclair is a partner and head of Technology & Commercial at Burness Paull