New regulatory guidelines on outsourcing by UK banks could harm competition and hamper digital innovation unless significant changes are made.
The European Banking Authority (EBA) is currently weighing up submissions made in a consultation exercise which will shape the drafting of new outsourcing guidelines. In consultation submissions, our finance services technology team argued that some technology service providers could be persuaded not to enter the financial services market due to the onerous obligations banks could be required to place on them.
Banks too might develop an overly cautious approach to outsourcing and miss out on innovative digital solutions available in the market as a result of a lack of clarity in the EBA’s guidelines. The new EBA guidance will be an important document as, when finalised, it will update the existing outsourcing guidelines that have been in place since 2006, as well as separate cloud outsourcing recommendations which only came into effect in July.
Our response highlighted a number of deficiencies with the EBA’s draft guidance, including in relation to requirements around audit rights and sub-contracting arrangements the regulator has proposed. However, more fundamental issues were identified, including the broad scope of the proposed new guidelines and it is our view that the new guidelines should only apply to “critical or important outsourcings” engaged in by financial institutions.
We have called on the EBA to disapply the guidelines with regard to the outsourcing of non-critical or non-important functions. If they follow our recommendation, this would provide more clarity and enable institutions to focus their resources on applying the guidelines to arrangements in a proportionate and risk-based manner to critical or important outsourcings.
It is also unclear why an institution would need to maintain detailed records of non-critical or non-important outsourcings, as this will not enable authorities to monitor operational and concentration risk in the banking industry in any meaningful way.
We feel this broad application of the guidelines will stifle competition, as smaller technology providers will lack financial or operational resources to meet the requests of institutions seeking to implement the guidelines to their arrangements with those providers. In turn, this may create an uneven playing field by making it more challenging for small providers to meet these requests, meaning they are forced to focus on clients outside financial services. This cannot be in the interests of the banking industry as it leaves institutions with less choice.
The EBA’s proposed definition of “outsourcing” is also too broad and does not reflect the reality of how institutions in the market now operate. As IT services continue to evolve, particularly cloud-based ones, there are many activities which, in a practical sense, would never be undertaken by the institution. Accordingly, we recommend the EBA clarify that, where an IT service is not critical for the provision of continuous and satisfactory service to clients, it should not be considered one that “would otherwise be undertaken by the institution” and, consequently, fall outside the definition of outsourcing.
The Financial Conduct Authority has announced that its cloud computing guidance no longer applies to banks, who should follow the EBA’s recommendations on cloud outsourcing. We have been here before.
In May 2017, the EBA published its draft cloud recommendations for consultation. That prompted a significant response from industry and led to improvements and clarifications being made when the finalised cloud recommendations were issued in December. Let us hope the EBA are again listening to legitimate concerns.
- Luke Scanlon, senior technology lawyer and head of fintech propositions, Pinsent Masons.