EBA Final Guidelines on Outsourcing

On 25 February 2019, the European Banking Authority (EBA) published revised (final) guidelines on outsourcing arrangements (Guidelines) for credit institutions and certain investment firms (institutions) as well as payment and electronic money institutions (payment institutions). The Guidelines amend and finalise previously published draft guidelines in light of extensive consultation responses from the industry and industry bodies.

Introduction

Subject to each national regulatory authority incorporating the Guidelines into national regulatory frameworks, the Guidelines will take effect on 30 September 2019. There is also a backstop date for upgrading pre-existing contracts to comply with the Guidelines by 31 December 2021.

The Guidelines support harmonisation of existing regulation and guidance applicable to different types of financial services firms. The entry into force of the Guidelines will be simultaneous with the repeal of the CEBS guidelines on outsourcing and the EBA recommendations on outsourcing to cloud providers (the latter have been folded into the Guidelines).

Although there has been significant refinement of the Guidelines further to consultation, all key requirements remain broadly intact (relative to the prior consultation draft).

Summary

The Guidelines provide a detailed framework of requirements relating to outsourcing, which take into account or are consistent with current requirements for relevant financial services firms, such as the Capital Requirements Directive and MiFID II.

In essence, the Guidelines set out obligations in respect of end-to-end governance over an organisation’s outsourcings and contractual arrangements with outsourcers. These obligations must be complied with for new outsourcing arrangements and/or the renewal of existing arrangements on or after 30 September 2019 (with a backstop date for upgrading pre-existing contractual arrangements to comply with the Guidelines by 31 December 2021). The Guidelines introduce the following key changes:

  • more examples of when an arrangement comprises an outsourcing, and guidance as to how to assess when it will be considered to be related to an activity or function that is “critical or important” (to which a broader set of obligations apply)
  • requirements for more thorough internal governance arrangements which, for example, include:
    • a comprehensive outsourcing policy
    • an emphasis on the required monitoring of outsourced service providers’ performance
    • designation of a senior member of staff with overall responsibility for oversight of outsourcing, who will report to the management body
    • enhanced expectations with regard to intra-group outsourcings and arrangements (to be treated equivalently to external third-party outsourcings)
    • arrangements and information flows to be in place where one group entity exercises group-wide management functions in relation to outsourcing
  • more prescriptive termination rights that should be included in a written outsourcing agreement (eg a right to terminate if there is: a breach of law; an identified impediment capable of altering the performance of the outsourced services; material changes affecting the outsourcing arrangement or the service provider; information security breaches; and/or an instruction from a competent authority)
  • the requirement for exit management plans for all outsourcings (which must be documented if an outsourced activity or function is “critical or important”)
  • additional assessment criteria to be considered in relation to an outsourcing, including assessment of concentration risks and aggregate risks from outsourcing a large number of functions across the institution or payment institution
  • increased access and audit rights for institutions/payment institutions, competent authorities and any other person appointed by them, which include access rights to the service provider’s offices and operations centres and to the full range of devices, systems, networks, information and data used for providing the outsourced process, service or activity. The Guidelines also provide more detail around the types of audit (or alternatives to formal audit) that might satisfy regulatory requirements in certain circumstances (eg the use of pooled audits or service provider certifications), and
  • requirements for outsourcing registers (covering all outsourcings but splitting out critical and important outsourcings from others), parts of which are required to be provided to competent authorities on request.

Key Revisions

  • Effective Date and Transitional Period
    The EBA has delayed implementation of the Guidelines by three months (previously scheduled for the end of June 2019, now scheduled for the end of September 2019) and extended the transitional period by a year (up to the end of 2021), during which all relevant pre-existing contractual arrangements are required to be remediated as necessary to conform with the Guidelines.

  • Differentiating “critical or important” outsourcings
    The revised Guidelines reduce, but do not eliminate, obligations applicable to any outsourcing agreement that is not related to a “critical or important” function, although it is fair to say that regulatory expectations in respect of this category of less material outsourcings have also increased (particularly with regard to governance and inclusion in the outsourcing register). The EBA has now given further helpful guidance within the Guidelines as to certain types of contract that it would not consider to be outsourcings at all.

  • Documentation
    The Guidelines include the obligation for institutions and payment institutions to appropriately document the assessments they make as part of due diligence, risk assessments and analysis of whether the outsourced function qualifies as “critical or important”.

  • Outsourcing Register
    The final Guidelines have further built out the requirements in respect of the information to be included in a register of outsourcings, such that the register provides a broader representation of whether other aspects of the Guidelines (particularly with regard to governance) are being observed for each contract.

Action List

  • create or update the existing outsourcing policy for all relevant entities to align with the Guidelines
  • create or update ancillary documentation supportive of the outsourcing policy and compliance with the Guidelines, eg:
    • vendor due diligence questionnaire
    • business continuity plans
    • Title IV assessments (which will be required to cover a range of matters, eg pre-contractual due diligence and performance monitoring), and
    • exit strategies and/or exit plans.
  • develop and/or update a register of all outsourcing arrangements which meets all of the requirements specified in the Guidelines
  • develop and/or update template outsourcing contractual terms (and guidance for negotiation of these terms in light of the Guidelines) and use these in all outsourcing contracts (whether third-party or intra-group) to be entered into after 30 September 2019
  • refresh internal governance arrangements to ensure compliance with requirements under the Guidelines, eg:
    • a senior member of staff should be designated to oversee outsourcing arrangements
    • a sound outsourcing policy and outsourcing processes should be put in place, and
    • a process for identifying, assessing and managing risks should be implemented.
  • carry out due diligence on and remediate (by end of 2021 at the latest) any existing outsourcing arrangements (whether third-party or intra-group) to ensure compliance with the Guidelines. This exercise may also reveal deficiencies against requirements which pre-existed the Guidelines but which are attracting more regulatory scrutiny and therefore should be revisited. There should be a focus not only on contractual terms but related documents and governance (eg with regard to exit management, business continuity, risk assessment, audit and monitoring etc).

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.