In a rapidly evolving digital world, financial and payment institutions are trying to work more efficiently by outsourcing certain parts of their activities to (third party) service providers. It is a way to get quick access to new technology and to be more cost efficient. The EBA is now updating the outsourcing framework for financial institutions to ensure that outsourced activities function better. What will actually change for you as a financial institution? The new requirements and guidelines ensure better arrangements with (third party) service providers, so that financial institutions can better control and mitigate the risks, and monitor the performance, of working with service providers.
Although the guidelines apply from 30 September 2019 to all outsourcing arrangements entered into, reviewed or amended, institutions have time until 31 December 2021 to inform their competent authority of the arrangements, including the measures planned to complete the review or the possible exit strategy from an outsourcing arrangement.
Feeling overwhelmed at the thought of going through the whole 71-page EBA paper? No worries, we’ve summarized the biggest changes for you in this article, which is built around 5 specific topics.
1. Proportionality: groups and institutional protection schemes
The guidelines are subject to the principle of proportionality, which means that the governance arrangements should be in line with the risk profile, business model, scale and complexity of the outsourced business function. The fact that outsourcing occurs intra-group or between parties who fall under the same institutional protection scheme doesn’t affect the applicability of the guidelines.
2. Assessment of outsourcing arrangements
Outsourcing is defined as an arrangement between an institution and a service provider to perform a process, service or activity that would normally be undertaken by the institution itself. The criticality or importance of the activity or service also determines whether or not the arrangement has to comply with the guidelines.
3. Governance framework
The guidelines require the setup of a risk management framework and don’t allow institutions to outsource their management responsibilities and accountabilities. Proper policies should be in place, in line with the EBA guidelines on internal governance. Policies on conflicts of interest, business continuity plans and the possibility to carry out internal audits should together guarantee an all-encompassing governance framework. Institutions are required to keep a central register of all outsourcing arrangements, including those for functions that are not critical or important, and to report it to the authorities.
4. Outsourcing process
The process to follow when agreeing a compliant outsourcing arrangement is also described in the guidelines. The contract should follow an initial pre-outsourcing analysis and set out a number of contractual aspects, especially if the outsourced function is critical or important. A contract also needs to set out the obligation to have solid data and IT systems security, together with defined access, information and audit rights. Some termination rights are expressly allowed in a number of situations. The institution always needs to keep oversight of the outsourced functions and prepare exit strategies in case of reduced service levels or termination of the contract.
5. Guidelines on outsourcing addressed to competent authorities
In addition to guidelines for institutions, the EBA guidelines also address the competent authorities. They should make sure they can effectively supervise both institutions and service providers, who are obliged to grant audit and access rights to the competent authority and to the institution. Among other things, the competent authorities also have the right to ask for more detailed information than what is reported in the register, so that they can monitor overall risks and take appropriate action, such as restricting an agreement or requiring exit from a certain contract. This also applies to outsourcing outside the EU/EEA.
The complete EBA paper can be found via the button below. For more information, don’t hesitate to contact our team.