With the release of the EBA's updated outsourcing guidelines for financial institutions on 26 February 2019, a single regime encompassing both outsourcing and cloud outsourcing has been introduced. This regime is one that is far more expansive, detailed and prescriptive for financial institutions caught within its remit.
Rather than only applying to credit institutions, as the previous 2006 guidelines did, the new guidelines also apply to investment firms and payment and e-money institutions. Thus, not only will institutions already covered by the 2006 guidelines need to step up compliance to reflect the 2019 guideline's more rigorous framework, but also a number of financial institutions not caught by the previous regime will need to ensure compliance with the heightened requirements right from the outset.
What's the purpose of the new guidelines?
The EBA released its new outsourcing guidelines for financial institutions on 26 February 2019. These guidelines will replace both the EBA's previous 2006 guidelines and the EBA's recommendations on cloud outsourcing released in 2017 (as these have been integrated into the 2019 guidelines).
The 2019 guidelines reflect the underlying need identified by the EBA to update the 2006 guidelines to take into account the continued and increasing use of IT and FinTech solutions by financial institutions, particularly in respect of cloud solutions. While the outsourcing of activities is often seen as a way to reduce costs and improve efficiencies within a business, the EBA's focus is on ensuring financial institutions retain an appropriate level of control and oversight of their outsourced functions.
The 2019 guidelines will come into force on 30 September 2019, although there will be a transitional period until 31 December 2021 (mostly to allow financial institutions to complete their internal assessments of current outsourcing arrangements and to document these in a register).
The 2019 guidelines: key areas to note
The previous 2006 guidelines only applied to credit institutions. The 2019 guidelines will apply to all financial institutions within the EBA's mandate, namely: credit institutions, investment firms, and payment and e-money institutions.
Consequently, a number of new categories of financial institutions will now fall within the scope of the 2019 guidelines and so will need to ensure they are capable of applying this more rigorous framework from the outset.
2. Critical or important outsourcings
The 2019 guidelines draw a distinction between the outsourcing of "critical or important functions" and the outsourcing of those that are not (drawing upon the wording of MiFID II in respect of that term).
The EBA has decreased the number of guidelines that are directly applicable to non-critical or important outsourcings following criticism of the draft guidelines published last year. However, institutions are still required to take a risk-based approach in assessing each outsourcing activity. Thus, in certain circumstances, a non-critical/-important outsourcing could be within scope of the more stringent requirements that always apply to the outsourcing of critical or important functions.
Institutions need to have regard to the principle of proportionality in applying the 2019 guidelines and so should be acting in an appropriate manner that takes into account the relevant circumstances of an outsourcing, such as an institution's size, its internal organisation, and the nature, scope and complexity of its activities.
Ultimately, it is for the institution to identify whether a function being outsourced is critical or important. However, there are certain deemed critical or important functions, and guidelines as to indicators of a critical or important function in Section 4 of the guidelines.
3. Intra-group arrangements
The 2019 guidelines are as applicable to intra-group outsourcing arrangements as they are to outsourcing arrangements with external service providers. As the EBA highlights, intra-group outsourcings are not necessarily less risky and institutions still need to ensure that all relevant risks are identified and areas of mitigation and control are put in place.
However, the EBA understands that institutions are more likely to have a higher level of control over group activities and so this would be something that can be taken into account in an institution's risk assessment of an intra-group outsourcing.
4. Existing arrangements
Institutions need to review and, where required, amend their existing outsourcing arrangements to ensure that these are compliant with the 2019 guidelines. Where an institution is unable to finalise this review and amendment exercise in respect of the outsourcing of its critical or important functions by 31 December 2021, it will need to inform its competent authority, including providing measures as to how it plans to complete the exercise.
5. Outsourcing policy
One of the main aims of the 2019 guidelines is to ensure that the outsourcing of functions by institutions does not result in the delegation of the management body's responsibility for the activities of the institution and compliance with its regulatory obligations. Management bodies need the ability to appropriately oversee and manage the outsourcing of functions by the institution.
As such, the guidelines require management bodies to have in place, and regularly review and update, an outsourcing policy that deals with the main phases of the life cycle of an outsourcing arrangement: planning, due diligence, risk assessments, implementation, monitoring and management, record-keeping, and exit strategies and termination processes. The 2019 guidelines also specify a number of areas of internal governance that institutions should have regard to, including how to identify and manage conflicts of interest and maintaining business continuity plans in respect of outsourced functions.
6. Maintaining a register
Institutions need to keep an updated internal register of all their outsourcing arrangements (including in respect of sub-levels of outsourcing where subcontractors etc. are used). The register must distinguish between outsourcings of critical or important functions, and other outsourcings. Where requested to do so, institutions must make their register available to their competent authority and may also be required to provide such authority with a copy of outsourcing arrangements they have in place if requested by the authority so as to enable it to execute effective supervision. Drawing up such a register, with the required level of detail, may be a significant undertaking for such institutions.
7. Access and audit rights
For critical or important functions, institutions need to ensure that their outsourcing agreements allow for the institution (and its competent authorities) to have full access to relevant information, systems, data, personnel and premises used in providing the outsourced function, as well as "unrestricted" rights of inspection and audit that enable the institution to monitor the arrangement and to ensure compliance with regulatory and contractual requirements.
For non-critical/-important outsourcings, institutions should apply a risk-based approach as to whether the inclusion of such information, access and audit rights are required, including taking into account whether the outsourced function might become critical or important over time.
Institutions can use "pooled" audits that are organised jointly with other customers of the same service provider or audit reports provided by the service provider. However, in respect of a critical or important outsourcing, institutions should consider whether reports of the service provider are sufficient for compliance with their regulatory obligations (and they should not be solely relying on such reports over time). Thus, for these outsourcings, some form of external audit its effectively essential.
8. Contractual requirements and sub-outsourcings
Similarly to the 2006 guidelines, a written agreement is required for all outsourcings by institutions.
For critical or important outsourcings, the 2019 guidelines include a number of specific provisions that need to be included in the outsourcing agreement, such as:
- whether sub-outsourcings are permitted and, if so, any parameters applicable;
- the location of data (by country/region);
- agreed service levels;
- obligations on the service provider to cooperate with applicable authorities;
- unrestricted rights of inspection and audit; and
- specific termination rights.
All outsourcing agreements should make clear whether sub-outsourcing is permitted under the agreement. However, where a critical or important function is being outsourced, the institution must also include specific requirements on the service provider, including, for example:
- requiring the service provider to obtain written consent from the institution before any sub-outsourcing of data (although this can be a general consent, as well as prior specific consent);
- an obligation to notify the institution of any planned sub-outsourcings or material changes to any sub-outsourcings; and
- rights for the institution to object to a sub-outsourcing "where appropriate".
9. Security of data and systems
Where relevant, but particularly in respect of ICT or cloud outsourcing, institutions need to ensure that service providers comply with appropriate IT security standards and that there are defined data and security requirements within the outsourcing agreement. When dealing with outsourcing arrangements that involve the transfer of personal data or confidential data or involve cloud providers, institutions should also be taking a risk-based approach when considering data processing and storage locations.
This may well be an area of focus for the EBA considering its involvement in the ESA's April 2019 advice notes highlighting the risks of security failures in ICT use and the potential for increased cyber threats.
10. Exit strategies
For critical or important outsourcings, institutions must have a documented exit strategy that aligns with their outsourcing policy and business continuity plans. However, in all circumstances institutions should ensure that they can exit outsourcing arrangements without undue disruption to their business activities or the continuity and quality of service provision to their customers and without limiting their regulatory compliance. This might, for example, include developing sufficiently comprehensive and tested exit plans and having identified appropriate alternative solutions and developing transition plans in respect of outsourced functions.
Continued regulatory concern
The EBA's new guidelines reflect a growing concern amongst European financial regulators with the potential for cross-border cyber threats due to the continued reliance on outsourced technologies. As noted in the Joint European Supervisory Authorities (ESAs) April 2019 advice notes, tackling cybersecurity risks is fundamental to protecting the stability of the EU financial system, but this will need to be undertaken as a coherent framework across the EU financial sector if it is to create cross-border cyber resilience.
In particular, the ESAs propose that the risks posed by the provision of critical services by third party ICT service providers needs to be more clearly managed through a cross-border oversight framework. Issues with operational resilience of third party providers can cause significant disruption to services, leaks of sensitive customer and corporate information, and an overall erosion in the trust placed in financial institutions.
For the ESAs, these risks are amplified through the popular use by the financial sector of a relatively limited number of cloud service providers. This concentration of use could mean that if any one such cloud service provider was subject to a serious security failure, there could be substantial impacts across the European financial system.
The ESAs suggest in their April advice notes to the European Commission that a legislative solution could be considered to put in place an appropriate oversight framework to monitor activities of those third party service providers that act as "critical service providers" (but this should particularly be considered for cloud service providers). While the focus of this article is on the 2019 outsourcing guidelines (above), further reading on the ESAs April advice notes is available here and here.
In light of financial institutions' growing use and embrace of new technologies, and the increased concern of the European regulators over the cross border risks posed by reliance on third party ICT providers, the aim of the EBA with the 2019 guidelines was to establish a more harmonised framework for outsourcing. With that aim in mind, it is no surprise that the 2019 guidelines are rather more detailed and expansive than the 2006 guidelines, with a more prescriptive approach to how financial institutions should be approaching outsourcings.
Osborne Clarke comment
Overall, the 2019 outsourcing guidelines represent a much more expansive, detailed and prescriptive regime for financial institutions caught within its remit – a remit that in itself is far broader than the 2006 regime. Credit institutions, investment firms and payment and e-money institutions will now all need to take note of the heightened requirements within the 2019 guidelines.
Firms operating in the FinTech space will feel the impact of this tighter, more robust outsourcing framework from the EBA. The following types of firms or businesses, in particular, should familiarise themselves with the 2019 guidelines:
- e-money institutions and payment institutions;
- challenger banks;
- ICT providers; and
Existing outsourcing arrangements will need to be reviewed and assessed against the 2019 guidelines. All new requirements must be implemented in terms of outsourcing procedures, policies and outsourcing agreements. A significant additional compliance burden will be involved, particularly in relation to the sub-contracting of critical or important functions. Going forward, sub-contractors will find they are subject to much greater control. Osborne Clarke can assist you in understanding how the 2019 guidelines apply and with your implementation plans.