The European Banking Authority (EBA) published the final version of the “EBA Guidelines on outsourcing arrangements” (hereafter Guidelines) on 25 February 2019.
The Guidelines describe the way in which financial institutions enter into, monitor and control outsourcing relationships and entered into force on 30 September 2019. All outsourcing agreements entered into on or after this date must comply with the new Guidelines. Existing outsourcing agreements are subject to a transitional regime, whereby the agreements must be adapted in accordance with the Guidelines on the next occasion on which the contract can be awarded, but in any case before 31 December 2021.
Outsourcing is a proven way to gain access to (technological) innovations and economies of scale. However, outsourcing also creates new risks for financial institutions, third parties and regulators. The new Guidelines aim to identify, address and mitigate these risks.
Comprehensive outsourcing guidelines at European level
The Committee of European Banking Supervisors (CEBS), the predecessor of the EBA, published outsourcing guidelines in 2006. These guidelines expired when the Guidelines entered into force on 30 September 2019. The new Guidelines also replace the EBA recommendations for outsourcing to cloud service providers published in 2018. With the new Guidelines, the EBA is introducing comprehensive outsourcing guidelines, which will set a new standard for financial institutions within the EU. This is in line with the call from supervisory authorities for more overarching regulations instead of a complex collection of separate and local directives.
Financial institutions fall within the scope of application of the General Data Protection Regulation (EU) 2016/679 and must comply with it.
The Guidelines require that the outsourcing policy of financial institutions be consistent with the outsourcing life cycle, with risks and responsibilities being addressed on a stage-by-stage basis.
In order to clearly indicate the requirements for each phase, the Guidelines consist of the following components:
See the full article in the PDF for a detailed explanation per section.
While the new Guidelines affect not only financial institutions but also regulators and service providers, the impact of the new regulations on outsourcing activities and the associated risk will vary from one party to another.
Supervisors should monitor a new form of concentration risk
The National Bank of Belgium (NBB) issued circular BNB_2019_19 on 19 July 2019, integrating the Guidelines into its regulatory practice. The circular specifies the practical arrangements for reporting and communication to the supervisory authority when certain activities are outsourced to third parties.
On 31 December 2021 the circular will replace:
In addition to the supervision of financial institutions, the new Guidelines make the NBB responsible for monitoring concentration risk. This risk arises when certain business activities are outsourced by different financial institutions to the same service provider. This can jeopardize the continuity and operational resilience of financial institutions if the service provider runs into (financial) problems. Because outsourcing agreements are not, or not fully, registered centrally, no complete picture of this risk currently exists.
The Guidelines stress that financial institutions should include a clause in the outsourcing policy and agreement that gives the NBB and other supervisory authorities the right to carry out inspections as and when deemed necessary. Although this clause was already made mandatory in previous EBA guidelines, in practice, it appears that the clause is often not included in outsourcing agreements.
Financial institutions are reminded of their duty of care
The new Guidelines will have a major impact on financial institutions, giving rise to a broad range of issues and challenges:
See the full article in the PDF for a detailed explanation per section.
The new Guidelines will have a major impact not only on financial institutions, but also on service providers. Although they do not directly fall within the scope of the Guidelines, financial institutions are expected to impose the requirements on service providers in order to comply with the new Guidelines. As a result, FinTech companies and other entrants will face the challenge of remaining innovative and competitive in a rapidly changing market, while at the same time confronting the administrative challenges of (indirectly) complying with the Guidelines. In particular, implementing robust management processes and meeting (internal) documentation requirements can significantly increase the burden on emerging service providers.
The Guidelines have a far-reaching impact on the financial sector and on banks and their service providers, in particular. The governance framework of the institutions should be reviewed and possibly revised regarding several aspects to ensure compliance with the new regulations. In addition, with the rise in outsourcing, it is becoming increasingly important for financial institutions to have good internal control. Built-in controls play an important role in this, such as the “three lines of defense” model in which segregation of duties and monitoring by independent departments are maintained. Adapting the governance framework, outsourcing policy, processes, outsourcing agreements, etc. is time-consuming and needs to be done thoroughly, but above all, in a timely manner in order to avoid sanctions by supervisory authorities.
The Guidelines entered into force on 30 September 2019. It is therefore important that financial institutions and service providers carry out a detailed review of, among other things, the outsourcing policies and agreements and revise them where necessary in order to comply with the new Guidelines.
In practice, we see that financial institutions often underestimate the detailed review and that the necessary adjustments to comply with the Guidelines prove to be more complex than initially thought. Reviewing and adjusting the outsourcing policy is often not possible without an update of the governance policy, which creates the risk that parts are overlooked and inconsistencies occur between the various documents. It is therefore important that institutions carry out a timely and thorough review in order to avoid challenges due to time pressure and complexity.
In addition, we would like to stress that financial institutions must be careful not to become an “empty shell” due to the increasing degree of outsourcing. As described above, the institution must retain ultimate responsibility. With the new Guidelines, there will be a renewed regulatory focus on this area, with potentially far-reaching consequences if the conditions of the licenses are no longer met.
KPMG can assist with every phase of the outsourcing life cycle. Our team has the right expertise, experience and sector knowledge to help with detailed risk analysis and the approach for effective management of outsourcing risks. The KPMG control framework ensures that all aspects of the Guidelines are considered and that you comply with the requirements of the new regulations.