EBA revised guidelines on outsourcing

On 25 February 2019, the European Banking Authority (EBA) published its final revised Guidelines on outsourcing arrangements.

The Guidelines will apply from 30 September 2019 and are addressed to competent authorities - including the European Central Bank (ECB) - as well as credit institutions, payment institutions and electronic money institutions. Once applied, the final Guidelines will repeal the 2006 guidelines on outsourcing and the EBA’s recommendation on outsourcing to cloud service providers.

These Guidelines echo the ECB’s supervisory priorities for 2019, which focus on IT and cyber risks via targeted on-site inspections and the continuation of the SSM cyber reporting process. They are also consistent with the PRA’s supervisory expectations on outsourcing and on operational resilience more generally. Furthermore, they are complementary to other related regulatory requirements such as the recent EBA Guidelines on ICT and security risk management or the EBA recommendations on outsourcing to cloud service providers. This mounting volume of ICT-related publications demonstrates the increasingly strong regulatory and supervisory focus on all aspects of operational resilience.

Background of the Guidelines

The final revised Guidelines come at a time when the fast changing technological landscape is already challenging the banking sector in a low interest rate environment in which outsourcing can be an opportunity for banks to reduce costs and improve their efficiency.

The EBA thus acknowledges the continued importance of new financial technology providers that are leading financial institutions to adapt their business models. This change in traditional banking business models has triggered the need for updated guidance on governance, risk management and other security measures related to outsourcing.

Implications for firms

The final revised Guidelines have kept many of the main themes of the draft Guidelines, such as additional guidance on which arrangements with third parties should be considered “outsourcing” and which criteria should be taken into account when identifying critical or important functions. Furthermore, for the outsourcing arrangements in scope, the final revised Guidelines have kept the more detailed requirements regarding the governance framework of the outsourcing process (conflict of interest policy, business continuity plans, role of the Internal Audit function, etc.).

However, the main changes between the draft and the final version that banks will need to be aware of are outlined below:

  • Change in date of application: The date of application has been changed to 30 September 2019 and the period for transitional arrangements has been extended to 31 December 2021.
  • Clarification regarding the scope of the Guidelines and their application to third countries: The Guidelines clarify that they apply to subsidiaries, including subsidiaries located in third countries that are not directly subject to the Guidelines but are covered by their requirements on a consolidated basis.
  • Definition of outsourcing arrangements: When a function that is normally performed by institutions is provided by a service provider, the arrangement should usually be qualified as outsourcing, even if the individual institution has not previously performed the function itself or would not be able to perform it. With this in mind, an element of time and duration has been added to the Guidelines: outsourcing arrangements should be recurrent or ongoing services.
  • Non-recurrent activities: The Guidelines have been amended to take into account the concept of non-recurrent activities. Purchases of goods (including software licences) are therefore not considered outsourcing arrangements.
  • Central monitoring body to oversee outsourcing arrangements: The Guidelines confirm that the management of outsourcing arrangements should follow the three lines of defence approach, i.e. first-line monitoring by the business, control by the second line of defence and, third, internal audit.
  • Audit rights and criticality of the outsourced function: The Guidelines clarify that audit rights are required, at a minimum, for critical or important functions.

As supervisors strengthen their toolkit (thematic reviews, on-site inspections, ex-ante supervisory approval for material activities), banks should continue to be aware of the regulatory focus on outsourcing. Banks should also be ready to support joint initiatives with the authorities on information sharing and on the identification of best practices.

Pierre Guerineau
EMA Financial Services
T: +49 69 9587-1224

Clive Briault
Senior Advisor
EMA Financial Services
Risk & Regulatory Insight Centre (RRIC)
T: +44 20 76948399