On 25 February 2019, the European Banking Authority (EBA) published its final revised Guidelines on outsourcing arrangements.
The Guidelines will apply from 30 September 2019 and are addressed to competent authorities - including the European Central Bank (ECB) - as well as credit institutions, payment institutions and electronic money institutions. Once applied, the final Guidelines will repeal the 2006 guidelines on outsourcing and the EBA’s recommendation on outsourcing to cloud service providers.
These Guidelines echo the ECB’s supervisory priorities for 2019, which focus on IT and cyber risks via targeted on-site inspections and the continuation of the SSM cyber reporting process. They are also consistent with the PRA’s supervisory expectations on outsourcing and on operational resilience more generally. Furthermore, they are complementary to other related regulatory requirements such as the recent EBA Guidelines on ICT and security risk management or the EBA recommendations on outsourcing to cloud service providers. This mounting volume of ICT-related publications demonstrates the increasingly strong regulatory and supervisory focus on all aspects of operational resilience.
The final revised Guidelines come at a time when the fast-changing technological landscape is already challenging the banking sector, in a low interest rate environment in which outsourcing can be an opportunity for banks to reduce costs and improve their efficiency.
The EBA thus acknowledges the continued importance of new financial technology providers that are leading financial institutions to adapt their business models. This change in traditional banking business models has triggered the need for updated guidance on governance, risk management and other security measures related to outsourcing.
The final revised Guidelines have kept many of the main themes that the draft Guidelines specified, such as providing additional guidance on which arrangements with third parties should be considered as “outsourcing” and which criteria should be taken into account for the identification of critical or important functions. Furthermore, for the outsourcing arrangements in scope, the final revised Guidelines have kept the more detailed requirements regarding the governance framework of the outsourcing process (conflict of interest policy, business continuity plans, role of the Internal Audit function, etc.).
However, the main changes and updates that banks will need to be aware of and keep in mind between the draft and the final version are outlined below:
Facing the reinforcement of the supervisors’ weaponry (thematic reviews, onsite inspections, ex-ante supervisory approval for material activities), banks should continue to be aware of the regulatory focus on outsourcing. Banks should also be ready to support joint initiatives with the authorities on information sharing and on the identification of best practices.