The EBA outsourcing guidelines came into effect on 30 September 2019. They are more prescriptive than the previous guidance and have a broader scope, applying to payment and e-money companies for the first time. All new outsourcing agreements entered into, reviewed or amended after 30 September 2019 should follow the guidelines taking into account questions of proportionality and the nature of each business. With respect to existing outsourcing arrangements, organisations have until their next contract renewal, or 31 December 2021 at the latest, to bring them into line.
The purpose of the guidelines is to provide greater harmonisation to financial institutions with one set of rules for all outsourcing arrangements (including cloud outsourcing), whether to third party service providers or intra-group. The guidance replaces previous outsourcing rules published in 2006 by the Committee of European Banking Supervisors, (which applied to credit institutions only) and integrate the EBA's cloud outsourcing guidance from July 2018. Although these guidelines will not be incorporated into UK law, the FCA has said it expects firms to continue to apply them to the extent that they remain relevant post-Brexit.
Who does the guidance apply to?
The revised guidelines apply to the organisations below ("Regulated Institutions"):
- credit institutions (i.e. banks);
- certain categories of investment firm, in particular those with permission to hold client money or deal on their own account (broadly, those that are subject to the Capital Requirements Regulation - in the UK, IFPRU firms); and
- payment and electronic money institutions, which will be caught by the requirements for the first time.
The guidelines do not directly apply to investment firms which are solely authorised to provide the services of arranging, advising, portfolio management or dealing as agent, and which are unable to hold client money or custody assets, although they will continue to be subject to the MiFID outsourcing regime. The guidelines also do not apply to credit intermediaries and certain non-bank creditors (e.g. non-bank consumer lenders), or to registered AISPs under PSD2. In addition, the guidelines do not apply to insurance companies, which are subject to a different set of outsourcing rules (under Solvency II) and which will need to continue to comply with the existing Solvency II and - in the UK - PRA rules (although note that earlier this year, the EIOPA issued a consultation on draft guidance on the use of cloud services in insurance and reinsurance and the proposed guidance closely mirrors the EBA guidelines), or to insurance intermediaries.
The EBA defines "outsourcing" as "an arrangement…between a [Regulated Institution] and a service provider by which that service provider performs a process, a service or an activity, or parts thereof that would otherwise be undertaken by the [Regulated Institution] itself". Each institution must determine whether an arrangement constitutes "outsourcing" or not. Stricter rules apply to the outsourcing of "critical or important functions" ("critical outsourcing"). The guidelines include criteria to help firms identify critical outsourcing and these are broadly aligned with the definitions under MiFID II, including where a defect or failure in the outsourcing services may materially impair the continuing compliance of firms' activities and obligations, financial performance, soundness or continuity of services. There are additional requirements for different scenarios e.g., where the outsourcing involves cloud services, the service provider uses sub-contractors, the service provider is located in a third country or where there is a potential concentration risk.
In broad terms, the requirements under the Guidelines for critical and non-critical outsourcing fall into two categories: (i) Governance requirements, which relate to a firm's preparedness for the entering into and ongoing management of outsourcing arrangements; and (ii) Process requirements, which require specific steps to be taken in connection with a proposed outsourcing.
Governance requirements. These include:
- Firms must have a written outsourcing policy: the guidelines include specific requirements for governance frameworks, emphasising that regulatory obligations can never be outsourced. In particular, Regulated Institutions must prepare a written outsourcing policy that documents, amongst other things, management responsibilities, monitoring, record keeping, and exit. Further governance measures are required in respect of conflicts of interest, business continuity and audit.
- Firms must maintain a written register: firms must record all outsourcing arrangements in a register. Where the outsourcing is a critical outsourcing, or involves cloud outsourcing, additional information needs to be recorded. The register must be made available to the regulator where required.
- Requirement for cooperation agreement: firms outsourcing to a service provider located in a third country, which will include the UK after Brexit, should ensure from 31 December 2021, that there is a cooperation agreement in place with respect to supervision arrangements (whether a MoU or supervisory college agreement) between their supervisors and the outsourcers'. The FCA entered into a multilateral MoU with EU and EEA supervisors in February this year.
Process requirements. These include:
- Firms must carry out pre-outsourcing analysis - Regulated Institutions must perform certain activities prior to engaging in an outsourcing, including assessing whether the outsourcing is a critical outsourcing, undertaking appropriate due diligence and identifying relevant risks.
- Firms have a duty to inform - when a Regulated Institution is planning to enter into a critical outsourcing, it must give the regulator prior notice. This involves providing certain information to the authority, including the reasons why the outsourcing is considered to be critical or important, information about the service provider, and, if a cloud outsourcing, certain information about the proposed agreement.
- Contractual requirements - the guidelines detail certain contractual requirements for critical outsourcing arrangements. These are described at quite a high level, allowing for some flexibility, and many Regulated Institutions would already include many, if not all of these, as a matter of course in their traditional outsourcing agreements (e.g. data privacy and security provisions, service levels and performance monitoring, insurance requirements, business continuity plan testing, appropriate termination rights and exit support). However, some requirements are more challenging in the context of cloud services, in particular:
- Sub-contracting - the contract must include provisions on whether or not "sub-outsourcing of critical or important functions" is permitted. If so, additional obligations regarding oversight and risk management will apply, including ensuring that the Regulated Institution has the right to object to any sub-outsourcing (or a right to expressly approve such sub-outsourcing) and a right to terminate the agreement in case of "undue sub-outsourcing" (e.g. where this materially increases the risks to the Regulated Institution or the provider sub-outsources without notification).
- Audit - the guidelines state that for critical outsourcings, the outsourcing agreement must include the right of "full access to all relevant business premises" and an "unrestricted right" of Regulated Institutions and competent authorities to "get any information needed with regard to the outsourcing and to access and audit the service provider". With a nod to the potential challenges with cloud services, the EBA acknowledges that audit rights could be exercised via pooled audits where multiple parties are given access to a provider's premises on a single visit and that certifications or internal audit reports may satisfy the audit rights requirements, but also states that firms should not solely rely on these reports over time.
What do you need to do?
- If not in hand already, given that the new guidelines were published in February 2019, Regulated Institutions will need to ensure that their outsourcing governance frameworks are made compliant with the new rules. Firms will also need to update their outsourcing templates and contract checklists to ensure new contracts that they enter into are compliant with the guidelines. There is also the laborious task of identifying, reviewing and maintaining a register of all existing outsourcing agreements and negotiating any required amendments by the applicable renewal dates and in any case by the 31 December 2021 deadline.
- Service providers to Regulated Institutions should also consider whether their service offerings meet the new requirements. In any event, we expect that the providers will need to brace themselves to receive yet another set of updates to their existing outsourcing agreements over the coming months, following the recent rounds of BRRD and GDPR-related addenda from the banks.