What is the EBA?
The European Banking Authority (EBA) is an independent EU authority that aims to harmonise and supervise regulation in the banking sector across the EU.
Financial Services (FS) firms commonly outsource services and business functions, in particular IT and technology, and given that the majority of outsourced services are provided by a select few providers, the EBA has identified that there is a risk to the stability of financial institutions and markets if there are no safeguards in place to regulate the outsourcing process. A reminder of what can go wrong for financial institutions in outsourcing is the case of Raphaels Bank, which was fined by the FCA due to failures to comply with outsourcing rules.
What is new?
The EBA has issued the ‘EBA Guidelines on Outsourcing Arrangements’ (the Guidelines) which came into effect 30 September 2019. Other than an update for cloud service providers, this is the first EU-wide update to outsourcing guidelines for financial institutions since the CEBS Guidelines on outsourcing in 2006.
The Guidelines apply to financial institutions, but because the Guidelines cover the outsourcing procedure and mandate certain issues to be addressed in outsourcing agreements, suppliers will be indirectly affected by the new Guidelines. Under the Regulation that established the EBA (Article 16(3) of Regulation (EU) No 1093/2010), FS firms must make every effort to comply with the Guidelines.
We summarise below what both FS firms and outsourcing suppliers need to know about the new Guidelines.
What do FS firms need to know about the new Guidelines?
- For a start, the new Guidelines have extended the scope of institutions covered by EBA rules. As well as traditional banks and building societies, payment institutions and electronic money institutions must now make every effort to comply. Expanding the scope is intended to future-proof the Guidelines as financial institutions embrace new technology and adapt their business models, most notably through the utilisation of FinTech (see here for our recent post about the role suppliers are playing in the new wave of FinTech innovation).
- The Guidelines now distinguish between critical and non-critical functions for FS firms. Services are deemed critical if failure of the service could lead to impaired financial performance, regulatory non-compliance or a decrease in the soundness or continuity of the firm’s services. For the outsourcing of critical functions, there are stricter contractual and procedural requirements due to the higher risks involved should they fail.
- For all outsourcing agreements, contractual requirements include audit rights for the outsourced functions, agreeing appropriate IT and data security levels and detailing whether sub-outsourcing is permitted or not. For critical functions, increased requirements include full access and on-site audit rights for firms and their regulators. An FS firm outsourcing a critical function should ensure it has the right to approve any sub-outsourcing by its supplier and should require oversight of any sub-outsourcing it agrees to, so that contractual compliance by all parties can be verified.
- FS firms must also have in place a holistic outsourcing policy that is kept up-to-date and covers areas including risk assessment, implementation procedure, service monitoring and exit management. For critical functions, there should be documented processes for dealing with deterioration, failure and termination of the service to minimise the risk of disruption.
- Firms are now required to keep and maintain a record of all outsourcing agreements. This record can be accessed by financial authorities to monitor if institutions are becoming overly reliant on one supplier and gives financial authorities the power to intervene to manage risk in the sector.
- By 31 December 2021, FS firms must make every effort to ensure that all existing contracts have been updated to be compliant with the Guidelines. This could be a substantial task for large firms that must analyse all of their outsourcing agreements, make any amendments required, create a register of outsourcing agreements and produce an extensive outsourcing policy.
What do suppliers need to know about the new Guidelines?
- Outsourcing suppliers need to be aware that their FS customers will be reviewing their outsourcing agreements and should be prepared for requests to provide information and co-operate with institutions as they carry out this process. It is worth account teams balancing the desire to assist for the benefit of the overall account relationship with the cost and time impact of providing such assistance. While some suppliers might be able to develop a template response, suppliers may also have contractual rights in these situations, including the right to charge for such assistance. Ultimately, this will depend on a combination of provisions in the contract, including the audit clause, whether the definition of “Laws” with which the supplier is required to comply would include these Guidelines, and how changes in law are dealt with.
- They will also need to be aware that FS firms might request amendments to existing terms of outsourcing agreements in an effort to comply with the Guidelines and firms may take more rigid stances on areas such as regulator access rights in order to comply. Given the need for a sophisticated outsourcing policy, suppliers should also be prepared for the possibility of more rigid processes on entering into new outsourcing agreements.
A good understanding of the scope of these Guidelines will ensure FS firms are not in breach of their regulatory obligation to make every effort to comply. For suppliers, a good understanding will ensure they are well placed to understand the needs of their FS clients going forward.