Changes to outsourcing arrangements

The EBA published ‘Draft Guidelines on Outsourcing Arrangements’ in June 2018. These replace the ‘CEBS guidelines on outsourcing’ issued in 2006 and increase the scope to cover not only credit institutions and investment firms, but also payment and electronic money institutions.

What is changing?

The draft guidelines integrate the EBA’s ‘Recommendations on outsourcing to cloud service providers’ issued in December 2017, which will be repealed when the guidelines come into force.

The guidelines will apply to all outsourcing arrangements entered into/renewed on or after 30 June 2019.

What does this mean?

The proposed guidelines would mean firms need to increase their focus on:
  • Identifying critical or important outsourcing, considering the ‘substitutability’ of the outsourced arrangement.
  • Protecting the confidentiality, integrity and availability of data, including personal data. Also protecting the systems and arrangements for processing, particularly for IT outsourcing, including FinTech and cloud outsourcing.
  • Third country outsourcing and the importance of effective supervision. Competent authorities must ensure that institutions are not operating as ‘empty shells’, including when they use back-to-back or intra-group transactions to transfer market/credit risk outside the EU.
  • Concentration risk (by important service providers and critical or important functions), including through use of ‘dominant, non-easily substitutable services providers’.
  • Considering human rights, environmental protection and appropriate workers’ conditions as part of the due diligence process of outsourcing.
  • Documentation requirements for the outsourcing registers. Firms will need to share these with PRA/FCA at least every three years.
  • The role of internal audit as an effective Third Line of Defence.

Our approach

We intend to review our existing outsourcing arrangements to assess compliance with the draft guidelines, including revisiting our criticality criteria and the structure of our outsourcing register. We encourage partners to do the same. We will be looking at how we can support our clients with their due diligence, performance management, business continuity planning and testing for services we provide.

The impact of Brexit is unpredictable and this will be the case until the very last moment. However, it is our view that regardless of the outcome of Brexit, the outsourcing arrangements will remain a regulatory requirement as PRA and FCA see ‘outsourcing’ as a key component of the 3rd wave of supervision covering Operational Resilience.
