On 25 February 2019, the European Banking Authority (EBA) published its final guidelines on outsourcing arrangements (the Guidelines).

The Guidelines will replace the existing CEBS Guidelines on Outsourcing published in 2006. The EBA has also "integrated" its recent Recommendations on outsourcing to cloud service providers into the Guidelines.

10 things you need to know

The Guidelines represent a significant extension in the scope of existing EBA materials on outsourcing

The Guidelines apply not only to credit institutions and investment firms, but to authorised payment institutions (APIs) and e-money institutions (EMIs) which, up to now, have not been subject to detailed requirements related to outsourcing. 

The Guidelines also cover a broad spectrum of arrangements beyond critical and material outsourcings, including outsourcings which are not critical or material and even other service provision arrangements. The Guidelines provide a list of requirements that apply to all outsourcings and some requirements which apply to arrangements with third parties. 

The Guidelines specify that outsourcing must not lead to an institution becoming an "empty shell" lacking the substance to remain authorised. Sufficient resources must be in place to support and ensure performance of responsibilities. 

The Guidelines are more prescriptive than current outsourcing regulation

The Guidelines would go beyond the outsourcing requirements of current EU law (e.g. MiFID Org Regulation (EU 2017/565)). For example, the Guidelines contain specific documentary requirements, including: 

• maintaining a written outsourcing policy;
• maintaining a register of all outsourcing arrangements, with additional information requirements for critical or important functions, which should be available to the competent authority upon request; 
• mapping and recording all outsourcing risks; and
• providing a list of matters which should be covered in the contract governing the outsourcing including "the agreed service levels which should include precise quantitative and qualitative performance targets".

The Guidelines require firms to ensure that the firm, its auditors and its regulators are able to have "full access" and "unrestricted rights of inspection" in relation to the service provider, i.e. full access to premises, systems or data. 

The Guidelines highlight particular types of outsourcing risk

The EBA expects firms to factor into their risk assessments and establish additional safeguards where:

• service providers are located in third countries (i.e. the UK post 29 March 2019, subject to any transitional provisions) are inherently more risky than service providers located in Member States; 
• the firm is receiving IT services, even when those arrangements are not in fact outsourcings or are not categorised as critical or material; and
• service providers are subject to concentration risk. The need to monitor and manage this concentration risk is particularly relevant to certain forms of IT outsourcing, including cloud outsourcing, which are dominated by a small number of highly dominant service providers. 

Outsourcing registers need to cover all outsourcings, not just those that are critical/material

Firms will need to share these with their competent authority in a common database format on request. The Guidelines are prescriptive in the requirements which need to be maintained for the existing outsourcing arrangements, with additional information to be provided for the outsourcing of critical or important functions. 

Where outsourcing is provided by a service provider that is part of a group or an institutional protection scheme, the conditions, including financial conditions, should be set at arm's length, but there are limited exceptions where the same or similar services are provided to several institutions within a group or an institutional protection scheme.

Specific guidance for digital outsourcings

One of the key ways in which firms access and trial innovative technologies is through an outsourcing arrangement. The EBA set out additional guidance specific to technology outsourcings, for example for cloud services.

An individual in senior management must be accountable for outsourcing arrangements

For credit institutions, outsourcing is a PRA prescribed responsibility under the Senior Managers and Certification Regime. However, for APIs, EMIs, and investment firms which are not authorised by the PRA, this will be a new requirement with the expectation a senior member of staff will be responsible for managing and overseeing risks of outsourcing arrangements. 

There are new requirements for sub-contracting

EBA advises that firms explicitly set out in their outsourcing agreements whether or not they allow the sub-outsourcing of critical or important functions, or material parts of those functions. Where they do, there are additional obligations, which should be documented, around ensuring their oversight and management of the risks associated with sub-contracting arrangements. One of those obligations is to ensure, where appropriate, that the firm has the right to object to an intended sub-outsourcing or that an explicit written approval is required in order for it to go ahead. 

For outsourcing of functions of banking or payment services, where performance of the function requires authorisation or registration by a competent authority, then certain conditions must be met before services can be provided by a service provider located in a third country.

Integration with the Recommendations on outsourcing to cloud service providers 

Unlike other competent authorities, the Financial Conduct Authority (FCA) currently requires “banks, building societies, designated investment firms and IFPRU investment firms" to comply with the Recommendations rather than the FCA's domestic guidance. As the Recommendations are not faithfully reproduced in the Guidelines, this means a two-step implementation exercise.

30 September 2019 is the key date

If adopted by the UK regulators, the date of application is 30 September 2019 (with the exception of Guideline 63(b) which applies from 31 December 2021), which does not leave firms with much time to set up the governance and internal monitoring required by the Guidelines. 

The EBA expects firms to amend existing outsourcing arrangements to comply with the Guidelines by 31 December 2021 and there are no transitional/grandfathering provisions

Firms are expected to "complete" the documentation of all existing outsourcing arrangements (other than those to cloud service providers) in line with the Guidelines following either the first renewal date of the arrangement or 31 December 2021, whichever is earlier. Given that many outsourcing agreements can be for a 5 year term, this period would be inadequate and would require firms to initiate change in the control procedures and/or bring forward contract negotiations. If a review of outsourcing arrangements of critical or important functions is not concluded by 31 December 2021, the competent authority should be informed with the firms' planned measures or exit strategy to be implemented. 

10 things you need to do

• Revisit governance arrangements for outsourcing to consider them against the detail offered in the Guidelines. 
• Review existing outsourcing classifications to assess compliance with the Guidelines, including criticality criteria.
• Review and amend internal audit function's responsibilities to reflect the EBA's directions as to what the internal audit function should be looking at in the context of outsourcings.
• Design, review and/or update the outsourcing register (and management information flow used to populate it) to ensure that it records all current outsourcing arrangements and distinguishes the outsourcing of critical or important functions from other outsourcing arrangements and include the comprehensive information prescribed by the Guidelines. 
• Update the outsourcing policy to reflect the Guidelines, in particular, to include a compliance framework for each stage of the outsourcing from the decision to outsource to termination and exit.
• Update the business continuity plan to factor in outsourcing arrangements and include critical or important outsourcings into stress testing.
• Ensure there is a senior executive with responsibility for outsourcing arrangements. 
• Reconsider intra group outsourcings and whether the controls around them are robust enough to meet the Guidelines.
• Put in place a plan for the review of existing contracts based on their renewal date. This will need to factor in time to renegotiate elements of the contractual arrangement if they are non-compliant with the Guidelines.
• Consider the Guidelines in the context of Brexit planning.