Are your Third-Party Arrangements Compliant with EBA Outsourcing Guidelines already?
Are you a compliance professional at a credit institution, a payment institution or an electronic money (e-money) institution, or at a third-party provider to such an institution?
If so, have a quick look at this compliance reminder in view of the forthcoming deadline on 31 December 2021.
On 30 September 2019, the European Banking Authority’s (“the EBA”) revised guidelines[1] regarding outsourcing arrangements (“the Outsourcing Guidelines” or “the Guidelines”) entered into force. Pursuant to the Guidelines, regulated institutions are obliged to comply with the relevant governance frameworks regarding outsourcing arrangements, the rules concerning the contractual requirements for outsourcing arrangements, and any related supervisory expectations and processes. Specifically, the Guidelines set out contractual requirements for matters such as termination of contracts, subcontracting and audit procedures.
The requirements are mandatory for all outsourcing agreements executed after 30 September 2019, while existing agreements have to be revised. As of 31 December 2021, the EBA Outsourcing Guidelines will apply fully to all existing outsourcing arrangements, irrespective of their entry into force.
Unless you have already completed the assessment exercise on your existing outsourcing arrangements, you should flag the remaining six-month period until 31 December 2021 and use it to negotiate, amend and align your contractual arrangements, together with your governance rules and policies, so that they comply with the EBA Outsourcing Guidelines.
The name of the game – scope of application
The Guidelines apply to all credit institutions[2], payment institutions[3] and e-money institutions[4] (hereinafter referred to as “the Addressees”) that outsource key functions to third-party service providers. The service providers must in turn meet the higher qualitative criteria within the Guidelines, as a means of protecting the regulated entities and their clients from operational failures and risk exposure.
The fundamental objective of the Guidelines is to safeguard the operational viability of Addressees against deficiencies stemming from inadequate third-party supplier risk assessment, weak corporate governance or contractual imbalances. Each of these issues may jeopardise the smooth business operation of the regulated entities or their service providers if not adequately addressed on a contractual and organizational level.
What do the EBA Outsourcing Guidelines stand for?
The Guidelines provide a complete set of tools to mitigate the risks arising out of outsourcing arrangements between regulated institutions and third-party service providers. However, they do not contain specific provisions or ready-made procedures per se; each regulated institution must evaluate its own business activities, operational structure, association policy and third-party partnerships, and then implement the Guidelines through an individual approach.
Key in this regard is the so-called proportionality principle. Each existing or new outsourcing agreement between an Addressee and a third-party service provider must be renewed or executed following a self-developed, compliance-oriented approach on the part of the institution. As a minimum, this approach shall contain a detailed assessment of the following aspects of a proposed outsourcing agreement with a service provider: (1) the complexity of the tasks or functionalities being outsourced; (2) their importance within the operational process of the institution; (3) the risk allocation; and, crucially, (4) the potential impact of the outsourcing arrangement on the institution’s critical or important functions.
In short, regulated institutions must develop a comprehensive risk-governance framework in alignment with the Guidelines with respect to their outsourcing arrangements.
Risk-Governance Framework
The risk-governance framework allows the Addressees to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented.
The framework is developed and applied by the management body of the regulated institution. It must extend through all business lines and the internal corporate structure and provide a specific set of rules, procedures and guarantees for the operational capacity of the institution. Specific measures in this regard include the establishment of a clear corporate management chain, the adoption of a written outsourcing policy, the assessment of potential conflicts of interest and the development of business continuity plans.
Accordingly, these safeguards underpin the manner in which each institution engages with an external third-party service provider. With respect to their internal governance, Addressees must also take action to mitigate risk. Particular attention should be given to audit and documentation requirements.
The internal audit unit of the regulated institution must assess whether the risk-governance framework has been adequately applied. The evaluation covers the Addressee’s relationship with the prospective third-party service provider, the proper involvement of the management bodies, and alignment with the outsourcing policy. Furthermore, the audit unit must perform a detailed impact assessment with regard to the critical and important functions of the institution.
In terms of documentation, Addressees shall adopt a designated policy addressing the processing, organization and archiving of documents, along with registers relating to the outsourcing agreements. The latter are discussed further below.
Risk assessment and identification of critical and important functions
The assessment has to cover the scenarios of possible risk events, along with the potential impact of failed or inadequate provision of services and of operational impediments caused by processes, systems, people or external events. Institutions have to consider the benefits and costs of the proposed outsourcing arrangement. The identified risks should be grouped into categories and evaluated by the level of hazard they pose to the operational capacities of the Addressees.
Examples of such categories include concentration risks[5], risks that may result from the need to provide financial support to a service provider in distress or to take over its business operations, and crucially, potential risks to what the Guidelines define as “critical or important functions” of the institutions.
The criteria for evaluating whether a function is critical or important are based on ensuring that regulated institutions meet a set of minimal operational requirements. For instance, where a defect or failure of a certain function would materially impair their continuing compliance with the applicable authorisation conditions or other specific regulatory legislation[6], the function in question shall always be deemed “critical”. Other examples in this regard include functions related to the financial performance or the soundness or continuity of their banking and payment services and activities.
Finally, upon identifying the critical and important functions, institutions have to perform a further impact assessment regarding any existing or proposed third-party outsourcing agreement. Addressees must consider whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which they are authorized, the effects of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis, the potential impact on the services provided to their clients, as well as other relevant factors.
Register of outsourcing agreements
Addressees are obliged to maintain a register containing information about all outsourcing arrangements into which the institution has entered. The register is to include extensive information covering the totality of the outsourcing process, such as business information regarding the service provider, the outsourced functions and their classification, as well as the data that is being outsourced to the service provider and whether it constitutes, or partly comprises, personal data.
The Guidelines also contain a set of minimum information requirements for cases where the outsourced function is classified as critical or important. Regulated institutions must observe these requirements and make available upon request to any competent authority either the full register of all existing outsourcing arrangements or specified sections thereof. In addition, they must also observe specific notification obligations, such as notifying the planned outsourcing of critical or important functions.
Outsourcing Policies
Pursuant to the Guidelines, Addressees are obliged to develop and implement written outsourcing policies regarding all prospective outsourcing arrangements. The policy should cover the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. Among other considerations, the outsourcing policy must also contain the business requirements regarding outsourcing arrangements, procedures for due diligence checks on prospective service providers, and the criteria and processes for identifying critical or important functions.
In addition, the outsourcing policy has to be extensive enough to provide sufficient guidance beyond the execution of individual agreements. It must cover issues such as the subcontracting of outsourced functionalities by service providers (including comprehensive rules for the outsourcing of critical functions), information and audit rights, termination rights and exit strategies. Different scenarios, including the likelihood of complete termination of services, must be taken into account and provided for within the policy in order to guarantee the operational stability of the regulated institutions.
Review and re-negotiating outsourcing agreements
As mentioned before, the Outsourcing Guidelines will become mandatory for all relevant institutions as of 31 December 2021. By that date, all existing outsourcing agreements have to be aligned with the requirements of the Guidelines. The majority of these requirements are aimed at mitigating risks by placing safeguards at an organizational level. Thus, any potential changes would affect not only specific agreements with service providers but the operational soundness of the regulated institution as a whole. Consequently, compliance with the Guidelines and any potential organizational changes must be assessed and planned in a timely manner by both institutions and service providers.
A useful tool for ensuring alignment with the Guidelines is a compliance checklist or matrix, with which Addressees can readily assess and evaluate the viability of individual outsourcing agreements.
What to watch out for?
Critical and important functions
The implementation of the Guidelines requires a detailed and holistic approach on the part of regulated institutions in order to create an independent internal ecosystem for the mitigation of risk. In this regard, it is crucial for regulated institutions to properly analyse and ascertain their critical and important functions pursuant to the definitions within the Guidelines.
Only once these are clearly identified should institutions proceed with the development and implementation of the Guidelines’ set of procedures and requirements. Furthermore, the developed risk-governance framework should be periodically examined and revised to reflect external changes in the business environment or internal restructuring.
Intra-group outsourcing
Intra-group outsourcing, and the adequate management of the potential conflicts of interest it entails, shall follow a sound conflict-of-interest policy aimed at mitigating group exposures.
Security in ICT outsourcing agreements
Particular importance is also given to the implementation of proper security measures for the computer systems and data of the institutions. In this regard, the EBA has issued a separate set of guidelines[7] regarding ICT and security risk management (“the ICT Guidelines”), which became mandatory as of 30 June 2020. These guidelines introduced a complete set of new obligations with respect to information security. Both the Outsourcing Guidelines and the ICT Guidelines are mandatory and must be observed by regulated entities.
Securing uninterrupted and undisturbed continuation
The review of the contractual documentation shall be conducted with a special focus on the termination, successorship and party-substitution clauses.
It is strongly recommended to cover the risk of business interruption at a service provider by appropriate insurance and/or adequate guarantees.
Clear and documented audit trail and secured auditors’ access
While it is obviously in the best interest of the Addressees’ smooth business operation to align their contractual relations with third-party service providers with the EBA Outsourcing Guidelines, institutions should also prepare for a potential audit by regulatory authorities. Consequently, they have to put in place clear and precise documentation policies and corporate practices regarding the application of the risk-governance framework and adherence to the pertinent legislation. Detailed documentation of business activities and internal processes will further mitigate risk and help to demonstrate regulatory compliance in the event of internal audits or external audits by competent regulatory authorities.
To that end, any relevant contractual documentation shall be thoroughly reviewed and, if necessary, re-negotiated. It should be complemented with well-documented performance and reporting procedures and outputs, which would enable the Addressees to face any regulatory assessment or inspection with minimum exposure and to prevent regulatory intervention.
So far, so good – just be ready and mind the deadline of 31 December 2021.
Footnotes:
[1] EBA Guidelines reference No. EBA/GL/2019/02.
[2] As defined within Regulation (EU) No. 573/2013 of the European Parliament and the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms.
[3] As defined within Directive (EU) 2015/2366 of the European Parliament and the Council of 25 November 2015 on payment services in the internal market.
[4] As defined within Directive 2009/110/EC of the European Parliament and the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions.
[5] Such as outsourcing to a dominant service provider that is not easily substitutable.
[6] Directive 2013/36/EU; Regulation (EU) No 575/2013; Directive 2014/65/EU; Directive (EU) 2015/2366 and Directive 2009/110/EC.
[7] EBA Guidelines Reference No. EBA/GL/2019/04.