Three months ago, the European Banking Authority (EBA) opened a public consultation on new draft outsourcing guidelines (Draft Guidelines), which closes on 24 September 2018. The main purpose of the Draft Guidelines is to provide financial institutions with a harmonized framework for managing risks and regulatory responsibilities when they outsource the performance of their functions to third parties.
These guidelines are intended to replace the existing outsourcing rules published in 2006 by the Committee of European Banking Supervisors (CEBS), which apply to credit institutions only. As well as modernizing the CEBS guidelines, the aim of the Draft Guidelines is to “establish a more harmonized framework for all financial institutions that are within the scope of the EBA’s mandate.” The new rules will apply to credit institutions, and, for the first time, investment firms, payment institutions, and electronic money institutions (together, Regulated Institutions).
Regulated institutions and their suppliers take note
We encourage Regulated Institutions to review the consultation paper and Draft Guidelines closely. Whilst a number of its concepts will be familiar to credit institutions that are already covered by the CEBS Guidelines, investment firms, payment institutions and electronic money institutions may need to consider implementing additional governance mechanisms to ensure that they can meet the requirements of the Draft Guidelines.
Suppliers of outsourcing and cloud services would also be well advised to consider whether their standard offerings to Regulated Institutions meet the requirements set out in the Draft Guidelines. Although the Draft Guidelines are subject to this consultation process, it’s worth noting that for the most part, the responses that the EBA received on its previous draft guidance on cloud outsourcing did not result in material changes to the guidance.
Business continuity a given with the EBA
It’s clear from the Draft Guidelines that the EBA expects financial institutions to take seriously their obligation to ensure operational continuity throughout their supply chains. In this regard, the EBA’s consultation is consistent with the UK Financial Conduct Authority’s 2018/19 Business Plan, which identifies data security, resilience and outsourcing as a cross-sector priority and emphasizes that a key area of focus is ‘outsourcing arrangements where the service provider supports many firms and so the impact of any disruption is magnified.’ It is also consistent with an operational resilience discussion paper published in July 2018 by the FCA, PRA and Bank of England, which recognized that while the outsourcing of certain functions has some benefits for Regulated Institutions, it can also give rise to new risks.
The Draft Guidelines will also “integrate” the EBA’s cloud outsourcing recommendations which were finalized in December 2017 and have applied since the start of July 2018. As with the CEBS guidelines, the cloud outsourcing recommendations will be repealed when the Draft Guidelines come into force.
On that topic, it’s a little surprising that, having only completed the cloud guidance in December 2017 and with the recommendations having only come into force on 1 July 2018, the EBA has decided to incorporate cloud services into the Draft Guidelines. Although there are obvious benefits to having a single set of principles governing all outsourcing activities, it remains to be seen whether the Draft Guidelines are appropriately tailored to address the specific practical issues associated with the use of cloud technologies (e.g. competing tensions around the scope of audit rights) which have to date inhibited the financial services sector’s uptake of cloud services.
Final guidelines are up next
Following the conclusion of the consultation process, the EBA intends to publish the final guidelines, which will apply to outsourcing arrangements entered into on or after 30 June 2019. Although the date proposed at present is indicative and may change, after the recent extensive exercises to amend contracts for General Data Protection Regulation (GDPR) compliance, we expect that Regulated Institutions will at least welcome the fact that these guidelines will not have retrospective effect.