New EBA Outsourcing Guidelines Come Into Effect


The European Banking Authority (EBA) outsourcing guidelines came into effect on 30 September 2019. They are more prescriptive than the previous guidance and have a broader scope, applying to payment and e-money institutions for the first time. As before, they cover banks and those categories of investment firm that are subject to the Capital Requirements Regulation (in the UK, IFPRU firms). All outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019 should follow the guidelines, applied proportionately to the nature, scale and complexity of each business. For existing outsourcing arrangements, organisations have until the next contract renewal, or 31 December 2021 at the latest, to bring them into line.

Their purpose is to give financial institutions a single, harmonised set of rules for all outsourcing arrangements (including cloud outsourcing), whether to third-party service providers or intra-group. The guidelines replace the previous outsourcing rules published in 2006 by the Committee of European Banking Supervisors (which applied to credit institutions only) and integrate the EBA's cloud outsourcing recommendations, which applied from July 2018. Although the guidelines will not be incorporated into UK law, the Financial Conduct Authority has said it expects firms to continue to apply them to the extent that they remain relevant post-Brexit.

Stricter rules apply to the outsourcing of "critical or important functions". The guidelines include criteria to help firms identify critical outsourcing, broadly aligned with the definitions under MiFID II: a function is critical or important where a defect or failure in its performance would materially impair the firm's continuing compliance with the conditions of its authorisation or its other regulatory obligations, its financial performance, or the soundness or continuity of its services. There are additional requirements for particular scenarios, e.g. where the outsourcing involves cloud services, the service provider uses sub-contractors, the service provider is located in a third country, or there is a potential concentration risk.

Broadly, the requirements under the Guidelines for critical and non-critical outsourcing fall into two categories: (i) Governance requirements, which relate to a firm’s preparedness for the entering into and ongoing management of outsourcing arrangements; and (ii) Process requirements, which require specific steps to be taken in connection with a proposed outsourcing.

The governance requirements include: having a written outsourcing policy; maintaining a written register of all outsourcing arrangements; and, where critical or important functions are outsourced to a service provider located in a third country (which will include the UK after Brexit), checking that a cooperation agreement covering supervision is in place between the relevant regulators, with existing arrangements having until 31 December 2021 to meet this requirement. The FCA entered into a multilateral MoU with EU and EEA supervisors in February this year.

The process requirements include: carrying out a pre-outsourcing analysis, including appropriate due diligence and identification of the relevant risks; giving the regulator prior notice in the case of critical outsourcing; and satisfying specified contractual requirements for critical outsourcing arrangements, in particular on sub-contracting and audit rights.

Given that the new guidelines were published in February 2019, firms in scope should already be checking that their outsourcing governance frameworks are compliant, if they have not done so. Firms will also need to update their outsourcing templates and contract checklists so that new contracts are compliant from the outset. There is also the laborious task of identifying and reviewing all existing outsourcing agreements, recording them in the register, and negotiating any required amendments by the applicable renewal dates and in any case by the 31 December 2021 deadline. In turn, service providers to outsourcing firms should consider whether their service offerings meet the new requirements. In any event, we expect that providers will need to brace themselves for yet another set of updates to their existing outsourcing agreements over the coming months, following the recent rounds of BRRD- and GDPR-related addenda from the banks.

Sue McLean

Sue McLean is a partner in Baker McKenzie's Technology practice in London. Sue advises clients on a wide range of technology matters, including outsourcing, cloud computing, technology procurement, licensing and distribution, and digital and disruptive technologies including AI and blockchain. Sue has significant experience in advising clients in the financial services sector and is a member of the firm's FinTech group.

Mark Simpson is a partner in Baker McKenzie's Financial Services Group in London, specialising in advising financial institutions on regulatory and compliance matters.

Caitlin McErlane advises asset managers, banks, major corporates, exchanges, clearing houses and payment institutions on navigating UK and EU financial services regulation. She has particular experience in advising clients on operating in compliance with ongoing regulatory developments, including MiFID II, EMIR, the Investment Firms Regulation, ESG reforms, AIFMD and the Market Abuse Regulation.