The European Banking Authority outsourcing guidelines came into effect on 30 September 2019. They are more prescriptive than the previous guidance and have a broader scope, applying to payment and e-money companies for the first time. As before, they cover banks and certain categories of investment firm that are subject to the Capital Requirements Regulation – in the UK, IFPRU firms. All new outsourcing agreements entered into, reviewed or amended after 30 September 2019 should follow the guidelines, taking into account questions of proportionality and the nature of each business. For existing outsourcing arrangements, organisations have until their next contract renewal, or 31 December 2021 at the latest, to bring them into line.
Their purpose is to provide greater harmonisation for financial institutions, with one set of rules for all outsourcing arrangements (including cloud outsourcing), whether to third party service providers or intra-group. The guidance replaces the previous outsourcing rules published in 2006 by the Committee of European Banking Supervisors (which applied to credit institutions only) and integrates the EBA’s cloud outsourcing guidance from July 2018. Although these guidelines will not be incorporated into UK law, the Financial Conduct Authority has said it expects firms to continue to apply them to the extent that they remain relevant post-Brexit.
Stricter rules apply to the outsourcing of “critical or important functions.” The guidelines include criteria to help firms identify critical outsourcing, and these are broadly aligned with the definitions under MiFID II, including where a defect or failure in the outsourced services may materially impair the firm’s continuing compliance with its activities and obligations, its financial performance, or the soundness or continuity of its services. There are additional requirements for particular scenarios, e.g. where the outsourcing involves cloud services, the service provider uses sub-contractors, the service provider is located in a third country, or there is a potential concentration risk.
Broadly, the requirements under the guidelines for both critical and non-critical outsourcing fall into two categories: (i) governance requirements, which relate to a firm’s preparedness for entering into and managing outsourcing arrangements on an ongoing basis; and (ii) process requirements, which require specific steps to be taken in connection with a proposed outsourcing.
Given that the new guidelines were published in February 2019, firms in scope will need to check, if they have not already done so, that their outsourcing governance frameworks are compliant. Firms will also need to update their outsourcing templates and contract checklists to ensure that the new contracts they enter into are compliant. There is also the laborious task of identifying, reviewing and maintaining a register of all existing outsourcing agreements, and of negotiating any required amendments by the applicable renewal dates and in any case by the 31 December 2021 deadline. In turn, service providers to outsourcing firms should also consider whether their service offerings meet the new requirements. In any event, we expect that providers will need to brace themselves to receive yet another set of updates to their existing outsourcing agreements over the coming months, following the recent rounds of BRRD and GDPR-related addenda from the banks.