The Ukrainian legislature and regulators consistently work on improvements to the legal framework, applicable to engagement of technology providers by incumbent financial institutions. Given this, the Ukrainian central bank (NBU) has adopted a new risk management regulation for Ukrainian banks containing a chapter on outsourcing a couple of years ago. The NBU indicated that banks must adopt internal policies on outsourcing companies’ engagement process to manage operational risk. This evidenced that incumbents increasingly engaged third parties to assist with their internal IT and business processes.
It comes as no surprise, because Ukraine is emerging as a tech savvy nation with its IT industry recently recognized as among the top three in terms of GDP contribution. Many Ukrainian companies have been listed among the top 100 of the best outsourcing providers by IAOP. This is also mentioned in a 2018 industry research paper, where financial services organizations have been observed as continuing to be the largest buyers of outsourcing services, accounting for ~20% of the total market.
This year, the Ukrainian legislature aims to improve the legal framework further. The NBU recently commenced a public consultation with respect to a draft law on financial services (available in Ukrainian), designed as a general legal framework for the industry. The objective is for this framework to be adopted, together with a set of detailed “deep dive” laws on particular financial services sectors. This draft defines both “outsourcing” and “out staffing.” It indicates that financial services firms can outsource certain types of its activity, as well as its key processes and functions, which facilitate its business. Moreover, the detailed rules for such outsourcing will be provided in the aforementioned laws and secondary legislation. This means that a financial services firm will need (i) to inform a regulator about its intention to outsource its internal processes and (ii) to make sure that outsourcing agreement meets the requirements set out by the same regulator.
The NBU also published, for public consultation, one of the aforementioned “deep dive” draft laws on payment services (available here in Ukrainian). This draft contemplates implementing a number of EU legislative instruments, including certain aspects of the Second Payment Services Directive. Thus, the draft indicates that a payment services provider (PSP) may engage a third party to carry out certain internal operational functions.
That said, a PSP must ensure that this does not affect the quality of its services. Importantly, such third party may render similar services to many PSPs at the same time, which indicates that legislature recognizes that rather mature outsourcing industry working with the payments market already exists. In terms of application of technology in the financial sector, Ukrainian legislature and regulators appear to follow the global regulatory trends. In particular, they seem to adopt the EU’s approach to outsourcing, with stricter rules applying to critical or important functions. Thus, the draft payment services law indicates that in case PSPs intend to outsource an important function, they must ensure proper internal controls and the ability of the NBU to control rendering of its services. Likewise, the draft financial services law indicates that outsourcing should not prevent the regulator to oversee the activity of the firm. However, it remains to be seen how the regulatory framework will evolve in a number of other envisaged draft laws concerning the other financial services sectors.