As of today, credit institutions, MiFID investment firms, e-money institutions and payment institutions must maintain a register of outsourcing agreements that can be made available to the FCA on request and new arrangements must meet the European Banking Authority (‘EBA’) Guidelines. Existing arrangements must be made compliant by the end of 2021.
Mindful of the increased use of outsourcing, and keen to bring payment and e-money institutions into scope, the EBA has published guidelines that will give the regulators more clout in enforcement, something we have seen the FCA is keen to do as evidenced by the £1.9m fine imposed on one of the UK’s oldest lenders, Raphael’s Bank before the summer.
We have been helping firms bake in good practice and this blog will help you understand what is expected of you by answering some of the questions our clients are asking us.
So, what has changed?
In recent years, outsourcing to a third party, in order to reduce costs and improve efficiency and flexibility, has become very popular. We have seen this practice widely adopted among our clients and across the industry, especially in relation to IT and data services.
Despite its benefits, outsourcing IT and data services poses security issues and challenges to the governance framework of institutions, particularly internal controls as well as to data management and protection.
Who is impacted by the guidelines?
The EBA has cast a wide net to bring payment and e-money institutions in alongside credit institutions and those providing or performing investment activities. For simplicity, I will refer to the entities mentioned collectively as “institutions.”
The new guidelines will repeal the outsourcing guidelines previously issued by the Committee of European Banking Supervisors, the predecessor to the EBA, in 2016 (which only applied to credit institutions) and they also repeal the recommendations on cloud outsourcing published in March 2018 by the EBA (which only applied to credit institutions and MiFID investment firms.).
I will outline some of the requirements of the guidelines next, but first, let’s cover a few definitions.
Outsourcing is an arrangement of any form between an institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution itself.
Critical or important function means any function that is considered critical or important in a situation where a defect or failure would “materially impair” their continuing compliance with the conditions for authorisation, financial performance, or the soundness or continuity of the banking or payment service. A firm should decide whether a function is critical or not by considering, for example:
- whether the outsourcing agreement is directly connected to the provision of banking activities or payment services; or
- the significance of any disruption to the outsourced function or failure of the service provider to the short- and long-term financial resilience of your firm.
Finally, a service provider is a third party that is undertaking an outsourced process, service or activity under an outsourcing agreement.
So, what practical steps do I need to take?
You should have already an enterprise-wide risk management framework extending across all business lines and internal units in place. Under that framework, institutions should identify and mitigate the risks posed to their business which should include the risks inherent in arrangements with third parties.
The outsourcing of such functions cannot result in the delegation of the management body’s responsibilities. Whilst firms can delegate the function, they cannot delegate their responsibility and accountability for complying with their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions.
The EBA also states that as part of this enterprise-wide risk management framework, institutions should establish an outsourcing function or designate a senior staff member who is directly accountable to the management body with respect to outsourcing but measures should be proportionate to the nature, scale and complexity of your firm. For small and less complex institutions, for example, they may assign the outsourcing function to a member of their management body.
- Outsourcing Policy
The management body must approve, regularly review and update a written outsourcing policy. The guidelines stipulate that the outsourcing policy should define the principles, responsibilities and processes in relation to outsourcing and should cover, for example, the responsibilities of the management body, the involvement of business lines, the planning of outsourcing arrangements, including risk identification, assessment and management and due diligence checks on potential service providers.
The policy should differentiate between the outsourcing of critical or important functions and other outsourcing arrangements. A clear distinction must also be made between authorised service providers and non-authorised.
With intragroup outsourcing arrangements, the EBA is particularly concerned institutions take into account conflicts of interest that may be caused by outsourcing arrangements.
- Outsourcing Register
You will also need to maintain an updated register of information on all current outsourcing arrangements, distinguishing between critical, important and other outsourcing arrangements. If you are part of a wider group, a register can be maintained centrally.
The EBA guidelines outline the information requirements, such as the start date and the next renewal date, the identity of the service provider, the country or countries where the service is going to be performed.
- Outsourcing process
Institutions should carry out a pre-outsourcing analysis, basically sensible checks, before entering into the outsourcing agreement.
In the outsourcing agreement, the rights and obligations of the institution and the service provider should be clearly allocated and set out in a written agreement.
How fscom can help you
This is a summary of some of the more potentially burdensome requirements, but if you would like help to understand the implications of the Guidelines on your firm, please get in touch with our experts today.