In previous articles, we informed banks and payment institutions about the implementation of the EBA’s new guidelines on outsourcing arrangements. These guidelines introduce new requirements and have a significant impact.
The old European guidelines on outsourcing date back to 2006. Those guidelines briefly set out general requirements for outsourcing arrangements. In recent years, outsourcing has played an increasingly important role in banks’ business operations. This is partly due to changing business models, technological advances and the need for corporate agility, which has also led to material activities being outsourced more often. In response to these developments, specific recommendations on outsourcing of cloud activities were issued in 2018. In 2019, the EBA issued new general guidelines on outsourcing arrangements. Financial institutions that have been granted a banking authorisation must comply with these guidelines by the end of December 2021.
The new requirements and conditions
The new guidelines impose stricter requirements on the outsourcing arrangements of banks and payment institutions. One of the main aims of the new guidelines is to avoid situations in which a financial institution becomes an ‘empty shell’ and to ensure that responsibility for the activities cannot be transferred.
In order to achieve this aim, the existing requirements concerning outsourcing have been fleshed out in the new guidelines. A number of new requirements have also been added. The new, tighter requirements are outlined in the tables below.
Some of the new guidelines
| Guideline | Description |
|---|---|
| Principle of proportionality | The individual risk profile, the nature and business model, and the scale and complexity of the activities must be taken into account when implementing the new guidelines. The complexity of the outsourced function and its criticality must also be taken into account. |
| Outsourcing function | Every institution is required to establish an outsourcing function or designate a senior staff member who is directly accountable to the management body and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution’s internal control framework and for overseeing the documentation of outsourcing arrangements. |
| Register of contracts | Every institution will have to maintain a register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels. The guidelines indicate which aspects need to be recorded in such a register. In this context, a distinction is made between the outsourcing of critical functions and the outsourcing of non-critical functions. |
| Business continuity | The guidelines explicitly mention the continuity requirements. Institutions and payment institutions must have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. |
| Role of internal audit function | The new guidelines set explicit requirements concerning the role and activities of the internal audit function with regard to outsourcing arrangements. |
| Risk assessment prior to outsourcing | The new guidelines contain clear, explicit requirements regarding the risk assessment and due diligence performed before an outsourcing arrangement starts. |
| Exit strategy | Institutions are required to prepare a documented exit strategy that is in line with their outsourcing policy and business continuity plans. |
Tightened and/or amended guidelines
| Old guidelines | New guidelines | Note |
|---|---|---|
| Material outsourcing | Critical function | The new guidelines refer to ‘critical’ outsourcing arrangements. This wording replaces the definition of “material activities” used in the old guidelines. The criteria for determining whether an outsourcing arrangement can be considered critical are explained in the guidelines. Stricter requirements apply to outsourcing arrangements that are considered critical. |
| Policy on outsourcing | Tightened outsourcing policy | The new guidelines impose additional requirements for the content of the outsourcing policy. |
| Written outsourcing contract | Tightened outsourcing contract | The new guidelines impose additional requirements regarding precisely what needs to be laid down in the outsourcing contract. |
| Ongoing risk monitoring and performance monitoring | More extensive requirements regarding regular risk monitoring and performance monitoring | Periodic updates to the risk assessment, and ongoing monitoring of supplier’s compliance with agreed performance and quality standards. |