
EBA Guidelines on Outsourcing


Presentation on the guidelines Creobis Regtech event

Published in: Law
  1. What are the consequences of the EBA Guidelines on the outsourcing arrangements for your digitalisation process? Regtech for compliance. Johan Vandendriessche, Brussels, 13 June 2019
  2. Introduction
     • Financial landscape
       • Traditional banking business model is under pressure
       • Challenge of digitalisation
       • New (disruptive) financial technology (fintech)
     • Outsourcing is a potential solution to obtain access to new technologies, cost reductions (economies of scale) and increased efficiency
     • Outsourcing risk = loss of control
  3. Introduction
     • Outsourcing framework on a European level (EBA)
       • 2006 Guidelines on outsourcing
       • 2017 Guidelines on cloud computing
       • 2019 Guidelines on outsourcing
     • Outsourcing framework on a national level (NBB)
       • Circular letter on outsourcing (2004)
       • Circular letters on cloud computing (2012) (2018)
     • Data protection may be an important issue as well
       • Contractual requirements governed by the GDPR, depending on the qualification of the parties
  4. Scope
     • Material scope: outsourcing arrangements, including cloud services
       • “an arrangement of any form […] by which a service provider performs a process, a service or an activity that would otherwise be undertaken by the [financial] institution […] itself”
       • Cloud services: NIST definition
     • NOT in scope (non-exhaustive)
       • Functions that are legally required to be performed by a service provider, e.g. statutory audit
       • Global network infrastructures
       • Clearing and settlement
       • Services not normally undertaken by the financial institution, e.g. cleaning, gardening, legal advice, clerical services, delivery of goods or utilities
  5. Scope
     • Critical or important functions
       • A defect or failure would materially impact:
         • Continuing compliance with authorisation or regulatory obligations
         • Financial performance
         • Soundness or continuity of banking and payment services and activities
       • Outsourcing of operational tasks or internal control functions (except if no impact)
       • Outsourcing of banking activities or payment services requiring an authorisation
     • Based on MiFID II/Solvency II/PSD2 wording
     • Criteria are provided in the Guidelines
     • To be combined with the risk assessment
  6. Application and transitional measures
     • Entry into effect: 30 September 2019
       • Applies on execution, review or amendment of an arrangement
     • Transitional measures
       • Review existing outsourcing arrangements by 31 December 2021
       • If not finalised for outsourcing arrangements of critical or important functions: inform the supervisory authority
       • Document all outsourcing arrangements (other than cloud) following the first renewal date, but no later than 31 December 2021
     • In practice:
       • Review pending outsourcing arrangements
       • Plan amendment of existing arrangements
       • Reviews and amendments of an outsourcing arrangement will trigger the immediate application of the Guidelines
  7. General principles
     • Responsibility of the management body may not be outsourced
       • E.g. risk strategy and policy, oversight by the management body
     • Proportionality
       • Guidelines should be applied in a manner consistent with, among others, the risk, nature, scale and complexity, as well as the criticality and impact on continuity
     • Group compliance
       • Application on sub-consolidated and consolidated level
       • No distinction between intra-group and extra-group outsourcing?
  8. Governance
     • Governance requirements
       • Third-party risk management, in particular cyber risks and requirements under the GDPR
     • Outsourcing arrangements
       • Management body remains fully responsible and accountable
         • Business decisions and day-to-day management
         • Oversight
       • Assignment of responsibilities
       • Documentation, management and control
       • Allocation of sufficient resources
       • Appointment of a senior staff member for reporting purposes
       • No ‘empty shells’
  9. Governance
     • Differentiated outsourcing policy
       • Critical or important functions and other outsourcing
       • Authorised service providers or not
       • Intra-group and extra-group outsourcing
       • Outsourcing within a member state and to third countries
     • Policy must include all main phases of the outsourcing arrangement
       • Responsibility of the management body
       • Involvement of business lines, internal control functions
       • Planning
       • Implementation, monitoring and management of the outsourcing arrangement
       • Documentation
       • Exit strategies
  10. Governance
     • Management of conflicts of interest
       • Particular attention in case of intra-group outsourcing
     • Business continuity planning should take into account the potential impact of outsourcing arrangements
     • Internal audit must remain intact (outsourcing remains in scope of its mission)
     • Documentation duty
       • Register of outsourcing arrangements (existing and ended): contract management tool
       • May be centralised
  11. Governance
     • Documentation duty for all outsourcing arrangements
       • Contract details
       • Service provider identification and location of service delivery and data
       • Criticality and assessment date
       • In case of cloud, details of the cloud service
     • For critical or important functions (among others)
       • Service recipients
       • Whether or not the outsourcing is intra-group
       • Decision-making body
       • Additional contract details
       • Audit details
       • Additional service provider details and alternative providers
       • Financial details
       • Risk assessment
  12. Outsourcing process
     • Pre-outsourcing process
       • Assess if the outsourcing arrangement concerns a critical or important function
       • Assess if supervisory conditions are met
       • Identify and assess all relevant risks
       • Undertake appropriate due diligence
       • Identify and assess conflicts of interest
  13. Outsourcing process
     • Due diligence
       • Suitability review of the service provider
       • Reinforced suitability review for critical and important functions
       • Particular attention, where relevant, to information security and data protection requirements
       • Focus on values and codes of conduct
         • Service provider
         • Subcontractors
  14. Outsourcing process
     • Contractual phase: written outsourcing agreement
     • Minimum content for outsourcing arrangements for critical or important functions
       • Description of the outsourced function
       • Duration and termination modalities
       • Governing law
       • Financial obligations
       • Rules on subcontracting
       • Localisation of the functions and/or data
       • Provisions on information security and data protection
  15. Outsourcing process
     • Minimum content for outsourcing arrangements for critical or important functions (continued)
       • Right to continuously monitor performance
       • Agreed service levels (quantitative and qualitative), effective remedies
       • Reporting obligations and proactive reporting for issues with material impact
       • Insurance
       • Obligation to implement business contingency plans
       • Provisions on data ownership and access in case of insolvency or discontinuation
       • Obligation for the service provider to cooperate with supervisory authorities
       • Unrestricted right to inspect and audit
  16. Outsourcing process
     • Broad termination possibilities
       • Breach of contract
       • Impediments capable of altering the performance of the outsourced function
       • Material changes to the service provider
       • Information security related issues
       • Instructions from the supervisory authority
     • Appears less strict compared with the NBB guidelines
     • Termination compensation?
  17. Outsourcing process
     • Exit strategies must exist and be documented
     • Broad approach
       • Classical case of termination
       • Failure of the service provider
       • Deterioration of quality and actual or potential business disruption
       • Material risk for the appropriate and continuous application of the function
     • Exit arrangements
       • Comprehensive exit plans
       • Alternative solutions (“step-in”)
  18. Supervisory authorities & supervision
     • Risk assessment based on a risk-based approach
       • Outsourcing register
       • Ad hoc information requests and on-site inspections
       • Risk analysis
       • Business continuity plans
       • Exit strategies
       • Monitoring and audit
     • Priority risks
       • Operational risk
       • Reputational risk
       • Concentration risks
       • Conflicts of interest
  19. Conclusion
     • EBA Guidelines contain more precise guidance building on previous guidance
       • Governance requirements
       • Outsourcing process
       • Contractual requirements
       • Supervisory authority assessment criteria
     • Adoption should be more swift
       • Outsourcing maturity
       • Service providers are more aware of prudential supervision issues
     • Guidelines may serve as a bargaining tool
     • Concentration risks?
  20. Regulatory compliance can also be a negotiation tool … Johan Vandendriessche, Partner | Affluo; Visiting Professor ICT & Data Protection Law | UGent | HoWest; Visiting Professor Information Security Law | Solvay Brussels School; +32 486 366 234