The revision of the 2006 CEBS Guidelines was needed because the scope and nature of outsourcing arrangements have changed over time. Outsourcing of IT processes and infrastructures, in particular, has become more common. If no additional safeguards are implemented, the concentration of IT services into a limited number of service providers could jeopardise the stability of the financial markets. Moreover, the CEBS guidelines covered credit institutions only, whereas the new draft guidelines aim to provide a more harmonised framework for all financial undertakings in the EBA’s regulatory perimeter and therefore include investment firms subject to CRD IV, payment institutions and electronic money institutions (the EBA refers to these four undertakings together as ‘institutions and payment institutions’).
Key areas addressed in the EBA’s draft guidelines:
- A definition of outsourcing has been introduced.
- Guidance on the criticality or importance of the outsourced function has also been added. Outsourcing of these critical or important functions is subject to stricter requirements, such as the obligation to notify the competent authority in advance.
- The guidelines apply on a solo, sub-consolidated and consolidated basis.
- The management body remains responsible at all times for the outsourcing. Institutions and payment institutions should ensure that sufficient resources are available to appropriately support and ensure the performance of that responsibility. This includes resources to oversee risks and manage the outsourcing arrangements; outsourcing may not be used to such an extent that it would lead to “empty shells” which no longer have the substance to remain authorised.
- The draft guidelines aim to clarify the supervisory expectations regarding outsourcing to service providers located in third countries – also relevant in view of a looming Brexit. In these situations, the same “no empty shell rule” applies. The outsourcing arrangements may not otherwise impede effective supervision, and institutions and payment institutions must take particular care to ensure compliance by third country service providers with EU legislation and regulatory requirements.
- Institutions and payment institutions should document, record and maintain a register of all current outsourcing arrangements, distinguishing the outsourcing of critical or important functions from other outsourcing arrangements. The guidelines prescribe rather comprehensive information requirements for this documentation.
- The EBA has flagged a concentration risk at single service providers. The need to monitor and manage this concentration risk is particularly relevant to certain forms of IT outsourcing, including cloud outsourcing, which are dominated by a small number of service providers. To reduce risks to the stability of the financial system, the draft guidelines aim to enable competent authorities to identify concentrations of outsourcing arrangements at service providers. This means that institutions and payment institutions should adequately inform competent authorities about planned outsourcing of critical or important functions; the documentation requirements mentioned above serve the same risk identification purposes.
The Dutch Central Bank (DNB) and the European Central Bank (ECB) have also recently given attention to outsourcing:
- On 25 June 2018, DNB published good practices for the management of outsourcing risks, for example in case of cloud computing. Additionally, following its 2017 stocktaking exercise on outsourcing and on managing outsourcing risks at insurers and pension funds, DNB also consulted the public on draft good practices for insurers (the consultation period closed on 30 June 2018).
- The ECB announced in its press release of 14 February 2018 that, in close cooperation with the EBA, it intends to complete the work on the thematic review on outsourcing with an ECB guide applicable to significant institutions. The ECB expects to launch a consultation on the draft guide in 2018.
We expect outsourcing to remain a hot topic from both a business and a regulatory perspective.