Outsourcing business functions, including IT and data services, can have many benefits, such as reduced costs, more efficiency and the ability to quickly scale; however, outsourcing poses security risks to financial institutions’ internal controls, data management and data protection. 

Euro flagThe rise of outsourcing IT services, including the rapidly increasing use of cloud service providers, led the European Banking Authority (EBA) in 2019 to issue updated guidelines on outsourcing activities for various financial institutions. This oversight from the EBA applies particularly when important or critical functions are outsourced. 

In this blog series, we discuss these updated guidelines and how they apply to institutions with the ultimate goal of enabling you to gain a fundamental understanding of how these new guidelines apply to your organization. That said, don’t rely solely on this article when implementing these guidelines at your organization. While this article contains a thorough review of the guidelines, the specifics of how they apply will vary from organization to organization. Be sure to consult with your organization’s legal counsel and appropriate experts prior to implementing EBA/GL/2019/02. 

Rationale and Objective of the Guidelines

Objective

  • This Directive updates, and supersedes, the EBA’s guidelines issued in 2006 on outsourcing arrangements 

Scope

  • All requirements set out in this Directive are subject to the principle of proportionality. Requirements are to be applied in a manner that is appropriate, taking into account, in particular, an institution’s size and internal organization and the nature, scope and complexity of its activities 
  • This Directive covers the following entities (referred to throughout as “institutions” in this article, unless specified otherwise):
    • Credit institutions and investment firms subject to the Capital Requirements Directives (CRD)
    • Payment and electronic money institutions (sometimes singled out as “payment institutions” in this article)
    • Outsourcing arrangements between institutions when such entities act as an outsourcing service provider
  • Parent undertakings and subsidiaries subject to this Directive must meet the governance requirements not only on a solo basis but also on a consolidated or sub- consolidated basis, unless waivers for the application on a solo basis have been granted under Article 21 CRD or Article 109(1) CRD in conjunction with Article 7 of Regulation (EU) No 575/2013 (Capital Requirements Regulation; CRR)
    • Governance arrangements, processes and mechanisms must be consistent and well integrated and those subsidiaries not subject to the CRD must also be able to produce any data and information relevant for the purpose of supervision.
  • This Directive does not directly cover:
    • Credit intermediaries and non-bank creditors subject to Directive 2014/17/EU6
    • Account information service providers that are only registered for the provision of service 8 of Annex I of the PSD2

Relationship to Other Regulations

  • This Directive takes into account and is consistent with the current requirements under the CRD, Directive 2014/65/EU7 (MiFID II), Directive 2009/110/EC8 (Electronic Money Directive; EMD), the PSD2 and Directive 2014/59/EU9 (Bank Recovery and Resolution Directive; BRRD) and the respective delegated regulations adopted by the European Commission

A Summary of the General Requirements

This Directive requires institutions to: 

  • Implement these guidelines in conjunction with the EBA Guidelines on internal governance, on common procedures and methodologies for the supervisory review and evaluation process (SREP) and the EBA Guidelines on information and communication technology (ICT) risk assessment under the SREP
    • For payment institutions, implement these guidelines conjunction with the EBA Guidelines on the information to be provided for the authorization of payment institutions under Directive 2015/2366/EU3 (PSD2)
  • Never outsource to the point that the institutions become an “empty shell,” lacking the substance to remain authorized in the EU. 
  • Have robust internal governance in place, including a clear organizational structure
  • Determine which functions are critical or important and which are not
    • This Directive provides criteria to ensure that this determination is consistent across the EU and institutions subject to the EBA
    • Institutions should be aware that outsourcing of critical and important functions can have a strong impact on an institution’s risk profile
  • Conduct an initial risk assessment and ongoing monitoring. In these assessments, institutions must: 
    • Consider the following risks:
      • “Concentration risks” caused by:
        • Outsourcing multiple functions to the same service provider
        • Outsourcing critical or important functions to a limited number of service providers
      • Risks associated with:
        • The institution’s relationship with the service provider
        • An overreliance on outsourcing critical or important functions, including the:
          • Impact the conditions for authorization
          • Heightening of concentration risks
          • Risk of creating “empty shells” that would not be able to remain authorized
      • The risk caused by allowing for sub-outsourcing (i.e., fourth-party risk)
    • Effectively control and challenge the quality and performance of outsourced functions
      • Solely undertaking formal assessments of whether or not outsourced functions meet regulatory requirements is not sufficient
      • Additionally, relying solely on certifications (e.g., ISO 27001) is not appropriate when conducting risk assessments & ongoing monitoring of outsourced functions
  • Ensure that:
    • The election of a group entity is based on objective reasons
    • Effective day-to-day management by senior management or the management body (“management”) is in place
    • Management has effective oversight of the institution
    • Sound outsourcing policies and processes are in place
    • An effective internal control framework is in place and includes an outsourcing portion
    • All risks associated with outsourcing critical or important functions are:
      • Identified
      • Assessed
      • Monitored
      • Managed
      • Reported
      • Mitigated (as appropriate)
    • Appropriate plans exist for exiting from outsourcing arrangements of critical or important functions
      • e.g., plans for migrating to another service provider or bringing those functions in-house
    • Conditions of outsourcing arrangements and contracts:
      • Are set at arm’s length
      • Explicitly deal with conflicts of interest that such an outsourcing arrangement may entail
      • Guarantee the right to audit (i.e., guarantee the rights of resolution authorities, right to inspections and right to access to information, accounts and premises)
    • Competent authorities are engaged in a dialogue regarding planned outsourcing arrangements, particularly when critical or important functions are to be outsourced
    • When critical or important functions are outsourced to service providers that are located in third countries (i.e., outside of the EU), these service providers must be subject to additional safeguards that ensure that this outsourcing does not:
      • Increase in risk
      • Impair the ability of EU authorities to effectively supervise the institution
  • Include outsourcing concerns in business continuity and disaster recovery planning. The operational continuity of critical functions must be ensured even when in financial distress or during financial restructuring or resolution
  • Carefully pay attention to human rights and take into account the impact of their outsourcing on all stakeholders; this includes taking into account their social and environmental responsibilities
    • Such aspects are of particular relevance when service providers are located in third countries

Institutions should also be aware that:

  • Intragroup outsourcing is subject to the same regulatory framework as outsourcing to service providers outside the group
  • Outsourcing does not lower institutions’ obligation to comply with regulatory requirements and internal corporate values
  • While this Directive focuses on the outsourcing of critical or important functions, institutions need to assess and manage the risks (especially operational and reputational risks) involved in the outsourcing of all functions
    • Accordingly, this Directive provides some requirements that apply to all outsourcing arrangements and more generally to all arrangements with third parties, taking into account the application of the proportionality principle

Additional Requirements when Outsourcing IT, including to Fintech and Cloud Service Providers

Data loss, especially of trade secrets and personal data, can have a significant impact on an institution’s reputation and profits. Therefore, additional requirements are necessitated to ensure outsourced functions involving data don’t pose an undue risk to the institution or the EU as a whole. 

When outsourcing IT functions, regardless of if they’re critical or important functions, the Directive requires institutions to (and in addition to those mentioned above):

  • Ensure that:
    • This includes complying with the General Data Protection Regulation (GDPR). GDPR has its own requirements on outsourcing. We cover these requirements here
    • Security expectations should take into account the need, on a risk-based approach, to protect the data and systems
    • Personal data is adequately protected and kept confidential. 
    • They and their outsourced IT infrastructure and services meet internationally accepted information security standards (e.g., ISO 27001)
    • Some service providers, such as those who are outsourcing critical or important functions, have business continuity and contingency arrangements in place
    • The performance and quality of the services provided by cloud service providers are largely determined by the ability of the cloud service provider to appropriately protect the confidentiality, integrity and availability of data (in transit or at rest) and of the systems and processes that are used to process, transfer or store those data
  • Appropriately consider business continuity and data protection, not solely to outsourced IT functions but in general as well

Fourth-party Risk Management Related to EBA Guidelines

Increasingly, EU regulations require organizations to consider not just the risks posed by their vendor but also their vendors’ vendors. This Directive is no different. In particular, institutions must: 

  • Obtain ex ante notification from third-parties whenever a third-party plans to outsource critical or important functions
  • Obtain greater certainty about the conditions under which service providers can sub-contract
    • Because cloud service providers are more dynamic in nature than traditional outsourcing, this is particularly important when outsourcing functions to cloud service providers
  • Always have the right to terminate outsourcing contracts if planned changes to services, including such changes caused by sub-outsourcing, would have an adverse effect on the risk assessment of the outsourced services

Our next piece will discuss how organizations can oversee outsourced functions and exit strategies that can be used to halt the outsourced work.