25 February 2019
The European Banking Authority (EBA) published today its revised Guidelines on outsourcing arrangements setting out specific provisions for the governance frameworks of all financial institutions within the scope of the EBA's mandate with regard to their outsourcing arrangements and related supervisory expectations and processes. The aim of the Guidelines is to establish a more harmonised framework for these financial institutions, namely credit institutions and investment firms subject to the Capital Requirements Directive (CRD), as well as payment and electronic money institutions. The recommendation on outsourcing to cloud service providers, published in December 2017, has also been integrated into the Guidelines.
In the context of digitalisation and given the increasing importance of new financial technology (Fintech) providers, financial institutions are adapting their business models to embrace such innovations. Some have intensified the use of Fintech solutions and have launched projects to improve their cost efficiency also in response to the intermediation margins of the traditional banking business model being put under pressure by the low interest rate environment. Outsourcing is a way to get relatively easy access to new technologies and to achieve economies of scale.
The new Guidelines, which are consistent with the requirements on outsourcing under the Payments Services Directive (PSD2), the Markets in Financial Instruments Directive (MiFID II) and the Commission's Delegated Regulation (EU) 2017/565, aim at ensuring that institutions can apply a single framework on outsourcing for all their banking, investment and payment activities and services. Such a framework also ensures a level playing field between different types of financial institutions.
In particular, the Guidelines clarify that the management body of each financial institution remains responsible for that institution and its activities at all times. To this end, the management body should ensure that sufficient resources are available to appropriately support and ensure the performance of those responsibilities, including overseeing all risks and managing the outsourcing arrangements. Outsourcing must not lead to a situation in which an institution becomes an ‘empty shell' that lacks the substance to remain authorised.
Particular challenges to ensure the effective supervision of institutions and payment institutions exist when functions are outsourced to service providers located in third countries. Financial institutions are expected to ensure compliance with EU legislation and regulatory requirements (e.g. professional secrecy, access to information and data, protection of personal data) in particular regarding critical or important functions outsourced to service providers.
In this respect, the Guidelines specify which arrangements with third parties are to be considered as outsourcing. The Guidelines differentiate between requirements on critical and important outsourcing arrangements and other outsourcing arrangements Outsourcing of critical and important functions has a higher impact on the institutions' and payment institutions' risk profile. Hence, the requirements are stricter as compared to the requirements for other less risky outsourcing arrangements.
Finally, competent authorities are required to effectively supervise financial institutions' outsourcing arrangements, including identifying and monitoring risk concentrations at individual service providers and assessing whether or not such concentrations could pose a risk to the stability of the financial system. To identify such risk concentrations, competent authorities should be able to rely on comprehensive documentation on outsourcing arrangements compiled by financial institutions.
Article 74 (1) of CRD requires that institutions must have robust governance arrangements, which include a clear organisational structure. Outsourcing arrangements are one aspect of institutions' and payment institutions' organisational structure. Paragraph (3) of that Article mandates the EBA to issue Guidelines on those arrangements, processes and mechanisms.
Under Article 16 of Regulation (EU) No 1093/2010 (the EBA Regulation), the EBA is also required to issue guidelines and recommendations addressed to competent authorities and financial institutions with a view to establishing consistent, efficient and effective supervisory practices and ensuring the common, uniform and consistent application of Union law. In particular, the conditions for outsourcing of functions of banking activities by institutions are not harmonised to the same extent as for institutions and payment institutions subject to MiFID II and PSD2.
The EBA Guidelines will enter into force on 30 September 2019 and contain some transitional periods for implementing a register of all outsourcing arrangements and to agree on cooperation agreements between competent authorities or to reintegrate outsourced functions or move them to other service providers, if the requirements of the guidelines can otherwise not be met.
 Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive
 Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12).