Response to consultation on draft Guidelines on outsourcing
Go back
Mandate of the EBA
The mandate given by Article 74(3) of the CRD to the EBA to issue guidelines is explicitly limited to the arrangements, processes and mechanisms referred to in Article 74(1) and (2) of the CRD which only cover the internal governance processes of an institution on solo-level. With regard to Article 3(1), point (3) of the CRD with reference to Article 4(1), point (3) of Regulation (EU) No 575/2013 (CRR), “institutions” are defined as credit institutions or investment firms. This definition does not include investment management companies in the meaning of the AIFMD or UCITS Directive.
In view of the financial stability, there may be a need for further developments of a common under-standing of outsourced business activities in the banking sector and for issuing EBA guidelines on internal governance processes regarding the risks banks are or might be exposed to, also in the group context. However, the legal mandate given to the EBA does not involve issuing guidelines with regard to the application of CRD rules to subsidiaries of banks for which sector-specific requirements apply, for which the EBA is not competent and the competent European authority ESMA is not involved and consulted.
Therefore, we request the EBA to explicitly clarify in their guidelines that investment manage-ment companies licensed under the UCITS Directive or AIFMD and being part of a banking group are out of the scope of the proposed guidelines and are not required to implement all these requirements drafted in the guidelines on solo-level.
To be distinguished from the question of the application of the CRD requirements is the responsibility of a parent company to ensure group-wide consistency as stated in Article 109 of the CRD. In particular, according to Article 109(2) of the CRD, the consolidating institution shall ensure that subsidiaries not subject to the CRD implement arrangements, processes and mechanisms set out in Section II of Chapter 2 of the CRD in a consistent and well integrated manner. This does not mean that such subsidiaries are required to “apply” the CRD requirements. The rule only seeks to ensure that subsidiaries which themselves are not subject to the CRD “implement” consistent processes and arrangements relevant to the purpose of supervision.
Moreover, it must be noted that the group approach under Article 109 of the CRD is currently under discussion and clarifications for subsidiaries of banks for which sector-specific requirements apply are expected in the course of the CRD review. These developments must be taken into account, in particular, the European Parliament has proposed to clarify Article 109(2) CRD in such a way that sector-specific requirements shall apply for these subsidiaries on solo-level. This approach would cover all internal governance processes required under Section II of this Chapter 2 of the CRD, and is not limited to questions of remuneration as indicated erroneously by the EBA at the hearing.
However, we do not agree with the rationale and objective of the guidelines given in the summary of the background under paragraph 18, page 9 of the consultation paper. According to this paragraph the EBA highlights that it should be ensured that parent undertakings and subsidiaries subject to the CRD implement the arrangements, processes and mechanisms in their subsidiaries not subject to this Di-rective, e. g. AIFMD and UCITS firms. The EBA reiterated this approach under section 4, paragraph 18 of the draft guidelines. These provisions could be misunderstood in the sense that asset managers shall implement the proposed measurements, proposed contents also for services provided with sector-specific requirements. This would lead to the situation that asset management companies which are part of a banking group would be required to implement two different sets of regimes on solo level, the regime of the UCITS Directive/AIFMD and the CRD. These requirements differ in key aspects such as functions which could be outsourced, including specific conditions for delegation of functions into third countries and, in particular, the outsourcing process including the content of outsourcing agreements and controlling process. Moreover, the outsourcing requirements proposed by the EBA in its guidelines are not designed to reflect these sector-specific requirements and specific business models of asset management companies.
Furthermore, extending the scope of the guidelines also to entities which do not qualify as “institutions” in the meaning of the CRD would substantially expand the scope of the EBA recommendation on outsourcing to cloud service providers published in 2017 which entered into force in July 2018. These recommendations are clearly limited to institutions in the meaning of the CRD. Applying the group approach as proposed by the EBA would lead to the situation that asset managers being part of a banking group would be required to fulfil these requirements without considering their special business models and legal requirements and without any kind of transition period.
Therefore, the responsibility of a parent company to ensure group-wide consistency as stated in Article 109 of the CRD should not lead to an inappropriate double regulation for internal governance processes of asset managers being part of a banking group. In our understanding, the parent company has the task to ensure that the management company complies with its own specific requirements on solo-level. Therefore, it is important to ensure that the requirements of the AIFMD and UCITS Directive are applicable by priority in a group context. Moreover, because the requirements of the UCITS Directive and the AIFMD are consistent with the requirements under the CRD, there is no need to extend the scope of the CRD to non-bank entities such as entities subject to the AIFMD or the UCITS Directive.
At the very least, we explicitly request the EBA to add the following clarification:
- Under paragraph 9 of the draft guidelines:
“Without prejudice to Directive 2014/65/EU (MiFID II), Directive 2009/65/EG (UCITS Directive) and Di-rective 2011/61/EU (AIFMD), […] institutions should also comply with these guidelines on a solo basis, sub-consolidated basis and consolidated basis as set out in Articles 21, and Article 10 to 110 of Directive 2013/36.”
- Under paragraph 18:
“Subsidiary undertakings, not themselves subject to this Directive, shall comply with their sector-specific requirements on solo level.”
Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?
Our members are asset managers providing management services to collective investment undertak-ings such as UCITS or AIF. Most of them are investment management companies within the meaning of Directive 2009/65/EC (“UCITS Directive”) or Directive 2011/61/EU (“AIFMD”) for which the CRD does not apply. However, for some of them the consultation at hand can be relevant if they are part of a banking group. We are very concerned about the wide scope of the draft guidelines with a very deep impact on our members. In particular, we strongly disagree with extending the scope of these guidelines without a legal mandate of the EBA about activities provided by entities such as as-set managers for which sector-specific requirements under the responsibility of ESMA apply, also as far as they are part of a banking group. Therefore, we would like to focus our response to question 1 regarding the subject matter, scope, including the application of the guidelines, definitions and implementation as well as to question 2 regarding the group application that we summarise as follows:Mandate of the EBA
The mandate given by Article 74(3) of the CRD to the EBA to issue guidelines is explicitly limited to the arrangements, processes and mechanisms referred to in Article 74(1) and (2) of the CRD which only cover the internal governance processes of an institution on solo-level. With regard to Article 3(1), point (3) of the CRD with reference to Article 4(1), point (3) of Regulation (EU) No 575/2013 (CRR), “institutions” are defined as credit institutions or investment firms. This definition does not include investment management companies in the meaning of the AIFMD or UCITS Directive.
In view of the financial stability, there may be a need for further developments of a common under-standing of outsourced business activities in the banking sector and for issuing EBA guidelines on internal governance processes regarding the risks banks are or might be exposed to, also in the group context. However, the legal mandate given to the EBA does not involve issuing guidelines with regard to the application of CRD rules to subsidiaries of banks for which sector-specific requirements apply, for which the EBA is not competent and the competent European authority ESMA is not involved and consulted.
Therefore, we request the EBA to explicitly clarify in their guidelines that investment manage-ment companies licensed under the UCITS Directive or AIFMD and being part of a banking group are out of the scope of the proposed guidelines and are not required to implement all these requirements drafted in the guidelines on solo-level.
Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?
Group contextTo be distinguished from the question of the application of the CRD requirements is the responsibility of a parent company to ensure group-wide consistency as stated in Article 109 of the CRD. In particular, according to Article 109(2) of the CRD, the consolidating institution shall ensure that subsidiaries not subject to the CRD implement arrangements, processes and mechanisms set out in Section II of Chapter 2 of the CRD in a consistent and well integrated manner. This does not mean that such subsidiaries are required to “apply” the CRD requirements. The rule only seeks to ensure that subsidiaries which themselves are not subject to the CRD “implement” consistent processes and arrangements relevant to the purpose of supervision.
Moreover, it must be noted that the group approach under Article 109 of the CRD is currently under discussion and clarifications for subsidiaries of banks for which sector-specific requirements apply are expected in the course of the CRD review. These developments must be taken into account, in particular, the European Parliament has proposed to clarify Article 109(2) CRD in such a way that sector-specific requirements shall apply for these subsidiaries on solo-level. This approach would cover all internal governance processes required under Section II of this Chapter 2 of the CRD, and is not limited to questions of remuneration as indicated erroneously by the EBA at the hearing.
However, we do not agree with the rationale and objective of the guidelines given in the summary of the background under paragraph 18, page 9 of the consultation paper. According to this paragraph the EBA highlights that it should be ensured that parent undertakings and subsidiaries subject to the CRD implement the arrangements, processes and mechanisms in their subsidiaries not subject to this Di-rective, e. g. AIFMD and UCITS firms. The EBA reiterated this approach under section 4, paragraph 18 of the draft guidelines. These provisions could be misunderstood in the sense that asset managers shall implement the proposed measurements, proposed contents also for services provided with sector-specific requirements. This would lead to the situation that asset management companies which are part of a banking group would be required to implement two different sets of regimes on solo level, the regime of the UCITS Directive/AIFMD and the CRD. These requirements differ in key aspects such as functions which could be outsourced, including specific conditions for delegation of functions into third countries and, in particular, the outsourcing process including the content of outsourcing agreements and controlling process. Moreover, the outsourcing requirements proposed by the EBA in its guidelines are not designed to reflect these sector-specific requirements and specific business models of asset management companies.
Furthermore, extending the scope of the guidelines also to entities which do not qualify as “institutions” in the meaning of the CRD would substantially expand the scope of the EBA recommendation on outsourcing to cloud service providers published in 2017 which entered into force in July 2018. These recommendations are clearly limited to institutions in the meaning of the CRD. Applying the group approach as proposed by the EBA would lead to the situation that asset managers being part of a banking group would be required to fulfil these requirements without considering their special business models and legal requirements and without any kind of transition period.
Therefore, the responsibility of a parent company to ensure group-wide consistency as stated in Article 109 of the CRD should not lead to an inappropriate double regulation for internal governance processes of asset managers being part of a banking group. In our understanding, the parent company has the task to ensure that the management company complies with its own specific requirements on solo-level. Therefore, it is important to ensure that the requirements of the AIFMD and UCITS Directive are applicable by priority in a group context. Moreover, because the requirements of the UCITS Directive and the AIFMD are consistent with the requirements under the CRD, there is no need to extend the scope of the CRD to non-bank entities such as entities subject to the AIFMD or the UCITS Directive.
At the very least, we explicitly request the EBA to add the following clarification:
- Under paragraph 9 of the draft guidelines:
“Without prejudice to Directive 2014/65/EU (MiFID II), Directive 2009/65/EG (UCITS Directive) and Di-rective 2011/61/EU (AIFMD), […] institutions should also comply with these guidelines on a solo basis, sub-consolidated basis and consolidated basis as set out in Articles 21, and Article 10 to 110 of Directive 2013/36.”
- Under paragraph 18:
“Subsidiary undertakings, not themselves subject to this Directive, shall comply with their sector-specific requirements on solo level.”