Response to consultation on draft Guidelines on outsourcing
Go back
“Definitions: Outsourcing means an arrangement on an ongoing and permanent basis of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity, or parts thereof that would otherwise be undertaken by the institution, the payment institutions or the electronic money institution itself”.
At least, one-off or occasional arrangements with service providers should be excluded.
Paragraph 5 confirms that the outsourcing of “functions” in general and “critical or important functions” in particular are the subject matter of these Guidelines. In paragraph 11, the latter term is defined as “any outsourcing of a function which is considered as critical or important including any operational tasks performed by the internal control functions”.
At first sight, it appears to us that both the scope and the definitions proposed are too vague and that they may lead to divergent and uneven implementations; either at company or national level. Therefore, we consider the regulation should include an example of a critical or an important function in the following way or similar:
“Critical or important functions can be such as services whose incorrect provision for a period exceeding 3 days interrupts or distorts the capacity of the entity to meet the obligations of its business or may lead to a sensible operational, economical or reputational impact for the entity, their clients or stakeholders according to the institution’s risk appetite"
In addition, in order to help harmonize the supervision of outsourcing arrangements, it is necessary that the Guidelines adequately limit the scope of the functions whose outsourcing falls under the scope of the Guidelines. The considerations including “any arrangements” and “that would otherwise be undertaken by the institution”, can be interpret that all third-party arrangements can be considered outsourcing, except for the very few exemptions mentioned in paragraph 23 (“The acquisition of services (e.g. advice of an architect regarding the premises, legal representation in front of the court and administrative bodies, servicing of company cars, catering), goods (e.g. purchase of office supplies, or furniture) or utilities (e.g. electricity, gas, water, telephone line) that are not normally performed by the institutions or payment institutions”).
Therefore, it is necessary that the EBA includes an annex to the Guidelines, including a non-exhaustive but more detailed list of examples that shall not be considered outsourcing. For instance, we propose adding the following cases: (i) consulting or advisory services, (ii) acquisition of projects for developing new software (we understand that the maintenance of the software is to be included); (iii) execution of advertising campaigns (media, advertising, promotional products…); (iv) management (not acquisition or purchase) of facilities (rebuilding works, management of immovable property, offices, maintenance works…); and (v) personnel administration.
Furthermore, paragraph 12 sets an “indicative date” of application: 30 June 2019. Our concern is that ESBG members will not have enough time to properly set up the global governance dedicated to the all types of outsourcing as required by the Guidelines. We thus suggest extending the date of application at least for six months for this specific topic.
ESBG believes that the requirement to ensure compliance of the existing stock of outsourcing contracts with the content of the guidelines within 18 months from the date of application of the guidelines (31 December 2020 – the transitional deadline in paragraph 13), would weaken not only the ongoing outsourcing activities but also the relationship of institutions with existing service providers.
Indeed, the existing stock of contracts of outsourcing of a given ESBG member might have a termination date or renewal date after the Transitional Deadline (typical duration is 3-5 years). Therefore, such a requirement would put in difficulty the institutions which, in view of the compliance with the rules of contracts and contractual law, will have to renegotiate quickly without being able to impose the new provisions on the providers. There will therefore be a risk of non-renewal or contractual termination of the outsourced service as soon as the service provider refuses to accept the new conditions which were not provided at the time of the call for tender and are binding to the parties. The only choice for institutions, in the event of failure of renegotiations with a provider, will be to take the risk of ending business continuity. Moreover, in the case of a contractual breach, this may be considered as resulting from a fault of the institution in the absence of a legal basis (even more if the breach takes place before the end of the contract or renewal date). Therefore, ESBG believes that the alignment of the existing outsourcing contracts with the requirements of the Guidelines would represent an infringement of the legal certainty since it imposes on the contractual parties obligations which at the time of concluding the contracts were unknown and not legally binding. We therefore suggest to completely remove this requirement in the final version of the Guidelines.
We would like to make sure that, as we understood, there is no specific deadline for the stock of long term contracts other than their termination date or renewal date. Therefore, it would be very useful if paragraph 13 would make this clear as to avoid confusion. Finally, in order to avoid confusion, it would be appropriate to replace the word “documentation” with the word “register” in paragraph 13. Furthermore, we would also propose an additional transition period for one additional year. This would, in our view, meet the objectives of securing outsourcing operations, preferably by modifying paragraph 13 in the way described below.
13. Institutions, payment institutions and electronic money institutions should complete the Register of all existing outsourcing arrangements, other than outsourcing arrangements to cloud services providers, in line with these guidelines following the first renewal date of each existing outsourcing arrangement, but not later than by 31 December 2021.””
ESBG welcomes the definition of sub-outsourcing. However, we notice that the guidelines do not always treat it in a coherent way. We therefore suggest that the guidelines should specify that the different obligations related to subcontracting should only apply to critical or important services."
We therefore propose that the spirit of the EBA Guidelines from 2006 is retained in Title 1, point 2. This specified that intra group outsourcing should be allowed for lighter controls. You can find the proposed text below.
“Intragroup outsourcing and outsourcing according to Guideline 4.1(i) can be material. Outsourcing institutions should be aware that supervisory authorities may take specific circumstances into consideration, such as the extent to which the outsourcing institution controls the service provider or has the ability to influence its actions, and the extent to which the service provider is included in the consolidated supervision of the group, when assessing the risks associated with an intragroup outsourcing arrangement and the treatment to apply to such arrangements.”
“The policy should recognise that the management of non-material and intra-group outsourcing should be proportionate to the risks presented by these arrangements.”
In this context, we would also suggest that some requirements are exempted or proportionally applied to intra group outsourcing arrangements as well as to outsourcing among entities of a financial network related to an IPS. Specific examples are: section 9.2 due diligence, paragraphs 59 and 86 on concentration risks and section 12 on exit strategies.
We appreciate the application of the principle of proportionality to this issue, but we do feel that it has to be applied in a way that does not hinder the level playing field among the different types of entities competing in the same market. If all activities that a credit institution performs are affected by these Guidelines, there is no reason to exclude account aggregators or credit intermediaries from the application of these guidelines; as, on the contrary, more lenient regulatory requirements would confer exempted companies a competitive advantage. In case these guidelines are not extended to apply to those institutions, any third party arrangement related to aggregation services or credit intermediation made by credit, payment and e-money institutions should not be considered outsourcing.
In relation to paragraphs 19 and 20, ESBG welcomes the fact that some facilitations shall be available for outsourcing within groups and institutional protection schemes (IPS). We believe that this is generally justified because such groups and groupings are focused on long-term cooperation and a rational division of tasks and responsibilities. As stated above, the requirements in the outsourcing guidelines should be broken down further and supplemented.
The governance and ownership structures in an IPS can be different to those of a consolidated group within the meaning of Article 11ff. of the CRR (Regulation (EU) 575/2013). Based on paragraph 35c) of the Draft Guidelines, we are requesting that, for an IPS, all outsourcing to other entities affiliated with the corresponding financial network should be covered (as well as outsourcing arrangements between the member institutions).
With regard to IPSs, we suggest to include a reference to Article 113(7) of Regulation (EU) 575/2013 and to ensure consistency with the IPS definition mentioned therein.
The EBA Draft Guidelines on Outsourcing provide a set of rules which will remove the current advantages of intra group outsourcing and treat it basically from a risk perspective in the same way as external outsourcing. In our view, this needs to be avoided. As long as the reporting and impact assessments are fulfilled, the institutions are not required to retain adequate competence and sufficient skilled resources to ensure appropriate management and oversight of outsourcing arrangements. More precisely, paragraph 20 a should be adjusted in order to reflect the proposed changes:
“a. where the operational monitoring of outsourcing arrangements within the same group or institutional protection scheme is being centralised (e.g. as part of a master agreement for the outsourcing arrangements), those institutions and payment institutions should ensure that there is independent monitoring of the service provider and an appropriate oversight by each institution or payment institution, including by receive from the centralised monitoring function reports covering the institution’s or payment institution’s outsourcings. Those institutions and payment institutions should also ensure that their management body will be duly informed of relevant changes being planned regarding the centralised service providers in order for them to assess the impact of these changes and ensure compliance with all regulatory requirements; as long as the reporting and impact assessments are fulfilled the institutions are not required to retain adequate competence and sufficient skilled resources to ensure appropriate management and oversight of outsourcing arrangements;
With regard to the wording of paragraph 20b (“where those institutions and payment institutions (…) rely on a central pre-outsourcing assessment (…)”) we believe that it needs to be aligned with the wording in Title IV Section 9 where a pre-outsourcing analysis is mentioned. We therefore recommend replacing the term “pre-outsourcing assessment” with “pre-outsourcing analysis”.
“b. where those institutions and payment institutions within the group, institutions affiliated to a central body or part of an institutional protection scheme rely on a central pre-outsourcing analysis of the outsourcing arrangements as referred to in Section 9, each institution and payment institution should receive the respective analysis and ensure it takes into consideration its specific structure and risks within their decision making. “
For outsourcing activities within groups the Draft Guidelines foresee several conditions to ease the requirements especially on the level of a single entity belonging to a central body, groups or members of an institutional protection scheme (IPS). It allows that by establishing uniform arrangements and centralized operational tasks.
We acknowledge the systematics of the conditions within paragraph 21 of the Draft Guidelines as comparable to a waiver, whereas Article 10 CRR demands a high level of integration and control mechanisms of institutions affiliated to a central body. However, we question the understanding of other (sometimes similarly and/or) highly integrated groups, with centrally executed control and enforcement mechanisms. The major differences between these groups are the organisational structure and the capital participation. To give an example, an IPS has to prove that there is no current or foreseen material practical or legal impediment to the prompt transfer of own funds or repayment of liabilities from the counterparty to the institution and that the institutional protection scheme disposes of suitable and uniformly stipulated systems for the monitoring and classification of risk, which gives a complete overview of the risk situations of all the individual members and the institutional protection scheme as a whole, with corresponding possibilities to take influence.
We therefore suggest that the EBA reconsiders the approach for the chapter “Outsourcing within group application and institutional protection scheme” (paras 17-21 of the Draft Guidelines) and enabling IPSs a similar centrally organized outsourcing regime as groups where waivers have been granted. We would like to reiterate the fact that some IPSs face a situation of certain ownerships like foundations without a proprietor (e.g. in Austria), that want to cooperate and act as one group but have no other opportunity than to arrange themselves by an IPS-structure, that tries to achieve group-effects but cannot become a (usual) group such as by equity participation.
“it is not relevant whether or not … or it would be able to perform it by itself on the basis of current resources and capabilities.”
Moving on to paragraph 24, ESBG opposes a requirement to perform a risk assessment in accordance with section 9.3 of the Draft Guidelines for all of an institution’s contractual relationships. The analyses and assessments required there are likely to be excessive for almost all other contractual relationships, and this is not something that can be remedied by a general reference to the principle of proportionality. The requirement for other contractual relationships should be limited to their inclusion in the management of operational risk and ensuring compliance with the legal provisions to be observed by the institution.
The intention of paragraph 26 is to put in place agreements between the competent authorities of EU Member States and the competent authorities of non-EU countries concerning regulated banking activities or payment services with a view to securing the outsourcing of these activities located outside the EU is in the interest of the institutions. In practice, we believe that it should be ensured that the negotiated agreements will be both protective and effective for the institutions.
However, ESBG believes that the guidelines should specify that the requirements of paragraph 26 only apply in case of complete outsourcing of authorised activities and do not concern e.g. the outsourcing of cloud services outside EU (which is often the case in practice). We would like to point out that these provisions were not in the EBA’s Recommendations on outsourcing to cloud service providers dated December 20 2017.
“29. Outsourcing should not lower the suitability requirements applied to the members of an institution or payment’s institution’s management body, persons responsible for the management of the payment institution and its key functions holders. Institutions and payment institutions should retain adequate competence and sufficient skilled resources to ensure appropriate management and oversight of outsourcing arrangements. Where the operational monitoring of outsourcing arrangements within the same group or institutional protection scheme is being centralised, it shall be sufficient that those institutions and payment institutions should ensure independent monitoring and appropriate oversight.”
ESBG thinks that the guidelines requirement to form new functions dedicated to outsourcing or to designate Key Function Holders would generate very significant costs and implementation time which is not necessary in all cases. Moreover, ESBG members consider that their internal control functions are already competent to verify the accuracy of the implementation process of outsourcing arrangements. We are of the opinion that institutions s should be given freedom of choice on the means.
We therefore propose the following changes to paragraph 30.c.
“ ensure a clear division of task and responsibilities for the monitoring of outsourcing arrangement”.
Concerning paragraph 34, we are of the view that some of the requirements are too detailed for such a policy document adopted by the management body. For instance, the exit strategies and termination processes of paragraph 34 are too specific and different depending on the type of services that could be too detailed for such a policy. We consider that those aspects should be in lower corporate level documents or included as an annex.
Therefore, it needs to be understood that even though banks need to assess the risks of conflicts of interest, especially in cases of intra group outsourcing, as stated in paragraph 38, banks should not be required to take any additional measures in order to appropriately balance conflicts of interest. We believe that the issue should be left to auto-regulation through, for example, internal codes of conduct and policies on conflicts of interest.
In relation to the internal audit function, particularly paragraph 42, we consider that the revision of outsourced activities should be set at an institution level and should be performed under a risk based approach plan, based on the internal control framework and mechanisms of the entity following the EBA’s Guidelines on Internal Governance. Therefore, the revision of the outsourced activities can be undertaken either by the second line of defence, specialized functions (IT, legal, compliance, etc.), outsourced specialist (third party certifications, external auditors, etc.) or a combination of these.
Paragraphs 74 and 75 allow third-party certifications and reports and pooled audits to be used complementary to audits of the institution’s internal audit function. These options should also be mentioned in section 7. In addition, many service providers themselves have an internal audit function that meets national and international professional standards. In this case too, it should be clarified that their audit activities and outcomes may be used.
In particular, when the service provider is a supervised institution or works for a large number of clients, inappropriate multiple audits should be avoided. These would not generate any appreciable additional benefits, but rather operational burden and higher costs.
We therefore propose that for clarity purposes paragraphs 49 and 50 are moved from Section 9.1 Assessment of the criticality or importance” to section 2. ”Subject matter, scope and definitions” which concerns the definition of the concept critical and important.
We also believe that paragraph 51 should be moved into the section on risk assessment (9.3 Risk Assessments of outsourcing arrangements) because we think that the criteria listed do not fall under the evaluation of the critical or important nature but the assessment of the risk borne by the service (business continuity and data among others). For example, paragraph 51(e) currently contemplates that “when assessing whether or not an outsourcing arrangement is critical or important, i.e. it concerns a critical or important function, institutions and payment institutions should take into account: […] (e) other outsourcing arrangements, in accordance with Section 9.3, the institution’s and payment institution’s aggregated exposure to the same service provider or the cumulative impact of outsourcing arrangements in the same business area”. Outsourced activities should be considered critical or not independently of who the service provider is. It is true that the provider needs to be accounted as a risk factor on the outsourcing agreement, but the criticality of most activities should not, as a general rule, depend upon the identity of the service provider. Paragraph 59a requires taking into account concentration risks, which should be sufficient in this respect."
Paragraph 56 constitutes, compared with paragraph 94 of EBA’s governance guidelines, an unreasonable expansion and cannot actually be implemented in this extent. ESBG therefore urges for the modifying of this paragraph in the following manner: “Institutions and payment institutions should take into account whether appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct”
In the case of some service providers (for instance the examples covered by paragraph 60), it is almost impossible to obtain all the information requested by the Draft Guidelines on sub-contractors of these service providers (sub-outsourcing). For some outsourced services, subcontractors are numerous and it is difficult for institutions to go down the chain. We would like to draw your attention to the fact that one way to comply would be to contractually oblige the provider to ensure the compliance of its subcontractor and to provide the financial institution with the necessary documents. This way would fulfil the Guidelines’ requirements that the financial institution keeps all of the responsibilities toward the customers."
ESBG would furthermore suggest the following actions to facilitate access to cloud solutions and the development of the cloud in the banking industry:
• Cloud services providers should be required to offer cloud solutions certified as conforming to technical, legal and security standards defined by the European authorities (prior approvals would be difficult to obtain, especially from cloud service providers);
• A reference framework should be established to facilitate contractual negotiations of banks with cloud service providers and to allow banks to be reassured on the fact that they have met the technical, legal and security standards when adopting cloud services (standardized contracts terms and conditions);
• We also believe that the comparison of cloud services offered should be facilitated by requiring more transparency from cloud service providers (standardization of services offered).
Additionally, in relation to the obligations of paragraph 66 we consider that they should be undertaken by the provider on behalf of its subcontractor. Therefore, the provider would have by contract the obligation to require to the subcontractor to comply with the requirements of that paragraph.
Developing clearly defined exit strategies for such outsourcing arrangements would require an unreasonably high and unnecessarily burdensome effort. ESBG is therefore calling for the addition of an exemption for intra group outsourcing and outsourcing within an IPS, including all entities that are members of the respective network.
We further believe that the term “tested” could be misinterpreted in a way that a successful transfer or in-housing of outsourced functions could be requested which would in fact be very burdensome and very counterproductive (this would be connected with major risks as some outsourcings usually require several years of preparation, e.g. outsourcing of core-banking systems or move of services from captive providers to external providers). Therefore, we propose the rewording of paragraph 90a of the Draft Guidelines as follows:
“90. Institutions and payment institutions should ensure that they are able to exit outsourcing arrangements, without undue disruption of their business activities or adverse effects on their compliance with the regulatory framework and without detriment to the continuity and quality of its provision of services to clients. To achieve this, they should:
a. develop and implement exit plans for the outsourcing of important or critical functions which address the main considerations (e.g. potential costs, impact, resource and timing implications of transferring an outsourced service to alternative provider) relevant to a potential exit;”
In ESBG’s opinion, the register to be made available to the competent authorities should not be understood to mean all of the internal documentation to be maintained internally by the institutions in accordance with section 8 and Annex I. ESBG is calling for this to be explicitly clarified. Providing basic information such as the brief description of the outsourced function, whether it is considered critical or important, and the name and the registered address of the service provider is sufficient (paragraphs 47a) i), ii) and iii); b) i) and ii). If they need to, the competent authorities can obtain a more detailed insight at any time in an on-site inspection or through inquiries.
According to paragraph 93, “institutions and payment institutions should adequately inform competent authorities in a timely manner of planned outsourcing of critical or important functions, including the outsourcing of critical or important cloud services, before they intend to enter into the new outsourcing agreement”. In relation to the process for informing of planned outsourcing and the register of the outsourcing agreement within the remit of the competent authority, we would like to raise a few considerations. On one hand, it is not clear whether the competent authority has “veto powers” or not. The option for competent authorities to intervene is only mentioned in the accompanying documents to the Draft outsourcing guidelines. This may cause uncertainty for the institutions about when the contract with a service provider can be effectively entered into. A clarification is deemed necessary. The institution is responsible in the first instance for assessing the admissibility of an outsourcing arrangement. Any supervisory intervention rights would curtail the management powers and responsibility of the governing body.
Furthermore, the requirement for advance notification from CEBS GL02 was also not implemented by many competent authorities in the past for good reasons.
Such advance notifications would cause additional effort at the institutions. And, at the same time, generate a flood of information at the supervisors’ side. This applies in particular to LSI supervision within the SSM.
In general, the provision of the regular overview by the institutions in accordance with paragraph 92 should be sufficient. For the reasons shown above, ESBG is calling for the requirements in paragraphs 93 and 94 to be deleted without replacement.
Paragraph 95 states that “institutions and payment institutions should inform without undue delay competent authorities of material changes and severe events regarding their outsourcing arrangements which could have a material impact on the continuing provision of the institutions and payment institutions’ business activities”. From this statement it could be derived that banks need to monitor the solvency and liquidity of the service provider, which would require a sort of supervision from banks over the providers. However, at the meeting with ESBG representatives of the EBA confirmed that this was not its intention, hence, it could be helpful in order to clear any future misinterpretation if this section includes a sentence stating that an institution’s responsibility on this issue will be limited to the information it receives from the service provider.
It should be explicitly allowed to keep a different structure of the outsourcing register, as long as it contains the required information. Applying structural changes to existing outsourcing registers would require a lot of time and effort, without real added value."
Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?
The absence of a notion of duration makes the definition too broad. ESBG thinks that the criterion on an ongoing and permanent basis” should be added to the definition of outsourcing as follows (additions highlighted):“Definitions: Outsourcing means an arrangement on an ongoing and permanent basis of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity, or parts thereof that would otherwise be undertaken by the institution, the payment institutions or the electronic money institution itself”.
At least, one-off or occasional arrangements with service providers should be excluded.
Paragraph 5 confirms that the outsourcing of “functions” in general and “critical or important functions” in particular are the subject matter of these Guidelines. In paragraph 11, the latter term is defined as “any outsourcing of a function which is considered as critical or important including any operational tasks performed by the internal control functions”.
At first sight, it appears to us that both the scope and the definitions proposed are too vague and that they may lead to divergent and uneven implementations; either at company or national level. Therefore, we consider the regulation should include an example of a critical or an important function in the following way or similar:
“Critical or important functions can be such as services whose incorrect provision for a period exceeding 3 days interrupts or distorts the capacity of the entity to meet the obligations of its business or may lead to a sensible operational, economical or reputational impact for the entity, their clients or stakeholders according to the institution’s risk appetite"
In addition, in order to help harmonize the supervision of outsourcing arrangements, it is necessary that the Guidelines adequately limit the scope of the functions whose outsourcing falls under the scope of the Guidelines. The considerations including “any arrangements” and “that would otherwise be undertaken by the institution”, can be interpret that all third-party arrangements can be considered outsourcing, except for the very few exemptions mentioned in paragraph 23 (“The acquisition of services (e.g. advice of an architect regarding the premises, legal representation in front of the court and administrative bodies, servicing of company cars, catering), goods (e.g. purchase of office supplies, or furniture) or utilities (e.g. electricity, gas, water, telephone line) that are not normally performed by the institutions or payment institutions”).
Therefore, it is necessary that the EBA includes an annex to the Guidelines, including a non-exhaustive but more detailed list of examples that shall not be considered outsourcing. For instance, we propose adding the following cases: (i) consulting or advisory services, (ii) acquisition of projects for developing new software (we understand that the maintenance of the software is to be included); (iii) execution of advertising campaigns (media, advertising, promotional products…); (iv) management (not acquisition or purchase) of facilities (rebuilding works, management of immovable property, offices, maintenance works…); and (v) personnel administration.
Furthermore, paragraph 12 sets an “indicative date” of application: 30 June 2019. Our concern is that ESBG members will not have enough time to properly set up the global governance dedicated to the all types of outsourcing as required by the Guidelines. We thus suggest extending the date of application at least for six months for this specific topic.
ESBG believes that the requirement to ensure compliance of the existing stock of outsourcing contracts with the content of the guidelines within 18 months from the date of application of the guidelines (31 December 2020 – the transitional deadline in paragraph 13), would weaken not only the ongoing outsourcing activities but also the relationship of institutions with existing service providers.
Indeed, the existing stock of contracts of outsourcing of a given ESBG member might have a termination date or renewal date after the Transitional Deadline (typical duration is 3-5 years). Therefore, such a requirement would put in difficulty the institutions which, in view of the compliance with the rules of contracts and contractual law, will have to renegotiate quickly without being able to impose the new provisions on the providers. There will therefore be a risk of non-renewal or contractual termination of the outsourced service as soon as the service provider refuses to accept the new conditions which were not provided at the time of the call for tender and are binding to the parties. The only choice for institutions, in the event of failure of renegotiations with a provider, will be to take the risk of ending business continuity. Moreover, in the case of a contractual breach, this may be considered as resulting from a fault of the institution in the absence of a legal basis (even more if the breach takes place before the end of the contract or renewal date). Therefore, ESBG believes that the alignment of the existing outsourcing contracts with the requirements of the Guidelines would represent an infringement of the legal certainty since it imposes on the contractual parties obligations which at the time of concluding the contracts were unknown and not legally binding. We therefore suggest to completely remove this requirement in the final version of the Guidelines.
We would like to make sure that, as we understood, there is no specific deadline for the stock of long term contracts other than their termination date or renewal date. Therefore, it would be very useful if paragraph 13 would make this clear as to avoid confusion. Finally, in order to avoid confusion, it would be appropriate to replace the word “documentation” with the word “register” in paragraph 13. Furthermore, we would also propose an additional transition period for one additional year. This would, in our view, meet the objectives of securing outsourcing operations, preferably by modifying paragraph 13 in the way described below.
13. Institutions, payment institutions and electronic money institutions should complete the Register of all existing outsourcing arrangements, other than outsourcing arrangements to cloud services providers, in line with these guidelines following the first renewal date of each existing outsourcing arrangement, but not later than by 31 December 2021.””
ESBG welcomes the definition of sub-outsourcing. However, we notice that the guidelines do not always treat it in a coherent way. We therefore suggest that the guidelines should specify that the different obligations related to subcontracting should only apply to critical or important services."
Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?
We notice that there seems to be only marginal preferential treatment of outsourcing within groups or within financial networks related to an institutional protection scheme (IPS). Requirements (management, control) are thus not relaxed but remain the same as those applied to outsourcing activities outside the group. By doing so, basically no recognition is made of the degree of integration reached within many banking groups, where centralized functions at group level act as a service provider for the other entities within the same group.We therefore propose that the spirit of the EBA Guidelines from 2006 is retained in Title 1, point 2. This specified that intra group outsourcing should be allowed for lighter controls. You can find the proposed text below.
“Intragroup outsourcing and outsourcing according to Guideline 4.1(i) can be material. Outsourcing institutions should be aware that supervisory authorities may take specific circumstances into consideration, such as the extent to which the outsourcing institution controls the service provider or has the ability to influence its actions, and the extent to which the service provider is included in the consolidated supervision of the group, when assessing the risks associated with an intragroup outsourcing arrangement and the treatment to apply to such arrangements.”
“The policy should recognise that the management of non-material and intra-group outsourcing should be proportionate to the risks presented by these arrangements.”
In this context, we would also suggest that some requirements are exempted or proportionally applied to intra group outsourcing arrangements as well as to outsourcing among entities of a financial network related to an IPS. Specific examples are: section 9.2 due diligence, paragraphs 59 and 86 on concentration risks and section 12 on exit strategies.
We appreciate the application of the principle of proportionality to this issue, but we do feel that it has to be applied in a way that does not hinder the level playing field among the different types of entities competing in the same market. If all activities that a credit institution performs are affected by these Guidelines, there is no reason to exclude account aggregators or credit intermediaries from the application of these guidelines; as, on the contrary, more lenient regulatory requirements would confer exempted companies a competitive advantage. In case these guidelines are not extended to apply to those institutions, any third party arrangement related to aggregation services or credit intermediation made by credit, payment and e-money institutions should not be considered outsourcing.
In relation to paragraphs 19 and 20, ESBG welcomes the fact that some facilitations shall be available for outsourcing within groups and institutional protection schemes (IPS). We believe that this is generally justified because such groups and groupings are focused on long-term cooperation and a rational division of tasks and responsibilities. As stated above, the requirements in the outsourcing guidelines should be broken down further and supplemented.
The governance and ownership structures in an IPS can be different to those of a consolidated group within the meaning of Article 11ff. of the CRR (Regulation (EU) 575/2013). Based on paragraph 35c) of the Draft Guidelines, we are requesting that, for an IPS, all outsourcing to other entities affiliated with the corresponding financial network should be covered (as well as outsourcing arrangements between the member institutions).
With regard to IPSs, we suggest to include a reference to Article 113(7) of Regulation (EU) 575/2013 and to ensure consistency with the IPS definition mentioned therein.
The EBA Draft Guidelines on Outsourcing provide a set of rules which will remove the current advantages of intra group outsourcing and treat it basically from a risk perspective in the same way as external outsourcing. In our view, this needs to be avoided. As long as the reporting and impact assessments are fulfilled, the institutions are not required to retain adequate competence and sufficient skilled resources to ensure appropriate management and oversight of outsourcing arrangements. More precisely, paragraph 20 a should be adjusted in order to reflect the proposed changes:
“a. where the operational monitoring of outsourcing arrangements within the same group or institutional protection scheme is being centralised (e.g. as part of a master agreement for the outsourcing arrangements), those institutions and payment institutions should ensure that there is independent monitoring of the service provider and an appropriate oversight by each institution or payment institution, including by receive from the centralised monitoring function reports covering the institution’s or payment institution’s outsourcings. Those institutions and payment institutions should also ensure that their management body will be duly informed of relevant changes being planned regarding the centralised service providers in order for them to assess the impact of these changes and ensure compliance with all regulatory requirements; as long as the reporting and impact assessments are fulfilled the institutions are not required to retain adequate competence and sufficient skilled resources to ensure appropriate management and oversight of outsourcing arrangements;
With regard to the wording of paragraph 20b (“where those institutions and payment institutions (…) rely on a central pre-outsourcing assessment (…)”) we believe that it needs to be aligned with the wording in Title IV Section 9 where a pre-outsourcing analysis is mentioned. We therefore recommend replacing the term “pre-outsourcing assessment” with “pre-outsourcing analysis”.
“b. where those institutions and payment institutions within the group, institutions affiliated to a central body or part of an institutional protection scheme rely on a central pre-outsourcing analysis of the outsourcing arrangements as referred to in Section 9, each institution and payment institution should receive the respective analysis and ensure it takes into consideration its specific structure and risks within their decision making. “
For outsourcing activities within groups the Draft Guidelines foresee several conditions to ease the requirements especially on the level of a single entity belonging to a central body, groups or members of an institutional protection scheme (IPS). It allows that by establishing uniform arrangements and centralized operational tasks.
We acknowledge the systematics of the conditions within paragraph 21 of the Draft Guidelines as comparable to a waiver, whereas Article 10 CRR demands a high level of integration and control mechanisms of institutions affiliated to a central body. However, we question the understanding of other (sometimes similarly and/or) highly integrated groups, with centrally executed control and enforcement mechanisms. The major differences between these groups are the organisational structure and the capital participation. To give an example, an IPS has to prove that there is no current or foreseen material practical or legal impediment to the prompt transfer of own funds or repayment of liabilities from the counterparty to the institution and that the institutional protection scheme disposes of suitable and uniformly stipulated systems for the monitoring and classification of risk, which gives a complete overview of the risk situations of all the individual members and the institutional protection scheme as a whole, with corresponding possibilities to take influence.
We therefore suggest that the EBA reconsiders the approach for the chapter “Outsourcing within group application and institutional protection scheme” (paras 17-21 of the Draft Guidelines) and enabling IPSs a similar centrally organized outsourcing regime as groups where waivers have been granted. We would like to reiterate the fact that some IPSs face a situation of certain ownerships like foundations without a proprietor (e.g. in Austria), that want to cooperate and act as one group but have no other opportunity than to arrange themselves by an IPS-structure, that tries to achieve group-effects but cannot become a (usual) group such as by equity participation.
Q3: Are the guidelines in Title II and, in particular, the safeguards ensuring that competent authorities are able to effectively supervise activities and services of institutions and payment institutions that require authorisation or registration (i.e. the activities listed in Annex I of Directive 2013/36/EU and the payment services listed in Annex I of Directive (EU) 2366/2015) appropriate and sufficiently clear or should additional safeguards be introduced?
Regarding paragraph 22, ESBG feels that the wording of the second sentence goes too far. According to this dictum, any form of cooperation amongst licensed entities would have to be qualified as “outsourcing”. However, there are, for example, functions of central clearing houses in payments or securities settlement that can definitely not be performed by individual institutions and should thus not be considered to be outsourcing within the meaning of the guidelines. We suspect that the intention behind this requirement is in particular to ensure that there cannot be any reference to capacity or expertise that an institution currently does not possess. This could be better expressed as follows:“it is not relevant whether or not … or it would be able to perform it by itself on the basis of current resources and capabilities.”
Moving on to paragraph 24, ESBG opposes a requirement to perform a risk assessment in accordance with section 9.3 of the Draft Guidelines for all of an institution’s contractual relationships. The analyses and assessments required there are likely to be excessive for almost all other contractual relationships, and this is not something that can be remedied by a general reference to the principle of proportionality. The requirement for other contractual relationships should be limited to their inclusion in the management of operational risk and ensuring compliance with the legal provisions to be observed by the institution.
The intention of paragraph 26 is to put in place agreements between the competent authorities of EU Member States and the competent authorities of non-EU countries concerning regulated banking activities or payment services with a view to securing the outsourcing of these activities located outside the EU is in the interest of the institutions. In practice, we believe that it should be ensured that the negotiated agreements will be both protective and effective for the institutions.
However, ESBG believes that the guidelines should specify that the requirements of paragraph 26 only apply in case of complete outsourcing of authorised activities and do not concern e.g. the outsourcing of cloud services outside EU (which is often the case in practice). We would like to point out that these provisions were not in the EBA’s Recommendations on outsourcing to cloud service providers dated December 20 2017.
Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?
We believe that in an intra group setting, where outsourcing is provided and steered centrally, in order to avoid repeating processes it is sufficient that the lead institution is responsible for making sure that proper management and oversight of outsourcing arrangements are retained. Other institutions of the group would of course validate the management and oversight of the outsourced arrangements. We therefore propose to change paragraph 29 as follows:“29. Outsourcing should not lower the suitability requirements applied to the members of an institution or payment’s institution’s management body, persons responsible for the management of the payment institution and its key functions holders. Institutions and payment institutions should retain adequate competence and sufficient skilled resources to ensure appropriate management and oversight of outsourcing arrangements. Where the operational monitoring of outsourcing arrangements within the same group or institutional protection scheme is being centralised, it shall be sufficient that those institutions and payment institutions should ensure independent monitoring and appropriate oversight.”
ESBG thinks that the guidelines requirement to form new functions dedicated to outsourcing or to designate Key Function Holders would generate very significant costs and implementation time which is not necessary in all cases. Moreover, ESBG members consider that their internal control functions are already competent to verify the accuracy of the implementation process of outsourcing arrangements. We are of the opinion that institutions s should be given freedom of choice on the means.
We therefore propose the following changes to paragraph 30.c.
“ ensure a clear division of task and responsibilities for the monitoring of outsourcing arrangement”.
Concerning paragraph 34, we are of the view that some of the requirements are too detailed for such a policy document adopted by the management body. For instance, the exit strategies and termination processes of paragraph 34 are too specific and different depending on the type of services that could be too detailed for such a policy. We consider that those aspects should be in lower corporate level documents or included as an annex.
Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?
In relation to intra group outsourcing, currently many banking groups are composed of multiple and diverse subsidiaries, which make extensive use of intra group outsourcing. However, strategic decisions at group level do not always work under arm’s length contracts. Those strategic decisions take into account every consequence for both the main entity and its subsidiaries, with no single part having to assume dire consequences.Therefore, it needs to be understood that even though banks need to assess the risks of conflicts of interest, especially in cases of intra group outsourcing, as stated in paragraph 38, banks should not be required to take any additional measures in order to appropriately balance conflicts of interest. We believe that the issue should be left to auto-regulation through, for example, internal codes of conduct and policies on conflicts of interest.
In relation to the internal audit function, particularly paragraph 42, we consider that the revision of outsourced activities should be set at an institution level and should be performed under a risk based approach plan, based on the internal control framework and mechanisms of the entity following the EBA’s Guidelines on Internal Governance. Therefore, the revision of the outsourced activities can be undertaken either by the second line of defence, specialized functions (IT, legal, compliance, etc.), outsourced specialist (third party certifications, external auditors, etc.) or a combination of these.
Paragraphs 74 and 75 allow third-party certifications and reports and pooled audits to be used complementary to audits of the institution’s internal audit function. These options should also be mentioned in section 7. In addition, many service providers themselves have an internal audit function that meets national and international professional standards. In this case too, it should be clarified that their audit activities and outcomes may be used.
In particular, when the service provider is a supervised institution or works for a large number of clients, inappropriate multiple audits should be avoided. These would not generate any appreciable additional benefits, but rather operational burden and higher costs.
Q6: Are the guidelines in Sections 8 regarding the documentation requirements appropriate and sufficiently clear?
In relation to paragraph 47.c (v) about scheduled audits, we believe that the outsourcing register should not require duplicative information. Audit schedules are part of the documentation of the internal audit function. ESBG suggests deleting this point.Q7: Are the guidelines in Sections 9.1 regarding the assessment of criticality or importance of functions appropriate and sufficiently clear?
We believe that there are too many criteria for assessing the critical or important nature of a service to be taken into account. This includes criteria, which we find to be more relevant to risk assessment.We therefore propose that for clarity purposes paragraphs 49 and 50 are moved from Section 9.1 Assessment of the criticality or importance” to section 2. ”Subject matter, scope and definitions” which concerns the definition of the concept critical and important.
We also believe that paragraph 51 should be moved into the section on risk assessment (9.3 Risk Assessments of outsourcing arrangements) because we think that the criteria listed do not fall under the evaluation of the critical or important nature but the assessment of the risk borne by the service (business continuity and data among others). For example, paragraph 51(e) currently contemplates that “when assessing whether or not an outsourcing arrangement is critical or important, i.e. it concerns a critical or important function, institutions and payment institutions should take into account: […] (e) other outsourcing arrangements, in accordance with Section 9.3, the institution’s and payment institution’s aggregated exposure to the same service provider or the cumulative impact of outsourcing arrangements in the same business area”. Outsourced activities should be considered critical or not independently of who the service provider is. It is true that the provider needs to be accounted as a risk factor on the outsourcing agreement, but the criticality of most activities should not, as a general rule, depend upon the identity of the service provider. Paragraph 59a requires taking into account concentration risks, which should be sufficient in this respect."
Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?
ESBG is of the opinion that the obligation to conduct due diligence on a service provider should be limited to the outsourcing of “critical or important functions” in line with the response to Q2. This is also necessary in light of the fact that such a classification is likely to happen in many cases because of the criteria given in section 9.1.Paragraph 56 constitutes, compared with paragraph 94 of EBA’s governance guidelines, an unreasonable expansion and cannot actually be implemented in this extent. ESBG therefore urges for the modifying of this paragraph in the following manner: “Institutions and payment institutions should take into account whether appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct”
Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?
Paragraph 57 constitutes a reference to all third parties monitoring when it states that Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, manage, monitor and report all risks they are or might be exposed to relating to arrangements with third parties, regardless of whether or not those arrangements are considered outsourcing arrangements". ESBG is of the opinion that such a requirement does not lie within the scope of the outsourcing guidelines. Paragraph 57 therefore should be deleted. At a minimum, we would ask the EBA to clarify that combined risk assessments of similar non-outsourcing arrangements are admissible and that institutions may entirely exclude arrangements of minor extent.In the case of some service providers (for instance the examples covered by paragraph 60), it is almost impossible to obtain all the information requested by the Draft Guidelines on sub-contractors of these service providers (sub-outsourcing). For some outsourced services, subcontractors are numerous and it is difficult for institutions to go down the chain. We would like to draw your attention to the fact that one way to comply would be to contractually oblige the provider to ensure the compliance of its subcontractor and to provide the financial institution with the necessary documents. This way would fulfil the Guidelines’ requirements that the financial institution keeps all of the responsibilities toward the customers."
Q10: Are the guidelines in Section 10 regarding the contractual phase appropriate and sufficiently clear; do the proposals relating to the exercise of access and audit rights give rise to any potential significant legal or practical challenges for institutions and payment institutions?
Applying the requirements outlined in paragraph 63 for non-critical and non-important outsourcing arrangements would be too ambitious and not practice-oriented (e.g. agreement on comprehensive information, audit and access rights). We recommend consistently focusing Section 10 on “critical or important” outsourcing.ESBG would furthermore suggest the following actions to facilitate access to cloud solutions and the development of the cloud in the banking industry:
• Cloud services providers should be required to offer cloud solutions certified as conforming to technical, legal and security standards defined by the European authorities (prior approvals would be difficult to obtain, especially from cloud service providers);
• A reference framework should be established to facilitate contractual negotiations of banks with cloud service providers and to allow banks to be reassured on the fact that they have met the technical, legal and security standards when adopting cloud services (standardized contracts terms and conditions);
• We also believe that the comparison of cloud services offered should be facilitated by requiring more transparency from cloud service providers (standardization of services offered).
Additionally, in relation to the obligations of paragraph 66 we consider that they should be undertaken by the provider on behalf of its subcontractor. Therefore, the provider would have by contract the obligation to require to the subcontractor to comply with the requirements of that paragraph.
Q11: Are the guidelines in Section 11 regarding the oversight on outsourcing arrangements appropriate and sufficiently clear?
Paragraph 83 affirms that “Institutions and payment institutions should monitor on an ongoing basis the performance by the service provider and, where applicable sub-contractors, with regard to all outsourcing arrangements with a particular focus on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured.” This requirement appears to extend the control functions currently performed by institutions on service providers, so if it is maintained in the final Guidelines, we suggest the EBA further explains what sort of ongoing monitoring is expected from institutions.Q12: Are the guidelines in sections 12 regarding exit strategies appropriate and sufficiently clear?
Concerning paragraph 89, some outsourcing relationships in the financial sector, especially in consolidated groups or among entities of a financial network related to an IPS, are characterised by a permanent division of functions and specialisations. In Germany, for example, the savings banks and cooperative banks have outsourced much of their IT to the centralised data centre of the respective financial network. Because of the ownership and governance structures within these groups and IPS-related networks, the likelihood that a service provider will be terminated or will fail is extremely low. If the quality of service starts deteriorating, the client institutions have adequate opportunities to intervene.Developing clearly defined exit strategies for such outsourcing arrangements would require an unreasonably high and unnecessarily burdensome effort. ESBG is therefore calling for the addition of an exemption for intra group outsourcing and outsourcing within an IPS, including all entities that are members of the respective network.
We further believe that the term “tested” could be misinterpreted in a way that a successful transfer or in-housing of outsourced functions could be requested which would in fact be very burdensome and very counterproductive (this would be connected with major risks as some outsourcings usually require several years of preparation, e.g. outsourcing of core-banking systems or move of services from captive providers to external providers). Therefore, we propose the rewording of paragraph 90a of the Draft Guidelines as follows:
“90. Institutions and payment institutions should ensure that they are able to exit outsourcing arrangements, without undue disruption of their business activities or adverse effects on their compliance with the regulatory framework and without detriment to the continuity and quality of its provision of services to clients. To achieve this, they should:
a. develop and implement exit plans for the outsourcing of important or critical functions which address the main considerations (e.g. potential costs, impact, resource and timing implications of transferring an outsourced service to alternative provider) relevant to a potential exit;”
Q13: Are the guidelines in Section 13 appropriate and sufficiently clear, Iin particular, are there any ways of limiting the information in the register which institutions and payment institutions are required to provide to competent authorities to make it more proportionate and, relevant? With a view to bring sufficient proportionality, the EBA will consider the supervisory relevance and value of a register covering all outsourcing arrangements within each SREP cycle or at least every 3 years in regard of the operational and administrative burden.
A common data format would probably be based on the very extensive information requirements of the ECB for the SI SREP and thus violate the principle of proportionality. The arrangements for collecting information for the SREP should therefore be a matter for the competent authorities.In ESBG’s opinion, the register to be made available to the competent authorities should not be understood to mean all of the internal documentation to be maintained internally by the institutions in accordance with section 8 and Annex I. ESBG is calling for this to be explicitly clarified. Providing basic information such as the brief description of the outsourced function, whether it is considered critical or important, and the name and the registered address of the service provider is sufficient (paragraphs 47a) i), ii) and iii); b) i) and ii). If they need to, the competent authorities can obtain a more detailed insight at any time in an on-site inspection or through inquiries.
According to paragraph 93, “institutions and payment institutions should adequately inform competent authorities in a timely manner of planned outsourcing of critical or important functions, including the outsourcing of critical or important cloud services, before they intend to enter into the new outsourcing agreement”. In relation to the process for informing of planned outsourcing and the register of the outsourcing agreement within the remit of the competent authority, we would like to raise a few considerations. On one hand, it is not clear whether the competent authority has “veto powers” or not. The option for competent authorities to intervene is only mentioned in the accompanying documents to the Draft outsourcing guidelines. This may cause uncertainty for the institutions about when the contract with a service provider can be effectively entered into. A clarification is deemed necessary. The institution is responsible in the first instance for assessing the admissibility of an outsourcing arrangement. Any supervisory intervention rights would curtail the management powers and responsibility of the governing body.
Furthermore, the requirement for advance notification from CEBS GL02 was also not implemented by many competent authorities in the past for good reasons.
Such advance notifications would cause additional effort at the institutions. And, at the same time, generate a flood of information at the supervisors’ side. This applies in particular to LSI supervision within the SSM.
In general, the provision of the regular overview by the institutions in accordance with paragraph 92 should be sufficient. For the reasons shown above, ESBG is calling for the requirements in paragraphs 93 and 94 to be deleted without replacement.
Paragraph 95 states that “institutions and payment institutions should inform without undue delay competent authorities of material changes and severe events regarding their outsourcing arrangements which could have a material impact on the continuing provision of the institutions and payment institutions’ business activities”. From this statement it could be derived that banks need to monitor the solvency and liquidity of the service provider, which would require a sort of supervision from banks over the providers. However, at the meeting with ESBG representatives of the EBA confirmed that this was not its intention, hence, it could be helpful in order to clear any future misinterpretation if this section includes a sentence stating that an institution’s responsibility on this issue will be limited to the information it receives from the service provider.
Q15: Is the template in Annex I appropriate and sufficiently clear?
There is a new reference to third parties monitoring (institutions are required to identify, manage, monitor and report all potential risks related to arrangements with third parties, even though these arrangements are not considered outsourcing ") that we understand as a new obligation to control any third party that would dramatically increase the compliance burden for institutions, since the number of third parties to be analysed and the criteria for this analysis would increase substantially.It should be explicitly allowed to keep a different structure of the outsourcing register, as long as it contains the required information. Applying structural changes to existing outsourcing registers would require a lot of time and effort, without real added value."