Response to consultation on draft Guidelines on outsourcing
Go back
First sentence of paragraph 46 on p. 30 reads:
»Institutions and payment institutions should maintain a register of all outsourcing arrangements at institution and group level where applicable as referred to in Section 2, document and record all current outsourcing arrangements, distinguishing the outsourcing of critical or important functions and other outsourcing arrangements«.
It follows that all existing outsourcing arrangements should be included in such a register, which is not reasonable. For example: for those service providers who have been identified as least risky already at the initial risk assessment (for example, they do not even reach the minimum internally set threshold of materiality), it is not necessary to collect and manage entire documentation, but only the most critical part. In view of this, we ask for a more detailed explanation of the term other outsourcing arrangements", since also the general definition of outsourcing in the Guidelines is not entirely clear.
A possible proposal for a solution is to set criteria for determining "significant" or “material” outsourcing arrangements, which should be included in the register (for example, by assessing its impact on capital, liquidity, reputation...of the institution) and / or allow the materiality threshold to be determined at this point or in the definition of outsourcing in chapter 2 of the Guidelines.
The definition of outsourcing should therefore be more closely linked to those external contractors where the realization of risks could (materially) affect the profit, capital and / or liquidity of the institution, as this is, in our opinion, crucial for linking this part of the bank's operations with risk appetite framework, ICAAP and ILAAP."
According to paragraph 24 (on p. 23) which reads
»The risks, including in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraph 22 and 23, should be assessed in line with paragraphs 53 and 55 and Section 9.3, taking into account the application of the proportionality principle as referred in Section 1.«,
institutions and payment institutions need to conduct risk assessment for all arrangements with third parties (i.e. also for those services which are not considered outsourcing in accordance with paragraph 23) in line with paragraphs 53 and 55 of the Guidelines.
Paragraph 53 requires institutions and payment institutions to carry out an appropriate assessment whether the service provider has “appropriate and sufficient ability, capacity, resources, organisational structure and, if applicable, required regulatory authorisation(s) to perform the critical or important function« before signing the contract, so we propose to change the title of subchapter 9.2 from “Due diligence” to “Due diligence within selection process”.
Considering the above we propose the rewording of this paragraph, e.g. by inserting the words “where applicable” so that the new wording would be as follows:
»Institutions and payment institutions should ensure, where applicable, that they are able to exit outsourcing arrangements, without undue disruption of their business activities or adverse effects on their compliance with the regulatory framework and without detriment to the continuity and quality of its provision of services to clients.«
Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?
With regard to point d. of paragraph 44 which requires, among other things, that the internal audit function ascertains that the risk appetite of the service provider is in line with the institution’s or payment institution’s strategy we would ask for further clarification how the risk appetite (which should not be confused with the term “risk profile”!) can be assessed in practice given the fact that service providers from the real sector of the economy do not disclose their risk appetite framework in a sufficient detail.Q6: Are the guidelines in Sections 8 regarding the documentation requirements appropriate and sufficiently clear?
We would welcome additional clarification as presented below.First sentence of paragraph 46 on p. 30 reads:
»Institutions and payment institutions should maintain a register of all outsourcing arrangements at institution and group level where applicable as referred to in Section 2, document and record all current outsourcing arrangements, distinguishing the outsourcing of critical or important functions and other outsourcing arrangements«.
It follows that all existing outsourcing arrangements should be included in such a register, which is not reasonable. For example: for those service providers who have been identified as least risky already at the initial risk assessment (for example, they do not even reach the minimum internally set threshold of materiality), it is not necessary to collect and manage entire documentation, but only the most critical part. In view of this, we ask for a more detailed explanation of the term other outsourcing arrangements", since also the general definition of outsourcing in the Guidelines is not entirely clear.
A possible proposal for a solution is to set criteria for determining "significant" or “material” outsourcing arrangements, which should be included in the register (for example, by assessing its impact on capital, liquidity, reputation...of the institution) and / or allow the materiality threshold to be determined at this point or in the definition of outsourcing in chapter 2 of the Guidelines.
The definition of outsourcing should therefore be more closely linked to those external contractors where the realization of risks could (materially) affect the profit, capital and / or liquidity of the institution, as this is, in our opinion, crucial for linking this part of the bank's operations with risk appetite framework, ICAAP and ILAAP."
Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?
We would propose one amendment as described below.According to paragraph 24 (on p. 23) which reads
»The risks, including in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraph 22 and 23, should be assessed in line with paragraphs 53 and 55 and Section 9.3, taking into account the application of the proportionality principle as referred in Section 1.«,
institutions and payment institutions need to conduct risk assessment for all arrangements with third parties (i.e. also for those services which are not considered outsourcing in accordance with paragraph 23) in line with paragraphs 53 and 55 of the Guidelines.
Paragraph 53 requires institutions and payment institutions to carry out an appropriate assessment whether the service provider has “appropriate and sufficient ability, capacity, resources, organisational structure and, if applicable, required regulatory authorisation(s) to perform the critical or important function« before signing the contract, so we propose to change the title of subchapter 9.2 from “Due diligence” to “Due diligence within selection process”.
Q12: Are the guidelines in sections 12 regarding exit strategies appropriate and sufficiently clear?
Paragraph 90 requires preparation of exit strategies/termination of the contracts without undue disruption of institutions’ and payment institutions’ business activities or adverse effects on their compliance with the regulatory framework and without detriment to the continuity and quality of their provision of their services to clients. Given the dominant or even monopoly position of some service providers, institutions have extremely limited possibilities (or no possibilities whatsoever) to negotiate appropriate exit strategies in the contracts, which they could actually implement in practice in the manner defined above.Considering the above we propose the rewording of this paragraph, e.g. by inserting the words “where applicable” so that the new wording would be as follows:
»Institutions and payment institutions should ensure, where applicable, that they are able to exit outsourcing arrangements, without undue disruption of their business activities or adverse effects on their compliance with the regulatory framework and without detriment to the continuity and quality of its provision of services to clients.«