Response to consultation on draft Guidelines on outsourcing
Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?
The definition of “function” can be at too high a level to cover outsourcing of components, often technology, required to fulfil the “function”. These components are where much of the innovation, that can bring significant cost reductions to organisations, is naturally taking place. The application of these innovations may be restricted if use of such components leads to entire functions being considered outsourced. A proportionate policy and approach to outsourcing of components, with well-defined contractual and technical interfaces, is needed to be able to incrementally improve the components of functions.
Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?
No additional comments.
Q3: Are the guidelines in Title II and, in particular, the safeguards ensuring that competent authorities are able to effectively supervise activities and services of institutions and payment institutions that require authorisation or registration (i.e. the activities listed in Annex I of Directive 2013/36/EU and the payment services listed in Annex I of Directive (EU) 2366/2015) appropriate and sufficiently clear or should additional safeguards be introduced?
No additional comments.
Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?
The outsourcing policy should be proportionate to the scale of the outsourcing, in particular where only components of a function are outsourced to (potentially multiple) “best of breed” providers.
Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?
Section 5 highlights potential conflicts of interest in outsourcing arrangements, which can particularly be a concern in both the evaluation of outsourcing providers and in the service level monitoring of outsourcing where these functions are undertaken by the internal function that may itself be affected (typically internal IT resources), rather than the business area requiring the service.
Q6: Are the guidelines in Section 8 regarding the documentation requirements appropriate and sufficiently clear?
No additional comments.
Q7: Are the guidelines in Section 9.1 regarding the assessment of criticality or importance of functions appropriate and sufficiently clear?
No additional comments.
Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?
No additional comments.
Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?
The assessment of concentration risk of a dominant provider (section 9.3-59-a-1) is not necessarily easy for an institution to make, since it may require commercially confidential information.
Additionally, where components of a function are delivered by different providers, yet the function is not considered to be fully outsourced (as may happen at present), this may have unseen concentration risks from a dominant provider. Providing a proportionate approach to component outsourcing would enable this risk to be better understood.