Response to consultation on draft Guidelines on outsourcing


Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?

1. While the definitions seem clear, some aspects may lead to an unnecessary excess of terms. The section begins with the definition of outsourcing / sub-outsourcing, explains what critical or important functions are, and touches upon the aspects of cloud services.
2. According to the definition, sub-outsourcing means a situation where the service provider under an outsourcing arrangement further transfers a process, a service or an activity, or parts thereof, to another service provider. As there is no definition of a process, a service or an activity, sub-outsourcing may be understood to mean contracting by the service provider of any function related to the services provided by such service provider. Hence it is important to establish what may be the subject matter of outsourcing, as the definition in the Guidelines is very broad and might in fact cover all services, operations and processes which together comprise the bank’s activity.
3. Some doubts arise with regard to the term ‘Critical function’, which is known from other regulations, but defined differently (e.g. BRRD). The authors are aware of this, but they should emphasise this fact beyond just a reference in footnote 11.
4. The term ‘review’ is equally unclear. Given that the event of renewal of an agreement may be postponed by a significant period, a gap may appear with regard to the existing agreements, whereby they will remain unadjusted to the new standards for too long.
5. As far as the date of application of the Guidelines is concerned, the transition periods for new and existing outsourcing agreements seem sufficient in order to agree with service providers on new requirements resulting from the Guidelines as appropriate. Nevertheless, the need to take account of the Guidelines for the first renewal of an outsourcing agreement after 30 June 2019 may raise some doubts: it is unclear whether this applies to any first addendum to an outsourcing agreement, or to a renewal to a successive period.
6. The definitions of a private, public, community and hybrid cloud all refer to an undefined term ‘cloud infrastructure’ (instead of ‘cloud services’, which is the term actually defined), which may lead to doubts as to the interpretation.
7. It would also be advisable to reduce the number of sub-outsourcers in the supply chain (to reduce risk). Serious consideration should be given to prohibiting the use of sub-outsourcing with regard to important and critical functions. Outsourcing raises the level of risk, and sub-outsourcing raises it even more. This might be hazardous in the case of important and critical functions, especially in the context of the very dense cross-border interlinks in the EU banking sector.
The guidelines should state clearly whether multi-level sub-outsourcing is allowed, i.e. whether it is permissible for a sub-outsourcer to outsource some of the services outsourced to it by the outsourcer to other entities (to other sub-outsourcers), or whether only one level of sub-outsourcing is allowed – from outsourcer to sub-outsourcer. Paragraph 60(b) suggests that multi-level sub-outsourcing is acceptable; however, this is a controversial matter and, for reasons of practical importance, should be described and explicitly regulated.

Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?

1. The presented solutions seem to give no reason for concern. Though concise, the presentation of the aspects of proportionality is complete and captures the essence. It is pointed out in the guidelines that when applying the principle of proportionality, the relevant criteria specified in the EBA Guidelines on Internal Governance should be taken into account. The principles are clear and properly laid down. They apply to EU-based groups. Hence all banks within a group are subject to the same harmonised provisions. Yet even the best provisions are insufficient if they are not duly and uniformly enforced. This does not pose a problem for banks based in the Eurozone as they are subject to the supervision of the ECB, which – as the sole supervisor – guarantees such uniformity. In such a case, even providing services in the area of internal control does not have to be too risky. The risk rises, though, for an EU-based subsidiary bank which is situated beyond the Eurozone and therefore supervised by its local supervisor. Hence the Guidelines should take account of the fact that not all EU-based banks are supervised by the ECB, and more rigorous rules should apply to other banks.
2. We endorse the introduction of the principle of proportionality for the purpose of applying the EBA outsourcing guidelines; in particular, the principle of proportionality should be applicable in determining (for the purpose of application of guideline 10.3) the exact scope in which access to data and infrastructure of the providers of outsourced services should be granted to obliged entities, their supervisory authorities or other entities appointed by them (e.g. auditors).
3. With regard to intra-group outsourcing, the approach referred to in paragraphs 18 to 19 of the Guidelines needs to be clarified. A clarification is needed as to what consolidated/sub-consolidated level is referred to. As the reference to the CRD/CRR regime in the Guidelines might suggest, consolidation would also cover entities other than institutions (i.e. financial institutions to which, as a rule, the scope of the Guidelines does not apply at the individual level). While this is by all means a desirable solution, it would, however, call for a more explicit approach.
4. The arrangements, processes and mechanisms referred to in paragraph 1 must be comprehensive and proportionate to the nature, scale and complexity of the risks inherent in the business model and the institution’s activities. The technical criteria established in Articles 76 to 95 of Directive 2013/36/EU must be taken into account.

Q3: Are the guidelines in Title II and, in particular, the safeguards ensuring that competent authorities are able to effectively supervise activities and services of institutions and payment institutions that require authorisation or registration (i.e. the activities listed in Annex I of Directive 2013/36/EU and the payment services listed in Annex I of Directive (EU) 2366/2015) appropriate and sufficiently clear or should additional safeguards be introduced?

1. The catalogue of rights is described quite extensively, and it includes an important reference to supervisory rights in a third country to which a service is outsourced. The document specifies what supervisory rights are vested in an institution and what measures it may take.
2. No clear indication is provided as to what sanctions may be imposed by the supervisor. It seems that the appropriate approach would be to follow the generally applicable principles, but this should be confirmed in the Guidelines.
3. The guidelines in items 25 and 26 are not entirely precise and would benefit from reformulation. They indirectly entail that all operations can be outsourced (no restrictions are mentioned), including those that require licensing. In particular, this means that outsourcing may take place with regard to banking activities which one bank (A) will outsource to another bank (B), even in a third country. This may lead to situations where the single passport principle is circumvented by a bank from a third country, with no protection offered to us against it by the rules laid down in Paragraph 26. As a result, “empty shells” would be allowed to operate.
4. It seems that the objective of Paragraphs 25 and 26 is to emphasise that an institution may only outsource licensable or regulated activities to entities which – providing that the relevant legal systems are equivalent – in their own country are subject to requirements which are at least equivalent to those applicable in the country of the outsourcing institution. This is a reasonable requirement, yet it should be indicated more explicitly in the Guidelines.
5. There seems to be a need for a requirement that a contractual obligation be imposed by the institution on the entities providing outsourced services to present all data as requested by the institution’s competent regulator, and to terminate the outsourcing agreement when such data is denied.
6. While, in a country with an equivalent supervisory system, it is easy to assess the requirement of ‘being effectively supervised’ as applicable to a provider from a third country under Paragraph 26(a), such assessment should be conducted by the supervisor rather than by an institution, which does not usually have appropriate tools to assess the effectiveness of supervision in a third country. It may only verify whether or not the party concerned is supervised, but it may not assess the quality or effectiveness of such supervision. It seems that a sufficient safeguard is provided by further conditions (see Paragraph 26(b) and (c)), concerning the availability of a cooperation agreement between the competent supervisory authorities and defining the minimum scope of the cooperation.
7. As a rule, it should be assumed that a third party may only access the customers’ personal data on the basis of an outsourcing agreement. Nevertheless, emergencies should be provided for under particularly justified circumstances when such access might be granted to an external entity without an outsourcing agreement. For instance, in the event that none of the entities providing a specific service (in practice, this would almost exclusively apply to IT maintenance) under an outsourcing agreement is available.

Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?

1. The guidelines on outsourcing are written in a clear manner, but at the same time the description seems complex. They contain the key elements to be taken into account by an institution in designing its outsourcing process, from the division of competences and responsibilities, to planning and verification of the entity to which a specific part of the activity is to be outsourced, to elements related to discontinuing of the activity.
The following aspects raise serious doubts:
• Paragraph 31(c) refers to outsourcing of internal control functions. Internal control functions, just like risk management, should not be outsourced by a bank to anyone as those are the most critical elements of bank management, with significant impact on banking activity risks. While certain exceptions from this principle might be considered, the mere relations within a group supervised by the same supervisor (e.g. a universal bank and its subsidiary mortgage bank in the same country) are an insufficient basis for determining that this area of outsourcing might generate high risk and therefore should be excluded from outsourcing.
• Paragraph 32(d) contradicts Paragraph 31(c). One cannot at the same time allow outsourcing of an internal control function and expect (rightly so) that it complies with Paragraph 32(d). This concept needs to be reconsidered, including the organisation of both institutions (the ordering party and the contracting party), hierarchy, reporting lines etc.
• Under Paragraph 33, the outsourcing policy must be approved at the level of the management body. Nevertheless, given its critical effect on the functioning of a bank and possibly far-reaching impact, it should be approved at the level of the supervisory board.
2. In its policy, the bank should take into account the economic aspects of such an undertaking, by adopting rules for determining benefits and costs and criteria for assessing cost-effectiveness. Finally, boundary conditions should be specified for the respective parameters described in Sections 9.1 to 9.3, the exceeding of which would disqualify a specific undertaking. This is essential, given that with no boundary values specified at the beginning, a credible threat would arise that business benefits might become the focus, at the expense of minimisation of excessive risk.
3. Given that the guidelines require the establishment of an outsourcing unit/function reporting directly to the institution’s management body, there is definitely a need for a reference to the principle of proportionality, under which such function might also be put in place at the level of the management body (particularly in smaller entities, especially with regard to payment institutions and electronic money institutions). The outsourcing-related principles of corporate governance at institutions (and credit institutions in particular) should be consistent with their applicable approach of three lines of defence.
4. The Guidelines fail to refer to a case where an institution, payment institution or electronic money institution would act as a service provider for other entities (e.g. within a group) – addressing such case in the Guidelines should still be considered.

Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?

1. The guidelines referring to conflicts of interests, business continuity planning and internal control functions are comprehensible and seem unambiguous. The guidelines indicate, inter alia, that institutions and payment institutions should identify, assess and manage conflicts of interest with regard to outsourcing and put in place business continuity plans with regard to outsourcing of critical and important functions; the guidelines also point out the elements which should be ensured with regard to the internal audit function.
2. Section 5 on conflicts of interest is written in a clear manner. It would, however, add to the clarity of the Guidelines if the rules concerning conflict of interest were illustrated with examples of such cases where such conflict is not immediately visible.
3. Sections 6 and 7, addressing business continuity plans and the internal audit function, are described in a comprehensive manner, providing the reader with indications on which to base their approach in these matters.
4. In the context of conflicts of interest, a requirement should be introduced that where no solution to an identified conflict of interest has been found, such conflict be disclosed, together with the mitigation measures taken and the assessment of their effectiveness. It should also be considered whether outsourcing can be safely applied in the context of unresolved conflicts of interest.
5. In Paragraph 40, the requirement according to which the service provider is to be involved in business continuity planning is imprecise. A business continuity plan should be put in place both by the service provider and by the ordering institution. The service provider’s plan should be implemented first. The institution’s plan would be implemented in the event that the service provider fails to restore the services within a prescribed period.

Q6: Are the guidelines in Section 8 regarding the documentation requirements appropriate and sufficiently clear?

1. The chapter dedicated to outsourcing documentation is described in detail and contains a catalogue of information items which should be included in such documentation. An additional section is dedicated to documentation of critical functions and outsourcing of functions with use of cloud processing. Furthermore, the adopted option of differentiating the extent of documentation between critical and other outsourcing shows that a lot of care has been taken to maintain precision.
2. The requirement concerning the verification of the entity’s ownership structure, in particular the collection and analysis of information on the principal shareholder, is by all means desirable. It should, however, be limited to important and critical activities and those which may involve a conflict of interest.
3. It is reasonable that a register of outsourcing agreements/arrangements should be maintained, differentiating, as proposed in the Guidelines, between outsourcing of ‘important or critical functions’ and other outsourcing. The rules of maintenance of such a register should be governed by internal procedures. The register should include information with regard to the required submission of information on the intention to enter into an outsourcing agreement to the competent supervisory authority (where such notification is required), in particular the date of such notification and communication with the authority concerning such case/decisions, if any.
4. In addition to the requirements laid down in Paragraph 47 with regard to documentation of outsourced activities, one might also consider a reference to IT resources (in particular IT systems) of the institutions bound by an outsourcing agreement.
5. Adopting rules with regard to certification or authorisation (or mandatory cyclical audits) of providers of cloud services to financial entities would reduce the documentation volume and mitigate the risk faced when using such services.
6. The documentation requirements indicating the minimum scope of information seem to contain the most essential set of information, broken down into information on outsourcing agreements, service providers and sub-contractors, and additional information, including the minimum applicable to critical and important functions and cloud service providers.

Q7: Are the guidelines in Section 9.1 regarding the assessment of criticality or importance of functions appropriate and sufficiently clear?

1. Section 9.1 deals quite comprehensively with the assessment of how important or critical a function is. Nevertheless, an explicit reference would also be required to the classification of respective activities at the individual and group levels. It is clear that, in a group with a complex structure or in diversified entities, there will always be a chance that activities would be identified which are insignificant from the group’s point of view, but which may be critical for the entity in which they take place. Hence it should be stated clearly that the classification should be conducted at each level, and where an activity is classified as important or critical at any level, it is to be treated as such at least at the level concerned. It would not be proper to fail to recognise an activity as important or critical on account of its insignificance at the group level where it has been classified as such, say, at the level of a subsidiary.
2. A clear indication is also missing that the assessment of significance should precede the decision on outsourcing a specific activity. Furthermore, the institution should assess, on a regular basis (e.g. annually), whether any changes, developments etc. have taken place at the institution that might influence the assessment of the activities outsourced.

Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?

1. The guidelines on due diligence do not seem to raise any doubts. According to the guidelines, before entering into an outsourcing arrangement, institutions and payment institutions should ensure in their selection process and assessment that the service provider meets a number of conditions, such as having the appropriate ability, capacity, resources, organisational structure and required authorisations (if applicable). The guidelines also include a list of additional factors to be considered when conducting due diligence.
2. There are, in turn, no guidelines as to, for instance, how the results of the evaluation are to be related to the guidelines, or how they should be interpreted in order to determine whether or not a specific entity may act as the provider of outsourced services. The guidelines in Section 9.2 concerning due diligence should indicate explicitly that the process may be simplified where the other party is also an institution or a payment institution. For clarity, it would be advisable to extend this section, for instance by adding examples of acceptable methods with which information about a service provider may be sought through the due diligence process – whether these may include documents obtained from the provider, questionnaires and declarations submitted by the provider, or other independent sources.
3. It is also proposed to consider a reference to the certification mechanisms set forth in Article 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the GDPR), and, as applicable, to the fact that a specific service provider is subject to the requirements concerning digital service providers set forth in the NIS Directive.
4. It should follow clearly from the EBA guidelines that, in addition to entities providing an outsourced service directly to institutions, electronic money institutions or payment institutions, the obligation to conduct due diligence also applies to providers of a sub-outsourced service (selected by the principal provider of an outsourced service).

Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?

1. The chapter begins with a reference to the principle of proportionality, which is not defined sufficiently and leaves a wide margin for interpretation. The comment concerning the aspect of proportionality is repeated here.
2. With regard to risk assessment, the Guidelines refer directly to operational risk and concentration risk. It should be considered (with the principle of proportionality being taken into account with regard to credit institutions and investment firms) whether or not risk assessment of other types of risk (such as business risk, strategic risk) is reasonable.
3. As entire Section 9.3 is dedicated to risk management rather than just risk assessment, a modification of the headline is proposed to read as follows: ‘Risk management of outsourcing arrangements’.
4. According to the Guidelines, chain-outsourcing is acceptable. What about a case where the legislation of a Member State does not allow it (with sub-outsourcing only being allowed up to one level)? Will such a State be able to continue its existing, more restrictive approach? As far as sub-outsourcing is concerned, an additional requirement might be considered that liability toward the customer should always rest with the principal service provider (regardless of whether sub-contractors are used).
5. The assessment of the risk of there being no or limited possibility to properly supervise the activities of a long/complex chain of sub-outsourcers seems to be a complex process with an uncertain result and therefore this type of risk should be mitigated by statutory measures.

Q10: Are the guidelines in Section 10 regarding the contractual phase appropriate and sufficiently clear; do the proposals relating to the exercise of access and audit rights give rise to any potential significant legal or practical challenges for institutions and payment institutions?

1. There is a serious risk that the important provisions of Section 10.3 will be a dead letter to some extent. Service providers, especially major IT service providers, are always firmly reluctant to submit to the audits referred to in this Section. In the light of the ‘comply or explain’ principle, there is a significant risk that institutions and supervisory authorities, as the weaker party, will refrain from applying the requirements set forth in this Section. Therefore, a solution should be sought in which this aspect is governed by a regulation rather than a guideline.
2. The access of an institution, supervisory authority and auditor to data and information which constitutes the outsourcer’s secrecy has always been regarded as a controversial aspect. Therefore, in order to ensure at least a minimum level of comparability, it would be useful to specify the minimum scope of information to be made accessible to the auditing entities on a guaranteed basis.
3. There is some doubt as to whether the obligation to set out the end date as set forth in Paragraph 63(b) means that an outsourcing agreement may not be of indefinite duration. If so, a clear indication should be made.
4. It would be advisable to state clearly that outsourced activities are subject to examination by an auditor at least to the same extent as they would be examined during an audit conducted at the outsourcing institution.
5. In Paragraph 64(c) of the Guidelines, there is a requirement that the service levels be agreed upon, including precise quantitative and qualitative performance targets. Please note that this is not possible for each service. Thus it seems that by adding a qualification ‘as applicable’, one will prevent unnecessary artificial structures, which would be designed just in order to comply with the Guidelines.
6. Paragraph 65(d) – the content of this provision is incomprehensible as to the approval of sub-outsourcing; it should be clarified whether such approval may be of a general nature, or whether the institution should grant its approval to each case of sub-outsourcing.
7. Paragraph 72(2) requires that, within the written outsourcing agreement, the service provider grant the institutions and their competent authorities and any other person complete access to all relevant business premises, including the full range of devices, systems, networks, information and data used for providing the outsourced process, service or activity, financial information, personnel and the service provider’s external auditors (‘access rights’).
We take the view that the extent to which the right of access is granted is too broad, and therefore it leads to difficulties of both legal and practical nature, and furthermore it leads to the materialisation of risk, as indicated in the introduction to this response.
Making its equipment available to institutions or other entities mentioned may lead to disclosure of the service provider’s trade secrets or even professional secrets. Hence it seems that the right of access should only be limited to the institution’s supervisory authorities. The institution itself, in turn, should be granted a contractual right to receive information, data and explanation. The right of access might be considered as a non-obligatory commitment of the service provider vis-à-vis the institution only (not other entities as well), providing that the date is agreed on and that the person(s) designated by the service provider is (are) present.
8. In Section 10.3, Paragraph 75 allows audits to be organised jointly with other institutions. This solution may be considered too risky for the service provider, who may offer different terms and conditions of cooperation and a different scope of services to different institutions. A joint audit may lead to involuntary disclosure of the service provider’s trade secrets and as such it should be subject to the outsourcer’s consent. Therefore, what we propose is to provide the qualification that a specific consent of the service provider is required whenever a joint audit is conducted.
9. Paragraph 81 – according to this Paragraph, an outsourcing agreement should expressly allow the possibility for the institution to terminate it ‘in accordance with national law’. This statement needs to be more specific. In the case of cross-border outsourcing, the institution and the outsourcer may operate under different legal regimes. It is unclear whether what is meant is the national law applicable to the institution, or to the service provider. An outsourcing agreement may be concluded under foreign law, other than the law applicable to the institution, especially in the event that the service provider comes from a third country.
10. While the ‘access rights’ and ‘audit rights’ provided for in the Guidelines must be regarded as essential tools for controlling outsourced activities, in practice they may be significantly difficult to apply. Furthermore, service providers may find it problematic to ensure in the outsourcing agreements an unlimited right of access to their principal place of business/place of operations (‘all relevant business premises’). This may be difficult when the provider is a supervised institution or an entity providing services to a number of different institutions/payment institutions or electronic money institutions. The ‘on-site inspection’ mode should only be ensured with regard to outsourcing of critical and important functions, in line with the principle of proportionality.
11. The Guidelines provide for ‘pooled audits’, i.e. audits organised jointly with other customers of the same service provider, which may turn out to be a challenge in many cases, both in terms of the competition between institutions and in terms of trade secrets. Furthermore, it is unclear whether ‘access rights’ and ‘audit rights’ would apply to sub-contractors (sub-outsourcing), and if so, to what extent.
12. No reference is made in the guidelines to the contractual liability of an outsourcer. This means that the matter is transferred to the local supervisory level and/or limited to the contractual provisions, which may lead to a significant disadvantage for those smaller organisations whose negotiating power vis-à-vis service providers is lower. As a result, the guidelines in their present shape introduce unequal treatment of the bank and the outsourcer. It should be adopted as a rule that the contractor is held liable for damage caused to the bank, and in consequence to the customer, up to the amount of the actual loss. As market experience suggests, it should be added that the contractor’s liability for documented losses caused by it may not be limited in the agreement with the bank or otherwise. Hence the contractor’s liability vis-à-vis the bank must be explicitly defined in the contract.

Q11: Are the guidelines in Section 11 regarding the oversight on outsourcing arrangements appropriate and sufficiently clear?

1. The guidelines concerning the oversight of outsourced functions seem clear. The guidelines in Section 11 draw the attention of the party ordering outsourced services to the continuity of the process and to the need to monitor developments on the service provider’s side on an ongoing basis. The following requirement will be the most serious challenge: ‘payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirement’, given that in practice this will mean that the service provider’s performance and regulatory compliance will have to be monitored on a continuous basis.
2. With regard to oversight of outsourcing arrangements, the institutions’ existing management information system should, in addition to reports submitted to the management body, also provide for information to be submitted to committees (if any), as well as periodical reports for the supervisory board.

Q12: Are the guidelines in Section 12 regarding exit strategies appropriate and sufficiently clear?

1. The guidelines on exit strategies seem clear. At the same time, the chapter contains many elements to be taken into account by an institution which develops exit plans as a safeguard in case the outsourcing agreement has to be terminated. In addition to elements such as the need to ensure accurate documentation of the exit plans, the EBA also emphasises a need for testing the plans and ensuring an alternative provider for the period after the relationship with the existing service provider is exited.
2. The ‘exit’ rules are presented in a clear and comprehensible manner. What should still be considered is whether this section should be made part of the outsourcing agreements and whether it should be expressly integrated with internal regulations.
3. With regard to the strategy for exiting the cooperation, the entity outsourcing a service should have an option, ensured in the agreement, to safely terminate the service, including the return of data in an appropriate form, scope and manner, and should have appropriate business continuity plans in place for such a case.

Q13: Are the guidelines in Section 13 appropriate and sufficiently clear? In particular, are there any ways of limiting the information in the register which institutions and payment institutions are required to provide to competent authorities to make it more proportionate and relevant? With a view to bringing sufficient proportionality, the EBA will consider the supervisory relevance and value of a register covering all outsourcing arrangements within each SREP cycle or at least every 3 years in regard of the operational and administrative burden.

1. From the point of view of the content of the Guidelines concerning the ways of limiting the information in the register, they seem so precise and exhaustive that there is little room left for any limitation of the scope of information to be submitted to the regulator, especially with regard to information provided on request.
2. Given that the purpose of the Guidelines is, inter alia, a harmonised framework for outsourcing in the Member States, this section should regulate directly the aspect of the approval of outsourcing arrangements by supervisory authorities. Firstly, should such requirement apply, and if so, under what circumstances should such approval be required? In particular, a clear determination would be important as to whether an outsourcing agreement signed with an entity from a different country (including a Member State) is only to be notified to, or also to be expressly approved by, the supervisory authority. In the former case, the supervisory authority would rely on the institution’s assurance that the requirements of the Guidelines are complied with, and irregularities, if any, would be identified as a part of supervisory measures at some point in time during the term of the agreement. In the latter case, the supervisory authority would verify the compliance with the Guidelines and grant its approval after such compliance is established. As far as a service provider from a Member State is concerned, such approval would, in general, be related to the ability of the institution itself, the supervisory authority, and the auditor to perform control functions. The latter approach would save unnecessary expenses, given that irregularities would be identified as a part of normal operations.
3. There is no justification for the requirement that the register of outsourcing agreements be made available every 3 years. Such a register should only be made available on request and during an inspection conducted by a supervisory authority. Ad-hoc verification may be an effective way to reflect the Guidelines’ rationale for the supervisory authority’s assessment of the degree of market consolidation of outsourced services or the existence of a small group of outsourcers serving many service providers.

Q14: Are the guidelines for competent authorities in Title V appropriate and sufficiently clear?

1. The guidelines for competent authorities should be integrated with, or common to, the rules of the Supervisory Review and Evaluation Process (SREP). Systemic risk generated by an institution, including its G-SII or O-SII status, should be among the factors to be taken into account by competent authorities in their assessment of the institutions’ outsourcing arrangements. Furthermore, cooperation between competent authorities and resolution authorities in this regard seems justified in order to focus supervision on the outsourcing arrangements of systemically important institutions, which fulfil functions critical to the financial system and the real economy.
2. A need for cooperation between financial institutions’ supervisory bodies and digital service providers’ supervisory bodies, as referred to in the NIS Directive, should be suggested. Adopting the principle of mutual exchange of information on significant irregularities concerning the providers of outsourced services, as an element of the agreement between competent supervisory authorities, would contribute significantly to the mitigation of outsourcing risk.

Q16: Are the findings and conclusions of the impact assessments appropriate and correct; where you would see additional burden, in particular financial costs, please provide a description of the burden and to the extent possible an estimate of the cost to implement the guidelines, differentiating one-off and ongoing costs and the cost drivers (e.g. human resources, IT, administrative costs, etc.)?

1. The analysis addresses no Brexit-related challenges or potential costs. As a result of the UK’s exit from the EU, centres, including IT infrastructure, which have so far been located in the EU will become third-country locations. It also seems that significant efforts will be required on the part of financial institutions with regard to transferring specific activities to cloud outsourcing. The costs involved in this process will be mostly IT-related (IT experts).
2. The breakdown of activities into two groups should be taken into account: important and critical on the one hand, and other on the other. Significant conservatism is required with regard to the former, even more so considering that, in their present shape, the Guidelines do not provide for any prohibition on outsourcing specific operations.
3. One should not neglect the risk that subsidiary banks of third-country entities might be established in some Member States which, with the consent of the local supervisor, might outsource a number of important functions to their respective parent companies. Formal aspects might prevent this from happening, but if these were put in order, the scale or technical scope of outsourcing would be very difficult to restrain.
To sum up:
• the guidelines should indicate the activities which may not be outsourced, including internal control, risk management, licensed activities;
• important or critical functions should only be outsourceable on the basis of an explicit supervisory consent, as with licensing;
• outsourcing to a third country should only be possible on the basis of an explicit supervisory consent, as with licensing;
• the outsourcing agreement should include an explicit statement concerning the outsourcer’s liability for losses incurred by the bank/customer up to the amount of loss, resulting from improper performance of, or a failure to perform, the agreement;
• safeguards should be developed against setting up ‘empty shell’ banks, given that such business model of a subsidiary bank in a Member State may be fully compliant with the proposed guidelines.
4. For instance, enormous individual evaluation costs are involved in starting to apply due diligence to potential outsourcers. Such expenses are only justified for eligible outsourcing. It is incomprehensible that all requirements should apply to outsourcers irrespective of whether ordinary or important operational activities are outsourced.

Name of organisation

European Financial Congress