Response to consultation on draft Guidelines on outsourcing
Go back
The current definition is extremely broad and risks encapsulating many activities performed by third parties on behalf of regulated institutions as outsourcing. For the sake of clarity, we believe that the nature of the services or activities falling in the scope of outsourcing should better reflect the following two features:
• They are performed on an ongoing basis;
• They are performed in the course of the institution’s ordinary business.
Therefore, we suggest the following amendment to the definition of outsourcing in paragraph 11:
Outsourcing
means an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity, or parts thereof that would otherwise be undertaken performed by the institution, the payment institutions or the electronic money institution itself, on an ongoing basis during the course of its ordinary business.
Furthermore, additional illustrations of services or activities that are not outsourcing would be welcome, in order to help institutions mapping their contractual arrangements with third parties.
Comments on paragraph 12, date of application
Given that negotiations of outsourcing agreements may take a lot of time, the date of 30 June 2019 is too short notice. In addition, due to the uncertainty around the outcome of Brexit negotiation, this timing may be particularly challenging for EU banks using UK-based providers. We suggest postponing the date of application by one or better two years (2021), so as to allow the stakeholders sufficient time to anticipate the Guidelines.
Comments on paragraph 13, transitional provisions
The Guidelines should not apply to outsourcing agreements that are in place on the date of its application, unless review/renewal of such agreements. We suggest deleting the entire paragraph 13. if that is not feasible, the date of 31 December 2020 should be postponed to 3 years after the date of application, in order to allow sufficient time to the stakeholders to manage the implementation of the new set of rules. The matter is also relevant for competent authorities, which might have to negotiate cooperation agreements with third-country authorities to fulfill the requirements of paragraph 26: see our comments on Question 3, last point.
Intra-group outsourcing arrangements are widely used by the banking industry. Indeed, they constitute an essential tool enabling the efficient allocation of tasks and skills across banking groups’ entities, thus contributing to their competitiveness. Intra-group outsourcing may take different forms: a subsidiary outsourcing services to the parent company, the group centralizing services in a unique entity acting as service provider for the whole group, etc.
Against this background, it is crucial that the Guidelines remain neutral on the organization of EU cross-border groups, while preserving their financial integrity. In particular, the degree of integration reached within many banking groups, where centralized functions at group level act as a service provider for the other entities of the group, should be recognized. To this end, competent authorities should be in a position to implement the following requirements in a proportionate manner:
• Due diligence (paragraphs 53 to 56);
• Risk assessment of outsourcing arrangements (paragraphs 57 to 61), notably the concentration risk;
• Sub-outsourcing of critical or important functions (paragraphs 67), where the sub-contractors pertain to the group;
• Exit strategies (paragraphs 89 to 91).
Competent authorities should alleviate requirements on due diligence and on risk assessment considering:
• The benefits of centralized risk management functions: requiring complete due diligence and risk assessment from subsidiaries outsourcing services to their parent company would be disproportionate.
• The track record of existing well-functioning intra-group outsourcing arrangements.
With regards to exit strategies, the existence of robust group recovery and resolution frameworks should be taken into account. Many groups have indeed opted for a “single point of entry” resolution strategy, where the parent company ensures the continuity of the critical functions performed by its subsidiaries. Under this pattern, subsidiaries outsourcing critical or important functions to their parent company rely on the business continuity plan and on the exit strategies of their parent company. Likewise, proper exchange of information between EU competent authorities and EU resolution authorities is critical for achieving proportionality.
Such proportionate requirements should be extended to third-country groups operating in the EU, subject to the existence of cooperation agreements between supervisors (on this point, see our comments on paragraphs 25 and 26). Also, the existence of colleges of supervisors and of resolution colleges with third country authorities should foster the application of proportionality.
In order to reflect properly the specificities of intra-group outsourcing, we propose inserting the following paragraph in Title I – Proportionality and group application:
New paragraph 21a
Where outsourcing arrangements are established within the group, the provisions of these guidelines shall remain neutral on the organization and on the business model of the group. Competent authorities shall make sure that the requirements of these guidelines at solo level comply with the principle of proportionality and that they are consistent with the recovery and resolution frameworks of the group.
In line with our comments on Question 1, we suggest to better frame the nature of services that are not in the scope of outsourcing. In this regard, the wording used “…that are not normally performed…” is too vague and should be amended as follows:
23. The acquisition of services (e.g. advice of an architect regarding the premises, legal representation in front of the court and administrative bodies, servicing of company cars, catering), goods (e.g. purchase of office supplies, or furniture) or utilities (e.g. electricity, gas, water, telephone line) that are not normally performed by the institutions or payment institutions on an ongoing basis during the course of their ordinary business are not considered outsourcing.
Moreover, the situations that are not to be considered as outsourcing are obvious and it would certainly be helpful to add some illustrative examples. The activity of legal advice should be added to the examples of acquisition of services:
23. The acquisition of services (e.g. advice of an architect regarding the premises, legal advice, legal representation in front of the court and administrative bodies, servicing of company cars, catering),….
Comments on paragraph 24
This principle makes sense for outsourcing agreements. However, arrangements regarding services which are mentioned in paragraph 23 (and which are not to be considered as outsourcings) should be excluded from the scope of this Guidelines. See also our comments on paragraph 57.
Comments on paragraph 25 and 26, outsourcing of activities subject to supervisory authorization
Banking activities subject to supervisory authorization (i.e. part of the banking license) can be outsourced to a service provider located in another EU member state only if this provider is duly authorized to perform such banking activity (§ 25). If the service provider is located in a third country, additional conditions must be met, notably the existence of Memoranda of Understanding (MoUs) between supervisors. According to such MoUs, EU supervisors should have access to any information relevant to perform their supervisory duties.
While we acknowledge the usefulness of tools facilitating cooperation and exchange of information between competent authorities, we make the following comments:
• Paragraph 26 makes institutions responsible for ensuring the existence of appropriate cooperation agreements between the EU competent authority and the competent authority of the service provider located in a third country. Firstly, we observe that institutions cannot have any influence on the process for concluding cooperation agreements between competent authorities. Secondly, even if competent authorities usually publish on their website the list of cooperation agreements concluded with foreign authorities, the details of such cooperation agreements are not systematically disclosed. As a consequence, institutions will not be in position to assess at a first glance compliance with the requirements of paragraph 26, point c. In order to make the verification process more efficient and less burdensome, we suggest that competent authorities specify on their website whether cooperation agreements comply with the requirements of paragraph 26, point b.
• For the sake of efficiency and of proportionality, the form and the magnitude of the cooperation agreements or MoUs referred to in paragraph 26 should not be prescriptive, provided they contain the minimum requirements of point c. It is our understanding that MoUs may take the form of
bilateral agreements covering specific institutions or be of a more generic nature.
• The situation of existing outsourcing arrangements falling in the scope of paragraph 26 should be considered, where with no cooperation agreement is in place between authorities. In order to ensure business continuity and regulatory predictability for institutions, we believe that such arrangements should be subject to a grandfathering clause. If that is not feasible, at the very least, a transitional period of three years should be left to competent authorities for concluding a cooperation agreement.
It is not entirely clear how these criteria are supposed to be applied with those of paragraphs 49 and 50. We understand that the points listed in section 51 impose additional conditions to the ones contained in sections 49 and 50. In this case, we suggest merging both in order to keep a single list of conditions and criteria necessary for the assessment. That would be easier to read and to implement.
It is not sufficiently clear if the additional factors are to be considered or not. The paragraph 54 should be deleted.
The paragraph 56 is part of institutions’ general policies. Therefore, the list of due diligence checks should be limited to paragraphs 53 to 55.
As the topic of the Guidelines is outsourcing agreements, the obligation set out in paragraph 57 should be limited to outsourcing arrangements. See also our comment on paragraph 24.
Comments on paragraph 58, risk assessment of outsourcing arrangements
The draft Guidelines requires banks to perform scenario analysis on their operational risk for each outsourcing arrangement, where scenarios of possible risk events should be considered. We believe that this requirement is too prescriptive and that it should be instead outcome-based. Banks should be allowed to apply their own risk assessment approach provided it meets the objectives of the regulation.
Comments on paragraph 61, risk assessment of outsourcing arrangements
Point (e) should only be applicable to IT outsourcing.
• point f: we suggest adding confidentiality to the list.
• point h: generally speaking, service providers are very reluctant to grant audit rights to institutions. It remains to be seen if such a broad statement (“unrestricted right of institutions”) will be accepted by service providers. Any additional cost will have to be borne by institutions.
Comments on paragraph 72: see comments on paragraph 63
Comments on paragraph 81
• It is not clear to us why the outsourcing arrangement mentions that the termination should occur “in accordance with national law”. From our understanding, only the law of the contract should be considered.
• Regarding point (a), it will be difficult to impose on the providers that the institution will have the right to terminate the contract in case of breach on any contractual provision. Usually, the right to terminate is limited to cases where such violation has an important detrimental effect on the institution.
• It is not clear what is meant in point (b) with “identified impediments” and how they could be identified when drafting the outsourcing agreement.
We suggest replacing the word ‘ongoing’ by regular.
The draft Guidelines foresees ex ante information to the competent authority for outsourcing of critical or important activities, where banks have to provide at least all the information specified in the documentation requirements (paragraph 47, points a, b and c if available).
For the sake of proportionality, ex ante information of critical functions should be limited to a brief description of the planned outsourcing arrangement, given that detailed documentation will have to be further completed and made available to competent authorities. It would be unduly burdensome and overlapping to require full documentation at the preliminary stage of ex ante information.
We understand that some examples listed in the template consist of the purchase of a software. However, this should not be considered as an outsourcing where the institution holds a license and operates the software itself.
Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?
Comments on paragraph 11, definition of outsourcingThe current definition is extremely broad and risks encapsulating many activities performed by third parties on behalf of regulated institutions as outsourcing. For the sake of clarity, we believe that the nature of the services or activities falling in the scope of outsourcing should better reflect the following two features:
• They are performed on an ongoing basis;
• They are performed in the course of the institution’s ordinary business.
Therefore, we suggest the following amendment to the definition of outsourcing in paragraph 11:
Outsourcing
means an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity, or parts thereof that would otherwise be undertaken performed by the institution, the payment institutions or the electronic money institution itself, on an ongoing basis during the course of its ordinary business.
Furthermore, additional illustrations of services or activities that are not outsourcing would be welcome, in order to help institutions mapping their contractual arrangements with third parties.
Comments on paragraph 12, date of application
Given that negotiations of outsourcing agreements may take a lot of time, the date of 30 June 2019 is too short notice. In addition, due to the uncertainty around the outcome of Brexit negotiation, this timing may be particularly challenging for EU banks using UK-based providers. We suggest postponing the date of application by one or better two years (2021), so as to allow the stakeholders sufficient time to anticipate the Guidelines.
Comments on paragraph 13, transitional provisions
The Guidelines should not apply to outsourcing agreements that are in place on the date of its application, unless review/renewal of such agreements. We suggest deleting the entire paragraph 13. if that is not feasible, the date of 31 December 2020 should be postponed to 3 years after the date of application, in order to allow sufficient time to the stakeholders to manage the implementation of the new set of rules. The matter is also relevant for competent authorities, which might have to negotiate cooperation agreements with third-country authorities to fulfill the requirements of paragraph 26: see our comments on Question 3, last point.
Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?
Comments on paragraphs 17 to 21, intra-group outsourcingIntra-group outsourcing arrangements are widely used by the banking industry. Indeed, they constitute an essential tool enabling the efficient allocation of tasks and skills across banking groups’ entities, thus contributing to their competitiveness. Intra-group outsourcing may take different forms: a subsidiary outsourcing services to the parent company, the group centralizing services in a unique entity acting as service provider for the whole group, etc.
Against this background, it is crucial that the Guidelines remain neutral on the organization of EU cross-border groups, while preserving their financial integrity. In particular, the degree of integration reached within many banking groups, where centralized functions at group level act as a service provider for the other entities of the group, should be recognized. To this end, competent authorities should be in a position to implement the following requirements in a proportionate manner:
• Due diligence (paragraphs 53 to 56);
• Risk assessment of outsourcing arrangements (paragraphs 57 to 61), notably the concentration risk;
• Sub-outsourcing of critical or important functions (paragraphs 67), where the sub-contractors pertain to the group;
• Exit strategies (paragraphs 89 to 91).
Competent authorities should alleviate requirements on due diligence and on risk assessment considering:
• The benefits of centralized risk management functions: requiring complete due diligence and risk assessment from subsidiaries outsourcing services to their parent company would be disproportionate.
• The track record of existing well-functioning intra-group outsourcing arrangements.
With regards to exit strategies, the existence of robust group recovery and resolution frameworks should be taken into account. Many groups have indeed opted for a “single point of entry” resolution strategy, where the parent company ensures the continuity of the critical functions performed by its subsidiaries. Under this pattern, subsidiaries outsourcing critical or important functions to their parent company rely on the business continuity plan and on the exit strategies of their parent company. Likewise, proper exchange of information between EU competent authorities and EU resolution authorities is critical for achieving proportionality.
Such proportionate requirements should be extended to third-country groups operating in the EU, subject to the existence of cooperation agreements between supervisors (on this point, see our comments on paragraphs 25 and 26). Also, the existence of colleges of supervisors and of resolution colleges with third country authorities should foster the application of proportionality.
In order to reflect properly the specificities of intra-group outsourcing, we propose inserting the following paragraph in Title I – Proportionality and group application:
New paragraph 21a
Where outsourcing arrangements are established within the group, the provisions of these guidelines shall remain neutral on the organization and on the business model of the group. Competent authorities shall make sure that the requirements of these guidelines at solo level comply with the principle of proportionality and that they are consistent with the recovery and resolution frameworks of the group.
Q3: Are the guidelines in Title II and, in particular, the safeguards ensuring that competent authorities are able to effectively supervise activities and services of institutions and payment institutions that require authorisation or registration (i.e. the activities listed in Annex I of Directive 2013/36/EU and the payment services listed in Annex I of Directive (EU) 2366/2015) appropriate and sufficiently clear or should additional safeguards be introduced?
Comments on paragraph 23In line with our comments on Question 1, we suggest to better frame the nature of services that are not in the scope of outsourcing. In this regard, the wording used “…that are not normally performed…” is too vague and should be amended as follows:
23. The acquisition of services (e.g. advice of an architect regarding the premises, legal representation in front of the court and administrative bodies, servicing of company cars, catering), goods (e.g. purchase of office supplies, or furniture) or utilities (e.g. electricity, gas, water, telephone line) that are not normally performed by the institutions or payment institutions on an ongoing basis during the course of their ordinary business are not considered outsourcing.
Moreover, the situations that are not to be considered as outsourcing are obvious and it would certainly be helpful to add some illustrative examples. The activity of legal advice should be added to the examples of acquisition of services:
23. The acquisition of services (e.g. advice of an architect regarding the premises, legal advice, legal representation in front of the court and administrative bodies, servicing of company cars, catering),….
Comments on paragraph 24
This principle makes sense for outsourcing agreements. However, arrangements regarding services which are mentioned in paragraph 23 (and which are not to be considered as outsourcings) should be excluded from the scope of this Guidelines. See also our comments on paragraph 57.
Comments on paragraph 25 and 26, outsourcing of activities subject to supervisory authorization
Banking activities subject to supervisory authorization (i.e. part of the banking license) can be outsourced to a service provider located in another EU member state only if this provider is duly authorized to perform such banking activity (§ 25). If the service provider is located in a third country, additional conditions must be met, notably the existence of Memoranda of Understanding (MoUs) between supervisors. According to such MoUs, EU supervisors should have access to any information relevant to perform their supervisory duties.
While we acknowledge the usefulness of tools facilitating cooperation and exchange of information between competent authorities, we make the following comments:
• Paragraph 26 makes institutions responsible for ensuring the existence of appropriate cooperation agreements between the EU competent authority and the competent authority of the service provider located in a third country. Firstly, we observe that institutions cannot have any influence on the process for concluding cooperation agreements between competent authorities. Secondly, even if competent authorities usually publish on their website the list of cooperation agreements concluded with foreign authorities, the details of such cooperation agreements are not systematically disclosed. As a consequence, institutions will not be in position to assess at a first glance compliance with the requirements of paragraph 26, point c. In order to make the verification process more efficient and less burdensome, we suggest that competent authorities specify on their website whether cooperation agreements comply with the requirements of paragraph 26, point b.
• For the sake of efficiency and of proportionality, the form and the magnitude of the cooperation agreements or MoUs referred to in paragraph 26 should not be prescriptive, provided they contain the minimum requirements of point c. It is our understanding that MoUs may take the form of
bilateral agreements covering specific institutions or be of a more generic nature.
• The situation of existing outsourcing arrangements falling in the scope of paragraph 26 should be considered, where with no cooperation agreement is in place between authorities. In order to ensure business continuity and regulatory predictability for institutions, we believe that such arrangements should be subject to a grandfathering clause. If that is not feasible, at the very least, a transitional period of three years should be left to competent authorities for concluding a cooperation agreement.
Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?
No comment.Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?
No comment.Q6: Are the guidelines in Sections 8 regarding the documentation requirements appropriate and sufficiently clear?
As a general comment, the requirements set out in paragraphs 47 should only be a guidance and institutions should be able to set up their own documentation.Q7: Are the guidelines in Sections 9.1 regarding the assessment of criticality or importance of functions appropriate and sufficiently clear?
Comments on paragraph 51It is not entirely clear how these criteria are supposed to be applied with those of paragraphs 49 and 50. We understand that the points listed in section 51 impose additional conditions to the ones contained in sections 49 and 50. In this case, we suggest merging both in order to keep a single list of conditions and criteria necessary for the assessment. That would be easier to read and to implement.
Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?
With regards to the application of the requirements from an intra-group perspective, see our comment on Question 2.It is not sufficiently clear if the additional factors are to be considered or not. The paragraph 54 should be deleted.
The paragraph 56 is part of institutions’ general policies. Therefore, the list of due diligence checks should be limited to paragraphs 53 to 55.
Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?
Comments on paragraph 57As the topic of the Guidelines is outsourcing agreements, the obligation set out in paragraph 57 should be limited to outsourcing arrangements. See also our comment on paragraph 24.
Comments on paragraph 58, risk assessment of outsourcing arrangements
The draft Guidelines requires banks to perform scenario analysis on their operational risk for each outsourcing arrangement, where scenarios of possible risk events should be considered. We believe that this requirement is too prescriptive and that it should be instead outcome-based. Banks should be allowed to apply their own risk assessment approach provided it meets the objectives of the regulation.
Comments on paragraph 61, risk assessment of outsourcing arrangements
Point (e) should only be applicable to IT outsourcing.
Q10: Are the guidelines in Section 10 regarding the contractual phase appropriate and sufficiently clear; do the proposals relating to the exercise of access and audit rights give rise to any potential significant legal or practical challenges for institutions and payment institutions?
Comments on paragraph 63• point f: we suggest adding confidentiality to the list.
• point h: generally speaking, service providers are very reluctant to grant audit rights to institutions. It remains to be seen if such a broad statement (“unrestricted right of institutions”) will be accepted by service providers. Any additional cost will have to be borne by institutions.
Comments on paragraph 72: see comments on paragraph 63
Comments on paragraph 81
• It is not clear to us why the outsourcing arrangement mentions that the termination should occur “in accordance with national law”. From our understanding, only the law of the contract should be considered.
• Regarding point (a), it will be difficult to impose on the providers that the institution will have the right to terminate the contract in case of breach on any contractual provision. Usually, the right to terminate is limited to cases where such violation has an important detrimental effect on the institution.
• It is not clear what is meant in point (b) with “identified impediments” and how they could be identified when drafting the outsourcing agreement.
Q11: Are the guidelines in Section 11 regarding the oversight on outsourcing arrangements appropriate and sufficiently clear?
Comments on paragraph 83 and 87We suggest replacing the word ‘ongoing’ by regular.
Q12: Are the guidelines in sections 12 regarding exit strategies appropriate and sufficiently clear?
Please refer to our comments on Question 2.Q13: Are the guidelines in Section 13 appropriate and sufficiently clear, Iin particular, are there any ways of limiting the information in the register which institutions and payment institutions are required to provide to competent authorities to make it more proportionate and, relevant? With a view to bring sufficient proportionality, the EBA will consider the supervisory relevance and value of a register covering all outsourcing arrangements within each SREP cycle or at least every 3 years in regard of the operational and administrative burden.
Comments on paragraph 93, ex ante information to competent authoritiesThe draft Guidelines foresees ex ante information to the competent authority for outsourcing of critical or important activities, where banks have to provide at least all the information specified in the documentation requirements (paragraph 47, points a, b and c if available).
For the sake of proportionality, ex ante information of critical functions should be limited to a brief description of the planned outsourcing arrangement, given that detailed documentation will have to be further completed and made available to competent authorities. It would be unduly burdensome and overlapping to require full documentation at the preliminary stage of ex ante information.
Q14: Are the guidelines for competent authorities in Title V appropriate and sufficiently clear?
No comment.Q15: Is the template in Annex I appropriate and sufficiently clear?
Comments on the templateWe understand that some examples listed in the template consist of the purchase of a software. However, this should not be considered as an outsourcing where the institution holds a license and operates the software itself.