Response to consultation on draft Guidelines on outsourcing
Go back
If Amundi thinks that securities market and asset management matters should remain under the authority of ESMA it is essentially due to the fact that ESMA has a better knowledge of these activities and the risk involved for their participants, be they investment firms or asset managers without this status. It guarantees a more proportionate consideration of the risks, not only based on the size of the entities but also on their business model, that results in a better adjusted regulation and a more operational approach in guidelines and Q and As. We do not object to the expertise of EBA on the matter under review, but firmly think that banks and asset managers are totally different animals and that different authorities have been created to take stock of this reality. Even if most of the guidelines that we expect ESMA to produce on outsourcing arrangements would be comparable to the draft document of EBA, we still consider that it would be better adapted and would create less risk of misinterpretation due to the better knowledge of the organization and functioning of securities markets and asset management.
Another concern is that EBA overlooks the principle that sectorial regulation when it exists has preeminence on a more general regulation. We read in the current CRD (and in particular article 109§2) that subsidiaries of a credit institution or a bank should apply the banking regulation on a consolidated basis and make sure that the sectorial regime that applies to them at solo level does not contradict the banking regime and enables their group to be compliant on a consolidated or sub consolidated level.
Lastly and, concerning the date of application of the guidelines, the difference between banks or credit institutions who are required to adapt and payment or electronic money institutions which have to introduce new procedures should also apply to the extension of the EBA cloud service providers recommendations to other firms than the banks and credit institutions initially concerned. Asset managers should be granted the transition period till end of 2020 to implement these new recommendations on cloud services.
We also do not consider as appropriate the requirement in §75 e to “have the contractual right to request the expansion of the scope of the certifications”. It is typically a clause that exceeds the scope of the contract and that we will not be able to obtain in most instances if the legal counsel of the co-contractor is attentive.
More generally, we read these guidelines as a check list that should not prevent flexibility in the direct negotiation of outsourcing arrangements between parties.
- To require that only outsourcing of critical and important functions be reported in the register;
- To consider that the register is not an audit report but should be used as a reference tool to have at hand relevant information of a contractual nature that is useful for an easy monitoring of the contracts; the register should be built as a data base and not as a place to store reports and assessments;
- To communicate the register to the supervisory authority on its demand, either in the framework of a regular review of activities (SREP) or punctually at any time. The minimum 3 year frequency that is mentioned does not add much in the process, since there is a requirement to inform authorities in case of material changes.
- Require that only outsourcing of critical and important functions be reported in the register;
- Consider that the register is not an audit report but should be used as a reference tool to have at hand relevant information of a contractual nature that is useful for an easy monitoring of the contracts; the register should be built as a data base and not as a place to store reports and assessments;
- To communicate the register to the supervisory authority on its demand either in the framework of a regular review of activities (SREP) or punctually at any time. The minimum 3 year frequency that is mentioned does not add much in the process since there is a requirement to inform authorities in case of material changes.
Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?
No. Amundi does not agree with the scope as intended by EBA and the presentation of the subject matter. We object to the capacity of EBA to issue uniform guidelines for the application of requirements expressed in different texts that apply to different types of entities. We support the consistency in the approach and interpretation of comparable regimes that suppress the unnecessary operational difficulties in the end. However, we have often reaffirmed our view that a “one size fits all” approach is rarely commendable.If Amundi thinks that securities market and asset management matters should remain under the authority of ESMA it is essentially due to the fact that ESMA has a better knowledge of these activities and the risk involved for their participants, be they investment firms or asset managers without this status. It guarantees a more proportionate consideration of the risks, not only based on the size of the entities but also on their business model, that results in a better adjusted regulation and a more operational approach in guidelines and Q and As. We do not object to the expertise of EBA on the matter under review, but firmly think that banks and asset managers are totally different animals and that different authorities have been created to take stock of this reality. Even if most of the guidelines that we expect ESMA to produce on outsourcing arrangements would be comparable to the draft document of EBA, we still consider that it would be better adapted and would create less risk of misinterpretation due to the better knowledge of the organization and functioning of securities markets and asset management.
Another concern is that EBA overlooks the principle that sectorial regulation when it exists has preeminence on a more general regulation. We read in the current CRD (and in particular article 109§2) that subsidiaries of a credit institution or a bank should apply the banking regulation on a consolidated basis and make sure that the sectorial regime that applies to them at solo level does not contradict the banking regime and enables their group to be compliant on a consolidated or sub consolidated level.
Lastly and, concerning the date of application of the guidelines, the difference between banks or credit institutions who are required to adapt and payment or electronic money institutions which have to introduce new procedures should also apply to the extension of the EBA cloud service providers recommendations to other firms than the banks and credit institutions initially concerned. Asset managers should be granted the transition period till end of 2020 to implement these new recommendations on cloud services.
Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?
We consider proportionality as a serious matter and present suggestions in our answer to question 13 for a more proportionate approach.Q3: Are the guidelines in Title II and, in particular, the safeguards ensuring that competent authorities are able to effectively supervise activities and services of institutions and payment institutions that require authorisation or registration (i.e. the activities listed in Annex I of Directive 2013/36/EU and the payment services listed in Annex I of Directive (EU) 2366/2015) appropriate and sufficiently clear or should additional safeguards be introduced?
The distinction in §23 between acquisition of services and outsourcing is very important. So is the definition of outsourcing of important or critical functions. We believe that the present guidelines are a good opportunity to come back to this definition, with a more granular view based on the business model and the functional organization of market participants than the reference to MIFID.Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?
If the outsourcing of critical or important function deserves a specific monitoring, it is not justified in our opinion to include other non-important outsourcing into the same outsourcing policy. Letter box entities do outsource their critical and important functions and it is enough to identify them.Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?
No comment.Q6: Are the guidelines in Sections 8 regarding the documentation requirements appropriate and sufficiently clear?
Considering the balance between the operational and purely administrative burden that the maintenance of a register of all outsourcing arrangements and the benefits of the listing of all unimportant peripheral and substitutable services that are considered as outsourcing, Amundi recommends to limit the register to outsourcing of critical and/or important functions.Q7: Are the guidelines in Sections 9.1 regarding the assessment of criticality or importance of functions appropriate and sufficiently clear?
We note a reference to critical functions as designed by Directive 2014/59/EU and delegated regulation (EU) 2016/778 which concern the resolution of credit institutions. We see it as an illustration of the preference for EBA to use references and examples in the context of credit institutions that it perfectly masters. We would like to have ESMA directly involved in the preparation and adjustment of the guidelines to include references to the sectorial regulations of securities market and asset management.Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?
No comment.Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?
We agree with the list of items that are of importance in the assessment of outsourcing arrangements. Though, we do not think that the scenario analysis that is mentioned in §58 to determine whether outsourcing increases or decreases operational risk is an appropriate recommendation and doubt that it introduce proportionality.Q10: Are the guidelines in Section 10 regarding the contractual phase appropriate and sufficiently clear; do the proposals relating to the exercise of access and audit rights give rise to any potential significant legal or practical challenges for institutions and payment institutions?
We would like to point what could look as an inconsistency in section 10.1. Under §65 g an institution should have the right to object or require to give an explicit approval on a proposed sub-outsourcing (or terminate the outsourcing agreement under §65 h). Even if §67 does not explicitly refer to sub-outsourcing of critical or important functions as specified in article 65, it belongs to a section dedicated to sub-outsourcing of such critical or important functions. Therefore, we read as preposterous the precision in the end of §67 “if such a right was agreed” when it is part of the guidelines to obtain such a right.We also do not consider as appropriate the requirement in §75 e to “have the contractual right to request the expansion of the scope of the certifications”. It is typically a clause that exceeds the scope of the contract and that we will not be able to obtain in most instances if the legal counsel of the co-contractor is attentive.
More generally, we read these guidelines as a check list that should not prevent flexibility in the direct negotiation of outsourcing arrangements between parties.
Q11: Are the guidelines in Section 11 regarding the oversight on outsourcing arrangements appropriate and sufficiently clear?
No comment.Q12: Are the guidelines in sections 12 regarding exit strategies appropriate and sufficiently clear?
We understand that there will be room for the contractors to appreciate what are “unacceptable service levels” that can trigger the exit. We feel that it is an assessment that cannot be determined ex ante in a contract. The guidelines suggest to determine levels that would trigger an exit procedure. There is a danger that such a contractual level may be used to oppose the exit just because it has not been breached and, nevertheless, the level of service can globally be so poor that exiting is the best solution (despite the absence of breach of the trigger level of any of the indicators).Q13: Are the guidelines in Section 13 appropriate and sufficiently clear, Iin particular, are there any ways of limiting the information in the register which institutions and payment institutions are required to provide to competent authorities to make it more proportionate and, relevant? With a view to bring sufficient proportionality, the EBA will consider the supervisory relevance and value of a register covering all outsourcing arrangements within each SREP cycle or at least every 3 years in regard of the operational and administrative burden.
We think of three ways to introduce proportionality:- To require that only outsourcing of critical and important functions be reported in the register;
- To consider that the register is not an audit report but should be used as a reference tool to have at hand relevant information of a contractual nature that is useful for an easy monitoring of the contracts; the register should be built as a data base and not as a place to store reports and assessments;
- To communicate the register to the supervisory authority on its demand, either in the framework of a regular review of activities (SREP) or punctually at any time. The minimum 3 year frequency that is mentioned does not add much in the process, since there is a requirement to inform authorities in case of material changes.
Q14: Are the guidelines for competent authorities in Title V appropriate and sufficiently clear?
No comment.Q15: Is the template in Annex I appropriate and sufficiently clear?
EBA’s feeling, apparent in question 13, that the proposed items are too numerous and burdensome opens the way for suggestions. First, we approve the exercise to prepare an operational file to help stakeholders to understand the impact of the register. Second, when going through the file, we can only wish that proportionality is introduced. We think of three ways to introduce proportionality:- Require that only outsourcing of critical and important functions be reported in the register;
- Consider that the register is not an audit report but should be used as a reference tool to have at hand relevant information of a contractual nature that is useful for an easy monitoring of the contracts; the register should be built as a data base and not as a place to store reports and assessments;
- To communicate the register to the supervisory authority on its demand either in the framework of a regular review of activities (SREP) or punctually at any time. The minimum 3 year frequency that is mentioned does not add much in the process since there is a requirement to inform authorities in case of material changes.