- Question ID
-
2024_6979
- Legal act
- Directive 2013/36/EU (CRD)
- Topic
- Internal Governance
- Article
-
EBA Guidelines on Outsourcing Arrangements
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- EBA/GL/2019/02 - Guidelines on outsourcing arrangements
- Article/Paragraph
-
Para 24 and 25 page 11, in light of the responses provided in pages 88 and 89
- Type of submitter
-
Individual
- Subject matter
-
Clarification on How the Guidelines Impact Vendors Whose Products are Not Deemed as Outsourcing Arrangements
- Question
-
In light of the EBA's clarification (pages 88 and 89), we understand that the purchase of standardized/licensed software or services, such as those supporting IT platforms (e.g., web hosting, DDoS systems, data backup processes), does not fall within the scope of outsourcing (as per the EBA's response to related queries).
Paragraphs 24 and 25 on page 11, however, require financial institutions to assess risks from third-party arrangements, even if not classified as outsourcing.
As a vendor providing non-outsourcing arrangements, we seek clarification on whether the EBA requires financial institutions to mandate compliance with the EBA outsourcing guidelines in our case, considering our offerings are explicitly excluded from the outsourcing definition. Can financial institutions require compliance with these guidelines, citing them as a compulsory regulatory requirement, even when our offerings do not qualify as outsourcing arrangements?
- Background on the question
-
As the corporate counsel for a company that provides standardized hardware and software (WAF, load balancing hardware and software, hosting, and distributed denial-of-service (DDoS) systems), I am reaching out regarding a recurrent concern in my negotiations of agreements with financial institutions.
Our customers consistently require us to comply with the comprehensive EBA Guidelines for Outsourcing arrangements. We find this approach to be a bit disproportional to the engagement, particularly considering the EBA's explicit clarification that our offerings, which include standardized hardware and software, fall outside the classification of outsourcing arrangements.
We are looking for clarity from the EBA to establish that (i) arrangements that are not classified as outsourcing do not need to be mandated to comply with outsourcing guidelines; (ii) risk-proportionate arrangements with vendors need to be made through fair commercial negotiations rather than being unilaterally imposed on vendors in the guise of regulatory requirements.
We recognize and respect these obligations and seek clarity on how they apply specifically to arrangements that fall outside the scope of outsourcing as defined by the EBA.
- Submission date
- Rejected publishing date
-
- Rationale for rejection
-
This question has been rejected because the issue it deals with is already explained or addressed in the EBA/GL/2019/02 - Guidelines on outsourcing arrangements.
For further information on the purpose of this tool and on how to submit questions, please see 'Additional background and guidance for asking questions'.
- Status
-
Rejected question