EBA Guidelines on Outsourcing Arrangements (2024)

On 25 February 2019, the European Banking Authority (EBA) published its final guidelines on outsourcing arrangements (the Guidelines).

The Guidelines will replace the existing CEBS Guidelines on Outsourcing published in 2006. The EBA has also "integrated" its recent Recommendations on outsourcing to cloud service providers into the Guidelines.

10 things you need to know

The Guidelines represent a significant extension in the scope of existing EBA materials on outsourcing

The Guidelines apply not only to credit institutions and investment firms, but to authorised payment institutions (APIs) and e-money institutions (EMIs) which, up to now, have not been subject to detailed requirements related to outsourcing.

The Guidelines also cover a broad spectrum of arrangements beyond critical and material outsourcings, including outsourcings which are not critical or material and even other service provision arrangements. The Guidelines provide a list of requirements that apply to all outsourcings and some requirements which apply to arrangements with third parties.

The Guidelines specify that outsourcing must not lead to an institution becoming an "empty shell" lacking the substance to remain authorised. Sufficient resources must be in place to support and ensure performance of responsibilities.

The Guidelines are more prescriptive than current outsourcing regulation

The Guidelines would go beyond the outsourcing requirements of current EU law (e.g. MiFID Org Regulation (EU 2017/565)). For example, the Guidelines contain specific documentary requirements, including:

  • maintaining a written outsourcing policy;
  • maintaining a register of all outsourcing arrangements, with additional information requirements for critical or important functions, which should be available to the competent authority upon request;
  • mapping and recording all outsourcing risks; and
  • providing a list of matters which should be covered in the contract governing the outsourcing including "the agreed service levels which should include precise quantitative and qualitative performance targets".

The Guidelines require firms to ensure that the firm, its auditors and its regulators are able to have "full access" and "unrestricted rights of inspection" in relation to the service provider, i.e. full access to premises, systems or data.

The Guidelines highlight particular types of outsourcing risk

The EBA expects firms to factor into their risk assessments and establish additional safeguards where:

  • service providers are located in third countries (i.e. the UK post 29 March 2019, subject to any transitional provisions), which are treated as inherently more risky than service providers located in Member States;
  • the firm is receiving IT services, even when those arrangements are not in fact outsourcings or are not categorised as critical or material; and
  • service providers are subject to concentration risk. The need to monitor and manage this concentration risk is particularly relevant to certain forms of IT outsourcing, including cloud outsourcing, which are dominated by a small number of highly dominant service providers.

Outsourcing registers need to cover all outsourcings, not just those that are critical/material

Firms will need to share their registers with their competent authority in a common database format on request. The Guidelines are prescriptive about the information which must be maintained for existing outsourcing arrangements, with additional information to be recorded for the outsourcing of critical or important functions.

Where outsourcing is provided by a service provider that is part of a group or an institutional protection scheme, the conditions, including financial conditions, should be set at arm's length, but there are limited exceptions where the same or similar services are provided to several institutions within a group or an institutional protection scheme.

Specific guidance for digital outsourcings

One of the key ways in which firms access and trial innovative technologies is through an outsourcing arrangement. The EBA set out additional guidance specific to technology outsourcings, for example for cloud services.

An individual in senior management must be accountable for outsourcing arrangements

For credit institutions, outsourcing is a PRA prescribed responsibility under the Senior Managers and Certification Regime. However, for APIs, EMIs, and investment firms which are not authorised by the PRA, this will be a new requirement with the expectation a senior member of staff will be responsible for managing and overseeing risks of outsourcing arrangements.

There are new requirements for sub-contracting

The EBA advises that firms explicitly set out in their outsourcing agreements whether or not they allow the sub-outsourcing of critical or important functions, or material parts of those functions. Where they do, there are additional obligations, which should be documented, around ensuring their oversight and management of the risks associated with sub-contracting arrangements. One of those obligations is to ensure, where appropriate, that the firm has the right to object to an intended sub-outsourcing or that an explicit written approval is required in order for it to go ahead.

For outsourcing of functions of banking or payment services, where performance of the function requires authorisation or registration by a competent authority, then certain conditions must be met before services can be provided by a service provider located in a third country.

Integration with the Recommendations on outsourcing to cloud service providers

Unlike other competent authorities, the Financial Conduct Authority (FCA) currently requires "banks, building societies, designated investment firms and IFPRU investment firms" to comply with the Recommendations rather than the FCA's domestic guidance. As the Recommendations are not faithfully reproduced in the Guidelines, this means a two-step implementation exercise.

30 September 2019 is the key date

If adopted by the UK regulators, the date of application is 30 September 2019 (with the exception of Guideline 63(b) which applies from 31 December 2021), which does not leave firms with much time to set up the governance and internal monitoring required by the Guidelines.

The EBA expects firms to amend existing outsourcing arrangements to comply with the Guidelines by 31 December 2021 and there are no transitional/grandfathering provisions

Firms are expected to "complete" the documentation of all existing outsourcing arrangements (other than those to cloud service providers) in line with the Guidelines following either the first renewal date of the arrangement or 31 December 2021, whichever is earlier. Given that many outsourcing agreements can be for a 5 year term, this period would be inadequate and would require firms to initiate change in the control procedures and/or bring forward contract negotiations. If a review of outsourcing arrangements of critical or important functions is not concluded by 31 December 2021, the competent authority should be informed with the firms' planned measures or exit strategy to be implemented.

10 things you need to do

  • Revisit governance arrangements for outsourcing to consider them against the detail offered in the Guidelines.
  • Review existing outsourcing classifications to assess compliance with the Guidelines, including criticality criteria.
  • Review and amend internal audit function's responsibilities to reflect the EBA's directions as to what the internal audit function should be looking at in the context of outsourcings.
  • Design, review and/or update the outsourcing register (and management information flow used to populate it) to ensure that it records all current outsourcing arrangements and distinguishes the outsourcing of critical or important functions from other outsourcing arrangements and include the comprehensive information prescribed by the Guidelines.
  • Update the outsourcing policy to reflect the Guidelines, in particular, to include a compliance framework for each stage of the outsourcing from the decision to outsource to termination and exit.
  • Update the business continuity plan to factor in outsourcing arrangements and include critical or important outsourcings into stress testing.
  • Ensure there is a senior executive with responsibility for outsourcing arrangements.
  • Reconsider intra group outsourcings and whether the controls around them are robust enough to meet the Guidelines.
  • Put in place a plan for the review of existing contracts based on their renewal date. This will need to factor in time to renegotiate elements of the contractual arrangement if they are non-compliant with the Guidelines.
  • Consider the Guidelines in the context of Brexit planning.

If you would like to have a chat about any of the above and how to prepare for these changes, please get in touch with the contacts below.

FAQs

Who do the EBA outsourcing guidelines apply to?

The EBA Guidelines apply to: credit institutions and investment firms subject to the EU Capital Requirements Directive (2013/36/EU), i.e. banks, building societies and IFPRU investment firms; and payment institutions and electronic money institutions.

What is an outsourcing arrangement?

Outsourcing is an arrangement under which an organisation contracts with a service provider to perform services that the organisation currently performs in-house or which are performed by an existing third party supplier.

Are EBA guidelines mandatory?

The Court also confirms that, while EBA guidelines are not legally binding, supervisory authorities and financial institutions must make every effort to comply with them, that supervisory authorities have to give reasons if they intend not to comply, and that national courts are expected to take EBA guidelines into ...

What is an EBA guideline?

The EBA Guidelines will enter into force on 30 September 2019 and contain some transitional periods for implementing a register of all outsourcing arrangements and to agree on cooperation agreements between competent authorities or to reintegrate outsourced functions or move them to other service providers, if the ...

What should be in an outsourcing policy?

The matters to be covered include the financial and technical ability of the service provider and its capacity to perform the outsourcing; its control framework; and any conflict of interests, e.g. between service provider and undertaking or arrangements with competitors.

What is outsourcing risk assessment?

(1) Outsourcing risk is the risk posed to an insurer's business by non-performance, or poor performance, by a service provider of a function transferred to the service provider under a material outsourcing arrangement (within the meaning of CTRL).

Which is the best example of outsourcing?

Advertising, office and warehouse cleaning, and website development are the best examples of outsourcing. Most business owners delegate authority to outsourced specialists when it comes to bookkeeping, maintenance, recruitment. This helps enterprises to focus most of their resources on the main activity.

How is outsourcing regulated?

National Regulations

US federal laws do not specifically regulate outsourcing transactions. Contract law is generally governed by state law, subject to any applicable federal laws (such as laws relating to intellectual property (IP) rights, immigration, export controls and bankruptcy).

Are EBA opinions binding?

The EBA develops draft BTS which are finally endorsed and adopted by the European Commission. Contrary to other documents such as Guidelines or Recommendations, the BTS are legally binding and directly applicable in all Member States.

What is the difference between the ECB and the EBA?

The European Central Bank (ECB) ensures that banks follow the rules set forth by the EBA, which runs annual transparency exercises and stress tests on more than 100 EU banks. This involves cultivating fiscal data on a bank's capital, risk-weighted assets (RWA), recorded profits and losses, market risk, and credit risk.

What are COREP and FINREP?

While COREP is a capital reporting regime, FINREP is its financial counterpart. It is a framework given by EBA for reporting financial (accounting) information to the regulator which will be applicable to all Credit Institutions in the European Union.

What is a PRA supervisory statement?

This Supervisory Statement (SS) sets out the Prudential Regulation Authority's (PRA) expectations for receiving information concerning the risks in the wider group and co-operation from other supervisory authorities concerned with the firm or its wider group.

When outsourcing business responsibilities to a vendor, what are you accountable for?

In reality, you are still responsible for the quality and security of your products and data. Of course, outsourcing is often necessary, but external parties expand the scope of your risk, creating new potential vulnerabilities.

How do you write an outsourcing strategy?

6 Steps for Building a Successful Outsourcing Strategy
  1. Outline Detailed Outsourcing Goals. ...
  2. Budget for the Expected and Unexpected. ...
  3. Choose the Right Outsourcing Engagement Model. ...
  4. Mitigate Outsourcing Risks. ...
  5. Actively Track Outsourcing Progress and Added Value.

What types of organizational activities do you believe are least likely to be outsourced?

The types that are less likely to be outsourced are human resources, distribution and finance, and lawyers although the list is much broader than these. Retaining control over certain parts is necessary because they are too important to outsource.

How do you mitigate the risks of outsourcing?

How to Mitigate IT Outsourcing Risks: An Expert Guide
  1. In-house versus outsourcing potential.
  2. Understanding the different risks.
  3. COVID-19's impact on IT outsourcing.
  4. Ten crucial steps to risk mitigation.
  5. Ensure Cultural and Work Ethic Alignment.
  6. Prioritize Project Management.
  7. Schedule Regular Status Updates.

How do you manage outsourcing risks?

Requirements Definition. Vendor Selection and Due Diligence. Contract Negotiation and Implementation. Ongoing Monitoring.

Is outsourcing the same as using a third party?

Companies can outsource virtually any part of their business model. Finally, outsourcing is not the same thing as purchasing a product or service. While the distinction can sometimes be fine, outsourcing refers specifically to finding a third party to do work the company would otherwise have done itself.

What are the benefits and risks of outsourcing?

The Pros And Cons Of Outsourcing
  • You Don't Have To Hire More Employees. When you outsource, you can pay your help as a contractor. ...
  • Access To A Larger Talent Pool. When hiring an employee, you may only have access to a small, local talent pool. ...
  • Lower Labor Cost. ...
  • Lack Of Control. ...
  • Communication Issues. ...
  • Problems With Quality.

What are the disadvantages of outsourcing?

Disadvantages of outsourcing
  • service delivery - which may fall behind time or below expectation.
  • confidentiality and security - which may be at risk.
  • lack of flexibility - contract could prove too rigid to accommodate change.
  • management difficulties - changes at the outsourcing company could lead to friction.

Why does outsourcing fail?

Outsourcing often fails due to conflicts between in-house and outsourced teams. This may be due to cultural differences, gaps in communication, and negative perceptions about the outsourced company. Also, keep your internal team in the loop at all times while communicating with the client and other teams.

What is outsourcing in simple words?

Outsourcing is a business practice in which a company hires a third-party to perform tasks, handle operations or provide services for the company.

What is the most common type of outsourcing?

Business process outsourcing is the most common type of outsourcing. It refers to contracting any business process to a third-party service provider. This type usually deals with repetitive tasks such as customer support and administrative roles.

How can I improve my outsourcing performance?

7 Tips to Improve Outsourcing Management in Your Company
  1. Define the Working Environment and Related Risks. ...
  2. Reduce Risks and Respect Safety Standards. ...
  3. Choose the Right Contractor. ...
  4. Foster the Sharing of Information with Workers. ...
  5. Conduct Preventive Monitoring and Take Safety Measures as Required. ...
  6. Conduct Investigations.

How do you manage an outsourced employee?

Here are 3 tips to successfully managing an outsourced workforce.
  1. Communicate Clear Expectations. Your outsourced team can only work with what has been provided to them. ...
  2. Stay Connected. ...
  3. Ensure Outsourced Workforce Understands Your Company Goals.

What is the importance of outsourcing?

Outsourcing non-core activities can improve efficiency and productivity because another entity performs these smaller tasks better than the firm itself. This strategy may also lead to faster turnaround times, increased competitiveness within an industry, and the cutting of overall operational costs.

What are the most commonly outsourced elements of a business?

10 Small Business Functions That Can Be Easily Outsourced
  • Accounting. Accounting is one of the most common areas where small businesses choose to outsource. ...
  • Marketing. ...
  • Sales. ...
  • IT Management. ...
  • Administrative Tasks. ...
  • Customer Service. ...
  • Manufacturing. ...
  • Shipping and Logistics.

Do EBA guidelines apply to the UK?

Recommendations that are complied with in the UK

Changes to existing EU Guidelines and Recommendations, and new Guidelines and Recommendations, issued by the EBA after the end of the transition period are not relevant for the purposes of this SoP.

Is the EBA part of the banking union?

The EBA is independent, but accountable to the European Parliament, the European Council of the European Union and the European Commission.

What is the Single Rulebook?

The term Single Rulebook was coined in 2009 by the European Council in order to refer to the aim of a unified regulatory framework for the EU financial sector that would complete the single market in financial services. This will ensure uniform application of Basel III in all Member States.

What is the European Banking Authority (EBA) and what is its main task?

The EBA is an independent EU agency established in 2011 at the height of the financial crisis. Its objective is to contribute to financial stability across the EU and safeguard the integrity, efficiency and orderly functioning of the EU banking sector.

What is the EBA Clearing system?

EBA Clearing (www.ebaclearing.eu) owns and operates major payment infrastructure in Europe for euro payments between banks. This includes EURO1, a high-value payment system; STEP1, a payment system for single euro payments for small and medium-sized banks; and STEP2, a pan-European automated clearing house (PE-ACH).

Is the EBA a supervisor?

The European Banking Authority (EBA) is the micro-prudential supervisory authority for the banking sector in the European Union and forms part of the European System of Financial Supervision (ESFS).

What are the 3 main factors to consider in determining AML risk?

Key Categories of BSA/AML Risk for Community Banks. Inherent BSA/AML risk falls into three main categories: (1) products and services, (2) customers and entities, and (3) geographic location.

Which are the three most commonly used AML risk criteria?

Size of the business and its transactions; customer type; types of products and services sold to customers; and location.

Who is FINREP submitted to?

FINREP applies to credit institutions, banks and investment firms that are: listed on a recognised stock exchange; prepare their financial statements in accordance with International Financial Reporting Standards (IFRS); and subject to CRD IV, so all credit institutions and some investment firms.

Who needs to report COREP?

What you need to report to us. COREP applies to investment firms and covers various aspects of a firm's operations that need to be reported to us, including own funds resources and requirements, large exposures, and leverage.

What does COREP mean?

These Guidelines define a common reporting framework (COREP) to be used by credit institutions and investment firms when they report their solvency ratio to supervisory authorities under the Capital Requirements Directive (CRD).

What are the PRA threshold conditions?

The PRA's Threshold Conditions

In broad terms, they require firms to have an appropriate amount and quality of capital and liquidity, to have appropriate resources to measure, monitor and manage risk, to be fit and proper, conduct their business prudently and be capable of being effectively supervised by the PRA.

What are the PRA fundamental rules?

The PRA's Fundamental Rules are: Fundamental Rule 1 – A firm must conduct its business with integrity. Fundamental Rule 2 – A firm must conduct its business with due skill, care and diligence. Fundamental Rule 3 – A firm must act in a prudent manner.

What is the difference between the FCA and the PRA?

The PRA and the FCA are two separate entities, although we do work closely with the FCA on certain issues/firms. The main difference is that the FCA works with firms to ensure fair outcomes for consumers.

What is regulated outsourcing?

Outsourcing of utility regulation is defined as the use by a regulator of an external contractor, instead of its own employees, to perform certain tasks or functions. Public bodies and private companies are permanently confronted with decisions about whether to make or buy products and services.

Can you outsource compliance?

Outsourcing compliance work can save money and time. The outsourcing firms can often handle parts of your compliance at a lower cost than if you ran everything yourself. They benefit from economies of scale due to specializing in one or two services.

What are the advantages and disadvantages of outsourcing?

The Pros And Cons Of Outsourcing
  • Advantages Of Outsourcing. ...
  • You Don't Have To Hire More Employees. ...
  • Access To A Larger Talent Pool. ...
  • Lower Labor Cost. ...
  • Cons Of Outsourcing. ...
  • Lack Of Control. ...
  • Communication Issues. ...
  • Problems With Quality.

What is intra-group outsourcing?

Intra-group outsourcing is when a firm enters into an outsourcing arrangement with a company in the same group, including cross-border outsourcing to parent or sibling companies outside the UK.

What type of due diligence is required for AML/CFT matters?

Adequate due diligence on new and existing customers is a key part of these controls. The application of strict Customer Due Diligence (CDD) by financial institutions and a high degree of transparency is crucial to fight money laundering and the financing of terrorism effectively.