Firms have five months before the deadline to bring legacy outsourcing arrangements into compliance with the European Banking Authority "Guidelines on outsourcing arrangements" ("EBA Guidelines"). In this note, UK outsourcing partner, Tristan Jonckheer, sets out five clear steps to achieve compliance within this short timeframe.
The EBA Guidelines came into effect on 30 September 2019. These guidelines require financial services firms to include specific provisions in their outsourcing contracts. Firms are required to bring legacy outsourcing arrangements into compliance with the EBA Guidelines no later than the next contract renewal date, or 31 December 2021 at the latest.
Notwithstanding Brexit, UK regulators notified the EBA that the UK will comply with the EBA Guidelines. However, due to the COVID-19 pandemic, the PRA and FCA have both confirmed they will give firms in the UK until 31 March 2022 to bring legacy outsourcing arrangements into compliance with the UK's implementation of the EBA Guidelines.Outside the UK, regulators in EU member states have remained committed to the original deadline of 31 December 2021.
As a result, firms are rushing to plan and implement remediation projects across their European operations to bring legacy contracts into compliance with the EBA Guidelines before the deadline. This is a complex task and can be daunting when hundreds of contracts in multiple jurisdictions may be in-scope.
In this note, we have broken down such remediation projects into five distinct steps and set out some tips for delivering these projects in a manageable and efficient manner:
Five steps for delivering a remediation project
Step 1 – Identify in-scope contracts
In-scope firms – do the EBA Guidelines apply to you?
Initially you will need to establish if the EBA Guidelines apply to your firm and, if so, to which aspects of its operations.
The EBA Guidelines apply to:
- credit institutions and investment firms subject to the EU Capital Requirement Directive (2013/36/EU). These are banks, building societies and IFPRU investment firms; and
- payment institutions and electronic money institutions.
As some EU member states have applied their outsourcing guidelines to a broader range of firms, local counsel should be instructed in relevant jurisdictions to advise on the scope of local law implementations of the EBA Guidelines. For example, in the UK the PRA's Supervisory Statement 2/21 (SS2/21) also applies to:
- insurance and reinsurance firms and groups in-scope of Solvency II, including the Society of Lloyd’s and managing agents (insurers); and
- branches of overseas banks and insurers (third-country branches).
In-scope jurisdictions – which jurisdictions do you operate in?
Regulators in EU member states have committed to complying with the EBA Guidelines (see compliance table here). Notwithstanding Brexit, the UK will implement the EBA Guidelines, to the extent that they remain relevant post-Brexit.
Firms will therefore need to assess which of their European operations may have arrangements within the scope of the EBA Guidelines.
In-scope contracts – which of the contracts are in-scope of the EBA Guidelines?
Once a firm has identified which aspects of its European operations may be impacted by the EBA Guidelines, it must identify the outsourcing arrangements which are in-scope in each relevant jurisdiction.
The EBA Guidelines apply to any "Outsourcing" arrangements, defined as: "an arrangement of any form between [a firm] and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the [firm] itself." This includes unwritten informal arrangements and intra-group outsourcing.
The following arrangements are not "outsourcing":
- a function that is legally required to be performed by a service provider (e.g. a statutory audit);
- market information services (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s, Fitch);
- global network infrastructures (e.g. Visa, MasterCard);
- clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members;
- global financial messaging infrastructures that are subject to oversight by relevant authorities;
- correspondent banking services; and
- the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. utilities).
The output of this phase of the project should be a list of in-scope outsourcing arrangements, including the relevant information relating to each such arrangement.
Step 2 – Prioritise
Identify critical contracts – does the contract relate to a critical or important function?
When complying with the EBA Guidelines, firms should have regard to the proportionality principle and take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. In other words, the more critical the outsourcing arrangement, the more important it will be to meet the requirements of the EBA Guidelines.
In addition, some requirements in the EBA Guidelines only apply to critical or important outsourcing arrangements, but not to other (less important) arrangements.
Critical contracts should therefore be identified and prioritised in any project to comply with the EBA Guidelines. This requires a risk assessment of each outsourcing arrangement in the list of in-scope contracts (see Step 1), so the list identifies the critical and important contracts.
The EBA Guidelines set out some criteria to help with this assessment. They also make clear a contract will always be critical or important where:
- a defect or failure in its performance would materially impair:
- its continuing compliance with the conditions of their authorisation or its other obligations under the Capital Requirements laws;
- its financial performance; or
- the soundness or continuity of its banking and payment services and activities;
- operational tasks of internal control functions are outsourced, unless the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function; or
- it outsources functions that would require authorisation by a competent authority.
Identify renewal dates – will the contract expire or be renegotiated in any event?
For each in-scope contract identified (see Step 1), you should identify the expiry date of the then current term.
If the expiry date is before the deadline for compliance (31 December 2021 (EU); 31 March 2022 (UK)), the contract can usually be excluded from the remediation project. On expiry of such legacy contract, the replacement contract should be compliant with the EBA Guidelines in accordance with the firm's business-as-usual outsourcing policy.
Step 3 – Gap analysis
Each in-scope outsourcing arrangement should be reviewed against each requirement of the EBA Guidelines, to confirm either that the requirement:
- has been met and no further action is required; or
- has not been met and the contract either:
- must be amended to meet the requirement; or
- applying the proportionality principle, no further action is required.
This can be done by checking each contract against a checklist and identifying any gaps. A firm should seek expert legal advice before deciding not to remedy any identified non-compliance with the EBA Guidelines.
Where many contracts are within the scope of the review, this can require extensive resources. Critical and important contracts should be prioritised (see Step 2), both as sensible risk management and as firms will need to report any non-compliance in respect of such contracts to their regulators once the deadline has passed.
Firms may stand up a team of paralegals to help to perform reviews against the EBA Guidelines checklist in a fast and cost-efficient manner, particularly where there are large numbers of non-critical contracts (for example, Dentons can use paralegals based in its remote Legal Delivery Centre to perform such reviews).
Step 4 – Develop precedents
Firms should develop a precedent addendum, or set of clauses, which meet the requirements of the EBA Guidelines.
Where the Gap Analysis (Step 3) has identified that a requirement of the EBA Guidelines has not been met, the relevant provisions in the precedent documents can be incorporated into the contract to "fill the gap" by meeting the requirement.
This addendum (or the relevant clauses) may already have been created by the firm for use in new contracts. If not, a new addendum can be drafted.
Step 5 – Amend contracts
Firms should amend each of the in-scope contracts to remedy any "gap" in compliance with the EBA Guidelines (see Step 3). Again, the most critical arrangements should be prioritised (see Step 2). There are various approaches to achieve this:
The best way to ensure compliance with the EBA Guidelines is to negotiate bespoke contractual amendments with the service provider (via the contractually prescribed Change Control Procedure, or a separate amendment agreement) to remedy any gaps. Firms may use their precedent EBA Guidelines addendum (see Step 4) as a sourcebook for the relevant contractual provisions.
Alternatively, firms may seek to minimise the time required to remedy any gap by requiring the service provider to sign an amendment agreement which contains the EBA Guidelines addendum (or, ideally, only those provisions in the EBA Guidelines addendum which relate to any identified gap).
However, where a service provider is intransigent (often providers of large shared IT platforms or infrastructure), it may refuse to engage in negotiations on its standard contractual terms. In this case, firms may request the service provider's standard EBA addendum. Where the service provider offers such an addendum, this should be carefully checked against the relevant requirements of the EBA Guidelines. Such addendums will often seek to meet the requirements in the least burdensome manner for the service provider and may not go far enough to fully satisfy the requirements of the EBA Guidelines.
If any service provider does not meet the requirements of the EBA Guidelines following negotiations, this must be recorded and addressed, for example through further negotiations, replacement of the service provider or a formal risk acceptance process.
Your project team
Any project to bring legacy contracts into compliance with the EBA Guidelines will be complex. In some projects, there are many hundreds of agreements in-scope. As a result, appointing the right delivery team will be essential to delivering the project efficiently.
The team should include:
- Project manager – Legal project management skills will be essential to delivering the project efficiently. Wherever possible, firms should engage specialist project managers, either in-house, or an external legal project management team, to deliver the project.
- Lead legal adviser – Firms should engage internal or external lawyers with experience of delivering projects to comply with the EBA Guidelines. They will have developed documents to assist with compliance, which can be readily customised, saving time and costs (see Dentons' EBA Guidelines Toolkit below). The lead legal adviser should also act as a single point of contact, managing any local counsel as required (see below).
- Local counsel – Local counsel will need to be engaged to advise on local implementations of the EBA Guidelines. If your lead legal adviser is a global law firm, such as Dentons, the local counsel will be engaged and managed directly by them.
- Legal delivery team – Some of the more resource-intensive tasks in the project are more administrative in nature and will not require expert legal advice, in particular many aspects of Steps 3 (Gap analysis) and 5 (Amend contracts). A legal delivery team, consisting of contract managers and paralegals will often be able to perform much of the "heavy lifting" in these steps in a rapid, cost-efficient manner.
Dentons EBA Guidelines Toolkit
Dentons has developed the following tools and resources which will be customised and deployed as appropriate when advising on a firm's EBA remediation project:
- EBA Scoping Flowchart - A flowchart to help a firm to determine which contracts are in-scope for review against the EBA Guidelines.
- EBA Critical Contracts Flowchart - A flowchart to help a firm to determine which contracts are critical or important.
- EBA Guidelines Checklist - A detailed checklist to confirm if the requirements of the EBA Guidelines have been met by an outsourcing contract.
- EBA Guidelines Addendum – A contractual addendum which can be incorporated into any in-scope contract (in whole or in part) which contains clauses which meet the requirements of the EBA Guidelines.
- EBA Guidelines Addendum Playbook - A customised playbook (with preferred and fall-back positions) so that the procurement, contract management and legal team can negotiate amendments to the EBA Guidelines Addendum and make appropriate escalations where needed.
- Dentons' Legal Project Management Team – A specialist team of legal project managers to enable the efficient delivery of your remediation project, on time and to budget.
- Dentons' Legal Delivery Centre – Project delivery support from our cost-efficient remote paralegal team.
- Dentons Direct – Advanced collaboration and project workflow tool to host documents and facilitate tracking, reporting and project management.
If you would like to discuss these tools or how Dentons can help to deliver your remediation project, please contact Tristan Jonckheer in our top-ranked Outsourcing team.
