New outsourcing guidelines issued by the European Banking Authority (EBA) come into force on 30th September 2019. These replace both the Committee of European Banking Supervisors’ 2006 guidelines for banks and other credit institutions and the EBA’s 2018 recommendations on cloud outsourcing for credit institutions and investment firms regulated under the Markets in Financial Instruments Directive (MiFID II). Payment firms, not previously captured by either of these precursor sets of guidelines, but now brought into scope, potentially have a steeper learning curve ahead. In the following blog, we examine the key features of the EBA’s new outsourcing guidelines and their potential implications for your business.
In many respects, the new guidelines are not a radical departure from what has gone before. This is no regulatory revolution. That’s the good news. The bad news is that they do impose many specific new requirements – or at least updated requirements – with which all UK payment firms and e-money institutions will now need to comply for all new, reviewed or amended outsourcing relationships entered into from 30 September onwards – and for all outsourcing contracts from 31 December 2021. You now have until the latter date to bring all existing outsourcing arrangements into line with the new outsourcing guidelines.
The new guidelines can be read in full on the EBA website. Divided into five chapters or ‘titles’ (see pages 23-71), these set out in some detail what the EBA expects of firms within scope.
The stated intent of the EBA’s new outsourcing guidelines is to create a level playing field for different types of financial services organisations and to harmonise the various requirements previously in force. Where payment firms are concerned, the obvious point of reference here is the EU’s 2015 Payment Services Directive (PSD2). In specific relation to outsourcing, Article 19 of PSD2 essentially requires that any outsourcing arrangements should not compromise your internal quality controls, that it should not involve any delegation on the part of your senior management, and that it should not undermine the conditions of your firm’s authorisation. The new guidelines extend and refine these requirements and emphasise a distinction between ‘critical or important functions’ and those that escape such a definition.
Critical or important
Under Title II (Assessment of outsourcing arrangements), Section 4, the new guidelines provide some indication as to what types of outsourcing should be considered ‘critical or important’. The EBA says firms should apply a general principal of proportionality by taking account of ‘the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function, and the potential impact of the outsourcing on the continuity of their activities.’
Essentially, critical or important outsourced functions fall into three main categories:
- those where a defect or failure would materially impair your firm’s continuing compliance with the conditions of its authorisation or its regulatory obligations, its financial performance or its ongoing ability to provide payment services
- those where operational tasks of internal control functions are outsourced – except where you can show that the failure or inappropriate provision of the outsourced service would not adversely impact your internal control functions
- those for which the outsourced provider would require authorisation.
Section 31 of the guidelines (pages 27-29) sets out a range of factors to consider when seeking to determine whether or not a function fits the ‘critical or important’ definition.
Title III of the EBA’s new outsourcing guidelines goes into considerable detail on what it expects of firms in terms of governance. It stresses that firms may never outsource the oversight of critical or important functions and must retain the necessary skills to do this in house. Importantly, it also makes clear that you should retain the ability to transfer any critical or important outsourced function to alternative service providers, reintegrate it, or discontinue business activities that depend on it within an appropriate timescale. You will also need to designate a senior member of staff accountable to your board for managing outsourcing risks.
You are now required to put in place, maintain and update a comprehensive written outsourcing policy that differentiates between critical and important and other types of outsourcing. This should cover ‘the main phases of the life cycle of outsourcing arrangements and define principles, responsibilities and processes in relation to outsourcing’.
In Section 7 (pages 33-34), the guidelines detail what your outsourcing policy should cover. This includes responsibilities, control functions, selection criteria, due diligence, risk management, business continuity, monitoring and exit strategies. The new guidelines also stress your responsibility for identifying and managing any potential conflicts of interest created by a particular outsourcing arrangement.
One significant innovation from any of the preceding guidelines on outsourcing in the financial services sector is the requirement for firms to compile and maintain a register of information on all outsourcing arrangements. This must be available at any time to the FCA on request. The minimum requirements for what your outsourcing register should cover are set out on pages 37 and 38 of the guidelines, with additional requirements specified for critical or important functions.
Title IV of the guidelines covers the EBA’s expectations in terms of the outsourcing process. It notes your responsibilities in terms of pre-outsourcing analysis, with particular stress on assessing risks around subcontracting, third-country providers, and the security of data and systems. It also sets out in Section 13 (pages 44-45) what should be included in an outsourcing agreement. Included in an 18-point list here are items such as governing law, financial obligations, subcontracting, locational factors, data issues, monitoring, reporting obligations, insurance and audit rights.
What you need to do
As well as adhering to the EBA’s new outsourcing guidelines for any new or updated outsourcing arrangements you now enter into, you now have until the end of December 2021 to bring any and all existing arrangements into line. There’s a lot to get to grips within the new guidelines, with new or expanded requirements for even the most prudently run firms. The best advice would be to begin reviewing your existing arrangements against the new guidelines as soon as possible, as some changes could take longer than others to effect.
How can Thistle help you?
Our specialist team at Thistle can assist you with this process. We can provide practical expert assistance with reviewing and updating your existing provisions to ensure you comply fully with the spirit and the letter of the EBA’s new guidelines – and indeed with any other regulatory issues in the payment services space.
Our dedicated team works with payment initiation services providers (PISPs), account information service providers (AISPs) and other payment services providers. We advise on everything from FCA applications, small payments institution registration, and REP018 submissions to auditing, financial crime, and regulatory returns.
To find out more, visit our Payment Services page – or simply call us on 0207 436 0630 or email email@example.com.