The European Banking Authority (EBA) recently opened a consultation on draft new Committee of European Banking Supervisors (CEBS) guidelines on outsourcing, which include updates to its previous guidelines and recommendations on 'subcontracting', 'chain outsourcing' or 'sub-outsourcing', as it is variously referred to.
The purpose of the CEBS guidelines is to provide a framework by which financial institutions must manage risks and their regulatory responsibilities when outsourcing the performance of their functions to third parties. The guidelines will be an important document for banks as they continue to digitise their operations and seek access to the latest technologies, including cloud-based solutions.
The new CEBS guidelines, when finalised, will update an existing version from 2006 as well as more recent recommendations the EBA issued specifically on outsourcing to the cloud – the cloud recommendations, finalised last December, only began to apply on 1 July.
The EBA has said that it has "integrated" the cloud recommendations into its draft new CEBS guidelines, but the reality is that there are changes in terminology on important concepts, quite a lot of subtle changes in wording for banks to understand, and a need for further clarity on a range of issues. This includes issues which relate to sub-contracting.
The 'right to object' and to terminate
In its proposed new guidelines, the EBA said that financial institutions should stipulate in their outsourcing agreements whether or not they allow the "sub-outsourcing of critical or important functions". Where they do, they face additional obligations around ensuring their oversight and management of risks of sub-contracting arrangements.
One of those obligations is to "ensure, where appropriate, that [they have] the right to object against intended sub-outsourcing or that an explicit approval is required".
It is not framed as a requirement for banks to provide in their outsourcing agreements for a right to veto sub-contracting arrangements their provider wishes to put in place – something which would not be easy to negotiate with major cloud providers. However, as the 'right to object' is not explained any further by the EBA, its intended impact in terms of mitigating risk is not clear.
The financial institution engaged in outsourcing must also "ensure that [they] have the contractual right to terminate the agreement in case of undue sub-outsourcing".
When the 'right to object' guideline is read alongside the 'right to terminate', it could be argued that the right to object provides nothing more than a vehicle for raising a complaint that can be ignored by providers.
This reading of the provision is in line with the qualified right data controllers have to object to the engagement of new sub-processors by their data processors under EU data protection laws.
The General Data Protection Regulation (GDPR) prohibits data processors from engaging another processor "without prior specific or general written authorisation of the controller". When general written authorisation is given, processors are required to inform data controllers of "any intended changes" to their sub-processor arrangements, from adding to or replacing existing sub-processors, so that controllers have "the opportunity to object to such changes".
The language used in draft guidance issued by the UK's Information Commissioner's Office (ICO) on contracts and liabilities between controllers and processors suggests that the ICO views this right to object to sub-processor arrangements as a right to raise a complaint rather than a right to terminate by other words.
The ICO's draft guidance states: "If another processor is employed under your prior general written authorisation, your processor should let you know of any changes it has made and give you a chance to object to them."
Banks should, however, seek clarification from the EBA about what the right to object under the draft CEBS guidelines means in practice.
It is similarly unclear when the EBA considers it would be 'appropriate' for the right to object to be included in outsourcing agreements. This vague wording has the potential to be interpreted very differently across financial institutions and their providers.
In terms of the right to terminate, it is also unclear what would constitute 'undue sub-outsourcing'. The EBA gave two examples of when this may occur, but has otherwise not defined the concept. The examples it gave are "where the sub-outsourcing materially increases the risks for the institution and the payment institution or where the service provider sub-outsources without notifying the institution or the payment institution".
Whether the right to terminate could be acted on where new risks are introduced by sub-contracting arrangements that are not considered 'material' is unclear.
In the EBA's cloud recommendations, the termination right is limited only to circumstances where the planned changes would have an adverse effect on the risk assessment. However, by providing a non-exclusive list of examples, the EBA has opened up the prospect of banks asking for broader rights to terminate in their outsourcing agreements – something that would likely be resisted by cloud providers in contract negotiations.
Registering and notifying sub-contracting arrangements
Under the new proposals, financial institutions would be required to maintain a central register of "all outsourcing arrangements". Associated with this, the EBA plans to require institutions to include certain details of "all sub-service providers" on the register.
On a technical point, it is not clear whether the terminology 'sub-service providers' and 'sub-contractors' is interchangeable, or whether they refer to different things. This is something institutions will want clarification on.
In relation to the substance of the proposals, however, these are broad requirements that push institutions to obtain more information from their service providers.
Information to be documented about service providers and sub-service providers includes their name, registered address, country of registration and legal entity identifier, their parent company, whether they are part of the institution's group or not, the countries in which the outsourced services will be performed, and the countries in which data will or will potentially be stored.
Institutions face revised obligations about what to provide for in their outsourcing agreements where they allow their service providers to sub-outsource critical or important functions.
This includes imposing a contractual requirement on service providers to "inform" them of "any planned sub-outsourcing, or material changes thereto, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement".
This marks a change from what is required under the EBA's existing cloud recommendations. Under that guidance, notification is required on "planned significant changes to subcontractors or subcontracted services named in the initial agreement that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement". The use of 'in particular' raises questions as to, firstly, whether the category of subcontractors or subcontracted services which institutions must be informed of is broader than that provided under the cloud recommendations and, secondly, if this is the intention, the circumstances which the EBA is trying to address by broadening this right.
Institutions must engage
Important concepts have not been defined, and some terminology is inconsistent, causing potential for mis-application of the guidelines if they are finalised in their current form. In addition, further clarification on the extent of the new obligations and on the changes to the position set out in the cloud recommendations is required.
For these reasons it is vital that institutions engage with the EBA's consultation process to highlight their concerns and where they need clarity.
We have been here before. In May 2017 the EBA published its draft cloud recommendations for consultation. That prompted a significant response from industry and led to improvements and clarifications being made when the finalised cloud recommendations were issued in December.
However, as the EBA essentially admitted at the time, its cloud recommendations were set out within the constraints of what the 2006 CEBS outsourcing guidelines allow. It highlighted this in its finalised cloud recommendations paper when rejecting some of the suggestions industry made for improving the draft guidelines to better encourage the adoption of cloud services.
Now that the EBA is updating the CEBS outsourcing guidelines, there should be greater scope to respond to industry recommendations – provided that what is suggested fits within the bounds of financial services law and regulations. This opportunity to influence must be seized by institutions and service providers alike.
Yvonne Dunn, Luke Scanlon and Craig Callery are experts in cloud contracts in the financial services sector at Pinsent Masons, the law firm behind Out-Law.com.