The guidelines contain significant changes to an earlier draft version the EBA consulted on last year, including focusing most of the requirements around 'critical or important' outsourcing arrangements.
The new guidelines, which are pertinent to credit institutions, investment firms and payment institutions, will replace existing guidance on outsourcing that has applied since 2006 as well as the EBA's specific recommendations on cloud outsourcing that only began to apply in July 2018. They will apply equally to outsourcings to third party service providers and to intra-group outsourcings and, save for one provision, apply from 30 September 2019. Transitional arrangements mean, though, that banks will have until 31 December 2021 to complete the necessary assessment and documenting of all their existing outsourcing arrangements in line with the new guidance.
Financial services and technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, has outlined 10 of the most important changes in the EBA's revised guidance.
In its new outsourcing guidelines the EBA has reiterated that credit institutions, investment firms and payment institutions must have written agreements in place with providers when outsourcing activities to ensure effective oversight of those arrangements.
The EBA's guidelines draw a distinction between outsourcings that are 'critical or important' and those that are not in terms of the requirements that must be met in the outsourcing contracts. Under the risk-based approach outlined by the EBA, however, some outsourcings that are not critical or important will still fall within the scope of some of the more stringent requirements where the risks involved justify it.
Banks are expected to assess for themselves which of the functions they outsource meet the 'critical or important' threshold, although the EBA has set out factors they should consider to inform those assessments. It said, among other criteria, that consideration should be given to whether "a defect or failure" in the performance of a function being outsourced would "materially impair" regulatory compliance, financial performance or business continuity.
The outsourcing contracts must, among other things, set out rights of access and audit for the banks and their regulators.
Banks must ensure that their outsourcing contracts provide them with "full access to all relevant business premises" of their chosen provider, including rights to access devices, systems, networks and data pertinent to the "outsourced function" in cases where the outsourced function has been assessed as being critical or important, as well as in other cases where the risks merit it. This represents the EBA's endorsement of a proportionate, risk-based approach.
Where audit and access rights are to be provided for, the contracts must ensure "unrestricted rights of inspection and auditing related to the outsourcing arrangement".
Provision must also be made in the outsourcing contract for regulators to exercise the same access and audit rights. The EBA has said that, in the regulators' case, those rights must be exercisable for all outsourcings the banks enter into, not just those that are critical or important.
In its guidance, the EBA said audit rights can be exercised in practice through 'pooled audits', where multiple banks, or auditors acting on their behalf, are given on-site access to providers' premises on a single visit.
It further backed the use of certifications or internal reports to satisfy the audit rights requirements. This would see providers draw up their own reports or obtain third-party endorsements to evidence their adherence to legal and regulatory standards. The EBA said, though, that banks "should not rely solely on these reports over time".
While the EBA explained that service providers should normally be notified in advance of intended on-site visits, the outsourcing contracts should not rule out inspections being carried out at short notice, or without prior notice, where circumstances require it.
"Before a planned on-site visit, institutions, payment institutions, competent authorities and auditors or third parties acting on behalf of the institution, payment institution or competent authorities should provide reasonable notice to the service provider, unless this is not possible due to an emergency or crisis situation or would lead to a situation where the audit would no longer be effective," the EBA said.
According to the EBA, all outsourcings, including those that are not critical or important, must be recorded in an outsourcing register. The guidance sets out what details of the outsourcings banks should include in the register, which must be accessible to regulators upon their request.
The EBA's guidelines also address banks' oversight of sub-outsourcing arrangements that their service providers may enter into. As with the other provisions, the requirements here focus on 'critical or important' outsourcings.
Those outsourcing contracts must stipulate whether sub-outsourcings are permitted by service providers, the EBA said. Where permitted, the agreements must be specific about the "types of activities that are excluded from sub-outsourcing", as well as "the conditions to be complied with in the case of sub-outsourcing". In addition, the contracts must state that the service provider is responsible for overseeing compliance with the contractual obligations by the sub-contractor.
The contracts must also require that service providers "obtain prior specific or general written authorisation from the institution or payment institution before sub-outsourcing data", and that intended "material" changes in sub-outsourcing arrangements are notified to the institutions.
Banks must also ensure their contracts with service providers give them a right to terminate those agreements where the provider engages in "undue sub-outsourcing", which includes cases where the sub-outsourcing "materially increases the risks for the institution or payment institution or where the service provider sub-outsources without notifying the institution or payment institution".
All sub-outsourcing of critical or important functions by service providers that banks have agreed to should also be recorded in the register, according to the guidance.
Following feedback from industry, the EBA clarified that not all outsourcings to the cloud will necessarily be considered 'critical or important'.