It is positive that, in the revised guidance, the EBA has made attempts to reduce the document keeping burden for outsourcing arrangements that are not assessed to be part of a critical or important function. However, there are still likely to be areas where institutions feel it has not made enough change.
There are 10 areas where the EBA has made changes that financial institutions should be aware of.
1. Focusing on critical and important functions
The EBA has responded to industry criticism that its draft outsourcing guidelines went too far and imposed detailed requirements in relation to all of an institution's outsourcing arrangements, including those which it assesses to be 'non-critical or important' or 'non-material'. However, while the EBA has reduced the number of guidelines which are intended to apply directly to the outsourcing of non-critical and important functions, some references to those types of arrangements remain. Institutions should ensure that they have processes and controls in place for all outsourcing arrangements which take into account the extent to which the guidelines are relevant.
Unfortunately, there is no clear consolidated list of which guidelines apply to which types of arrangements. Some respondents to the EBA's consultation on its draft guidelines had asked for the specific requirements for each type of outsourcing ('general outsourcing', 'outsourcing of a critical or important function' and 'intragroup arrangements') to be compiled in a specific table or diagram. The EBA, however, has chosen not to provide this, suggesting that the "guidelines ensure that the scope of application of the requirements is sufficiently clear."
The EBA's cloud recommendations have been integrated into the final guidelines as they had been in the draft guidelines. The final version clarifies that cloud outsourcings are not automatically considered 'critical or important', an impression that some had taken from the draft guidelines. In the comments section the EBA has said that "cloud outsourcing follows the same approach as other arrangements with service providers, taking into account cloud specificities."
New references to 'cloud monopolists' however will not be pleasing to some.
3. The definitions of outsourcing
The EBA has fully aligned its definition of outsourcing with that set out in the MiFID II framework. It has also clarified that the definition applies to 'parts of' a function. A function is defined to include 'processes, services and activities' which form part of it.
In its comments the EBA acknowledges that there is still some relevance in distinguishing between 'outsourcing' and 'purchasing', although it does not adopt a definition of purchasing within the guidelines. It seems now to be favouring a test which is focussed on whether the arrangement is for 'non-recurrent activities' or ones which are "performed on a recurrent or an ongoing basis". The latter are more likely to be considered outsourcing.
The EBA has also included a more detailed list of the types of arrangements which will likely fall outside the definition of outsourcing. The list now includes references to market information services, global network infrastructure such as Visa and Mastercard, 'hardware or storage space' and many other arrangements.
4. Date of application
New dates have been included for the guidelines to come into force and for transitional arrangements. While the ultimate final date is 31 December 2021, the guidelines will come into force and apply to all outsourcing arrangements entered into, reviewed or amended after 30 September 2019.
5. Audit rights
While the scope of audit rights to be included in outsourcing agreements has not materially changed between the draft and final version of the guidelines, the EBA has commented in relation to audit rights that "the guidelines have been revised to allow for a more principle based and proportionate approach."
The EBA has provided that audit rights are to be set out in the outsourcing agreement 'at least' in the context of outsourcings of critical and important functions. Whether audit rights need to be included in non-critical and important outsourcing agreements is a matter that needs to be assessed on a case-by-case basis taking into account the principle of proportionality.
The EBA has clarified that the requirement to obtain prior approval before 'sub-outsourcing data' may be 'general' and need not be 'specific'. This change has been made to match the process enabled by the General Data Protection Regulation that allows for processors of personal data to engage sub-processors on prior general written authorisation. This change has been made in response to concerns by some that "the prior approval requirement would be extremely challenging to obtain, especially for cloud or standardised services."
In most other respects, the requirements in relation to sub-outsourcing do not appear to have changed significantly. The guideline that sub-outsourcing is only permitted if the service provider obtains from the sub-outsourcing provider the right to "grant the institution, payment institution and competent authority the same contractual rights of access and audit as those granted by the service provider" has been retained.
7. Data locations and business continuity
References in the agreement and the outsourcing register to 'data locations' are now consistently qualified by the words 'countries or regions'. The impact of this appears to be an acknowledgment from the EBA that the exact locations, as opposed to the 'country or region', of data centres need not be disclosed where their disclosure would compromise data security. However, the EBA has also included comments that "if the competent authorities requires more detailed information, e.g. to prepare an audit, more detailed information needs to be provided" and that "Institutions need the exact location of the service provision to be able to fulfil their regulatory obligations, including executing audit rights, where needed." In context it appears that the EBA is not requiring the exact location to be set out in the contract but for institutions to retain the right to be made aware of those locations if necessary in order to undertake audits or otherwise satisfy their regulatory obligations.
The requirement to 'involve' the service provider in business continuity planning in cases of potential 'severe business interruption' set out in the draft guidelines has been removed. The EBA has also clarified that, in relation to critical and important functions, institutions cannot rely solely on the business continuity plans of their service providers: they need to maintain their own business continuity plans.
8. Exit strategies
The EBA has sought to better align its exit strategy guidelines with those required under the Bank Recovery and Resolution Directive (BRRD). It has said that "Where such plans include sufficient exit strategies from outsourcing arrangements, it is not necessary to define additional strategies for this purpose."
It also clarifies that the BRRD requirements "are tailored for a specific purpose that deviates from a business-as-usual scenario" and that "Institutions should also consider in their operational risk and business continuity management that a failure of an internal service provider may have a material impact on their business activities."
More generally, the draft guidelines seemed to create uncertainty in providing that exit plans needed to be tested. The EBA has clarified that "the actual exit does not need to be tested in terms of a switch to another provider."
9. Broader contractual requirements
Many of the requirements which were expressed as applicable to all outsourcing arrangements in the draft version are now set out as requirements applicable to critical or important functions. These include the requirements to specify the location of data, to observe sub-outsourcing restrictions included in the guidelines and to set out access and audit rights. End dates only need to be set out in the contract 'where applicable'.
10. Group arrangements and record keeping
A number of concessions have been made to account for outsourcings that take place in an intra-group context. However, the EBA has maintained its view that "intragroup outsourcing is not necessarily less risky than outsourcing to an entity outside the group."
The obligation to maintain a register of all outsourcing arrangements remains and extends now to 'ended', likely meaning terminated, expired or otherwise concluded, outsourcing arrangements to the extent that such documentation can be maintained in accordance with national laws.
Luke Scanlon is a financial services and technology law expert at Pinsent Masons, the law firm behind Out-Law.com