[Newsletter n. 11]

On 22 June 2018 EBA launched a public consultation on its Guidelines on outsourcing, which will repeal the CEBS guidelines issued in 2006 (which only applied to credit institutions), in order to establish a more harmonized framework for the outsourcing arrangements of financial institutions. Indeed, requirements regarding the outsourcing of banking activities by institutions are not harmonised to the same extent as for institutions and payment institutions subject to MiFID II and PSD2.

The Guidelines are organized in the following sections:

  • Proportionality and group application
  • Outsourcing arrangements
  • Governance framework
  • Outsourcing process
  • Guidelines on outsourcing addressed to competent authorities

The Guidelines apply to competent authorities and institutions as defined under the Capital Requirements Regulation (Regulation (EU) No 575/2013), i.e. credit institutions and investment firms, as well as to payment institutions as defined by PSD2 (Directive (EU) 2015/2366) and electronic money institutions within the meaning of the e-money Directive (Directive 2009/110/EC).

Responses to the consultation may be submitted not later than 24 September 2018.

A public hearing will take place at the EBA premises on 4 September 2018 from 10:00 to 12:00 UK time.

______

The proposal for new guidelines clearly reflects a phenomenon that is growing in the financial market, especially in the context of digitalization. Through this initiative EBA aims at addressing the challenges and issues posed by the increased recourse to outsourcing. Indeed, over recent years, institutions and payment institutions have outsourced activities in order to reduce costs, improve flexibility, get relatively easy access to new IT and Fintech solutions and achieve economies of scale. Such new options for outsourcing, in particular outsourcing to cloud service providers, which rapidly gained importance in many industries, carry a high level of uncertainty regarding supervisory expectations, and this uncertainty was forming a barrier to institutions using them. In order to address the said uncertainty, EBA already developed the Recommendations on outsourcing to cloud service providers in 2017 (see also our Newsflash n. 31).

Indeed, EBA has stressed the key role of cloud providers, which are expected to have the ability to appropriately protect the confidentiality, integrity and availability of data (in transit or at rest) and to be equipped with efficient and reliable systems and processes used to process, transfer or store those data.

Beyond any detailed examination of the content of the Guidelines, it is worth mentioning the attempt to create an instrument helping the harmonization of different legislation. To this end the Guidelines provide a clear definition of the critical functions that are outsourced. The wording “critical or important functions” is based on the wording used under MiFID II and the relevant Commission Delegated Regulation (EU) 2017/565, which is considered to embrace all existing legislation and ensure the desired level playing field for the addressees of the Guidelines, without prejudice to the definitions used under the BRRD, Solvency II and PSD2. According to such definition, “an operational function shall be regarded as critical or important where a defect or failure in its performance would materially impair the continuing compliance of an investment firm with the conditions and obligations of its authorisation or its other obligations under Directive 2014/65/EU, or its financial performance, or the soundness or the continuity of its investment services and activities.”

Inter alia, the Guidelines deal with the responsibilities of the management body for the establishment of an appropriate framework for outsourcing, its implementation and application in a group, and the due diligence process and risk assessment before entering into such arrangements. They also clarify aspects related to the contractual arrangements, the monitoring and documentation of outsourcing arrangements, as well as the supervision by competent authorities. It is highlighted that the responsibility of the institution’s management body can never be outsourced, in order to ensure that institutions remain able to oversee all risks and to manage outsourcing arrangements, to effectively control and challenge the quality and performance of outsourced processes, services and activities, and to carry out their own risk assessment and ongoing monitoring.

The Guidelines should be read in conjunction with, and without prejudice to, the other guidelines issued by EBA which may have an impact on and improve the outsourcing of activities (such as EBA guidelines on internal governance, EBA guidelines on common procedures and methodologies for the supervisory review and evaluation process, EBA guidelines on ICT risk assessment under the SREP and, specifically for payment institutions, EBA guidelines on the information to be provided for the authorisation of payment institutions under Directive 2015/2366/EU (PSD2), EBA guidelines on security measures for operational and security risks under PSD2 and EBA guidelines on major incident reporting under PSD2).

______

Please do not hesitate to contact us should you need any clarification on the draft Guidelines or assistance in submitting your response.

Contacts:

Vito Vittore
Partner

Massimiliano Silvetti
Partner

Marina Mirabella
Partner

Elena Pagnoni
Partner

Chiara Di Torrice
Associate