New EBA Guidelines Outsourcing: What should be considered? According to the guidelines, outsourcing is an agreement between a credit institution, an e-money institution or a payment institution and an outsourcing company. The latter is also called a “service provider”. Under this agreement, the outsourcing company performs all or part of a process, service or activity that the institution would otherwise perform itself.
When assessing outsourcing arrangements, institutions and payment institutions shall determine whether an arrangement with a third party falls within the definition of outsourcing or does not constitute outsourcing.
This assessment should take into account whether the function (or part of it) outsourced to a service provider is performed by the service provider on a recurring or ongoing basis and whether that function (or part of it) would normally fall within the scope of functions that would or could realistically be performed by institutions or payment institutions, even if the institution or payment institution has not performed that function itself in the past.
Which audit criteria apply to the supervisory assessment of outsourcing controlling? The EBA Guidelines on Outsourcing provide binding guidelines for the supervisory assessment. As part of their assessment, supervisors should consider the following 7 risks in particular:
Institutions and payment institutions should, taking into account the principle of proportionality in accordance with Section 1, identify, assess, monitor and manage all risks to which they are or may be exposed as a result of arrangements with third parties. This shall be done irrespective of whether these arrangements are outsourcing arrangements or not.
The risks, in particular the operational risks, of all arrangements with third parties, including those referred to in paragraphs 26 and 28, should be assessed in accordance with Section 12.2 of the EBA Guidelines on Outsourcing.
Institutions and payment institutions shall ensure that they comply with all the requirements laid down in Regulation (EU) 2016/679, including as regards third-party agreements and outsourcing arrangements.
As regards critical or essential functions, institutions and payment institutions shall ensure that the service provider has
This is the only way to ensure that the service provider is able to fulfil its obligations during the term of the draft contract.
Institutions and payment institutions should exercise due skill, care and diligence in monitoring and managing outsourcing arrangements.
Institutions shall regularly update their risk assessment and periodically report to the management body on the risks identified in relation to the outsourcing of critical or essential functions.
Institutions and payment institutions shall monitor and manage their internal concentration risks arising from outsourcing arrangements. These risks can be managed using key performance indicators, as described in EBA Guidelines Outsourcing: Use of Key Performance Indicators.
The EBA Guidelines on Outsourcing also regulate the principle of proportionality. This principle applies to the compliance of institutions with the requirements for outsourcing as well as to the monitoring of compliance by supervisory authorities. For the application of the proportionality principle, the criteria developed by the EBA within the framework of the guidelines on internal governance can be used.
In addition, requirements are formulated for central outsourcing solutions within a group or a cross-guarantee system. Examples are a risk analysis, group-wide monitoring and control of outsourcing as well as an outsourcing register at group level. In this case, too, the individual institution remains responsible for compliance with the outsourced banking supervisory requirements. Thus, corresponding rights to information and reporting obligations must be established.
Institutions that have received an exemption from the supervisory authorities (“waiver”) only have to comply with the requirements at the level of the parent company (the central organisation).
The EBA Guidelines on Outsourcing specify basic requirements for the outsourcing of processes, services or activities to an outsourcing company.
The outsourcing of functions does not delegate management responsibility. The management body remains fully responsible and legally liable for the outsourced areas. In addition, it must adopt a written “Outsourcing Policy” at the level of the institution as well as at the group level and ensure its implementation. Institutions must have an internal organisation with clearly assigned responsibilities and sufficient resources to ensure adequate governance and monitoring of outsourcing arrangements.
In addition, an “outsourcing function” or, alternatively, the appointment of a senior manager with a direct link to the management is required. The guidelines also contain comprehensive requirements for dealing with conflicts of interest that may arise in connection with outsourcing. If material conflicts of interest arise between group companies in the case of intra-group outsourcing, appropriate measures must be taken to manage these conflicts.
If internal control functions (internal audit, risk control and compliance) are outsourced, the institution should exercise appropriate oversight and be able to adequately manage the risks arising from the outsourcing of critical functions.
In addition, comprehensive requirements are placed on business continuity plans and on the internal audit of the outsourcing institution. The documentation requirements are significantly higher than those of MaRisk. Thus, institutions must keep a detailed outsourcing register of all outsourcing agreements in a common database format at the institution and group level. Institutions must regularly make this register available to the supervisory authorities as part of the SREP. Under certain conditions, however, it can also be kept centrally at the group level.
The EBA guidelines specify detailed requirements for the risk analysis to be carried out before outsourcing, depending on whether the arrangement has been classified as a critical or significant function or as other outsourcing. In this context, the outsourcing of certain functions, e.g. the operational activities of the internal control functions, should always be classified as critical or significant. The guidelines contain concrete assessment criteria which institutions must at least take into account in this classification.
For example, when conducting due diligence on the service provider, institutions must assess whether the service provider has sufficient and appropriate capabilities, capacity, resources, organisational structures and, where applicable, the necessary approvals. In addition, before entering into the outsourcing agreement, institutions should identify, assess, monitor and communicate all associated risks. The principle of proportionality must be applied here.
There are also comprehensive requirements for all outsourcing agreements. Institutions must have the necessary rights granted to them in the outsourcing agreement in the event of further outsourcing, termination rights as well as access, information and audit rights. The requirements for monitoring the outsourced activities, processes and services are also regulated. Under certain conditions, centralisation at group level is possible.
Finally, the guidelines set out requirements on information security, including in connection with cloud services, and on exit strategies. Institutions should notify the supervisory authority of the planned outsourcing of critical or significant functions in good time in advance.
The EBA Guidelines on Outsourcing also address the competent supervisory authorities. The supervisor should carry out the risk assessment of outsourcing at least within the framework of the supervisory review and evaluation process (SREP). In addition to operational risk, reputational risk and concentration risks, the so-called step-in risk and possible conflicts of interest between service provider and institution should also be considered. For this purpose, the supervisory authority can use the outsourcing register submitted to it by the institutions, and can also demand information that goes beyond the register.
According to the draft, the requirements of the guidelines for new outsourcing projects, including outsourcing to cloud service providers, are to apply from 30 June 2019. For existing outsourcing arrangements, the new documentation requirements can be implemented as the arrangements come up for their regular revision. However, they must be completed by 31 December 2020 at the latest.