The European Banking Authority (EBA) published its Guidelines on outsourcing arrangements in February 2019, replacing the CEBS guidelines on outsourcing published in 2006. While the CEBS guidelines were limited in scope to credit institutions and investment firms, the EBA outsourcing guidelines extend that scope to payment institutions and electronic money institutions as well.
The transitional period for implementing these guidelines expires on 31 December 2021, leaving roughly six months for institutions to comply. Organizations within scope need to revisit their contractual arrangements with third parties, renegotiate service-level agreements, and update their governance frameworks so that they are compliant before the transitional period ends.
What Are the EBA Outsourcing Guidelines?
The EBA outsourcing guidelines were published amid growing interest from European and UK regulators in how banks and other financial institutions use new fintech solutions, and in the extent to which they can outsource IT functions and technologies.
The guidelines set out requirements for assessing outsourcing risks; conducting due diligence on service providers, such as background checks and credit risk assessments; drafting contracts that spell out each party’s responsibilities; establishing governance processes to oversee outsourcing arrangements; and more.
If you manage an in-scope institution and are considering engaging an outside vendor to provide services or products in place of your own staff, or already have such contracts in place, you need to work through the guidelines and amend existing contracts, or sign new ones, so that they comply.
These guidelines are designed to strengthen the risk mitigation frameworks of firms operating in the financial sector in Europe and the UK. They include a set of requirements for institutions to follow when negotiating outsourcing contracts. The main requirements include:
- Adherence to the IT and data security standards the guidelines define for outsourced functions.
- Development of a robust outsourcing policy that is in line with the institution’s risk management policies.
- A well-functioning and efficient internal control framework.
- Policies for the protection of customer data, both within the institution and within the outsourced function, including specifying the locations where data is stored or processed by the service provider.
- Termination rights that allow the institution to exit an outsourcing arrangement, for example where weaknesses are identified in the service provider’s handling and security of confidential or personal data.
- Paragraph 100 of the guidelines requires institutions to monitor and analyse the performance of the service provider on an ongoing basis, with emphasis on the security and accessibility of data and on reporting.
Who Do The EBA Outsourcing Guidelines Apply To?
The EBA outsourcing guidelines specify that the management body of every institution remains fully responsible for compliance with the guidelines and for all of the institution’s activities, including those it outsources. The management body must therefore make available all the resources needed to support and discharge those responsibilities.
These guidelines apply to all outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019. Legacy contracts made before that date must be brought into compliance when they are next renewed, or by 31 December 2021 at the latest.
These guidelines apply to:
- All credit institutions, such as banks;
- Investment firms subject to the Capital Requirements Regulation, in particular those with regulatory permission to hold client money or to deal on their own account;
- All e-money firms and payment institutions (fintech solutions providers).
It’s important to note that there are some exclusions. BIPRU firms, which can execute client orders or offer portfolio management services but do not hold their clients’ securities or money, are excluded. However, such firms must still comply with the MiFID II Directive.
The EBA outsourcing guidelines also exclude credit intermediaries, non-bank consumer lenders, insurance companies, and registered account information service providers (AISPs) under PSD2.
How Does the EBA Define “Outsourcing”?
The guidelines define “outsourcing” as an arrangement of any form between a regulated institution (such as a credit institution, a payment institution or an e-money institution) and a service provider, by which the service provider performs a process, a service or an activity, or parts thereof, that would otherwise be undertaken by the regulated institution itself.
This definition also covers intragroup outsourcing, because intragroup arrangements are now deemed to carry a risk similar to that of arrangements with service providers outside the group. Conflicts of interest must also be considered before finalizing intragroup outsourcing contracts.
While the guidelines apply to all outsourcing arrangements, they are more stringent for functions that are deemed “critical or important.” The following activities are not considered outsourcing:
- Functions that are legally required to be performed by a service provider, such as a statutory audit;
- Global network infrastructures (e.g. Visa or MasterCard);
- Global financial messaging infrastructures that are subject to oversight by the relevant authorities;
- The acquisition of services that the institution would not otherwise undertake itself;
- Correspondent banking services;
- Clearing and settlement arrangements.
How Can Organizations Prepare Their Outsourcing Arrangements to Comply with EBA Regulations?
Organizations need to review their contract compliance systems and outsourcing arrangements to ensure that they comply with the guidelines. Institutions must identify which contractual arrangements need to be updated and remediate them with the service providers before the deadline.
Organizations must develop a framework to manage their contractual obligations and commitments, while keeping the broader outsourcing lifecycle in perspective. The system must highlight, and provide reporting on, key control areas, data points, and correspondence with the relevant parties. The following key points must be considered:
Classification: does the arrangement fall under the definition of “outsourcing,” and if so, does it concern a “critical or important” function?
Governance: are strong contractual and internal controls in place for effective oversight? Outsourcing contracts must also require service providers to furnish regular reports on the performance of the outsourced function.
Policies: the outsourcing policy must be documented, maintained, and readily available for use in practice.
Audit: the institution must have the right to audit the service provider, with the scope of the audit and the access and audit rights specified in the contract.
Register: a formal register of all outsourcing arrangements, together with the relevant documents and information, must be maintained. It must be made available to the competent authority (such as the Central Bank) on request.
Exit Strategy: a documented exit strategy must be in place so that the institution can leave the arrangement without undue disruption; it should be specified in the contract or developed alongside it.
Business Continuity: a business continuity plan must be included in the contract, or developed shortly after the effective date, and regularly tested for operational resilience.
How a Contract Compliance System Can Help Organizations Ensure They Are Fully Compliant with EBA Guidelines
An effective contract compliance system helps organizations by capturing the key fields of every contract they enter into with an outsourced service provider, which makes it far easier to demonstrate compliance with the EBA guidelines. Important examples of data the system can capture for this purpose include:
- Organization name
- Contract start date
- Contract expiry date
- Vendor name
- Vendor number
- Payment term
- Gross, Net and VAT amount
- Delivery terms
- Nature of agreement and agreed services
- Updates of agreed service levels and performance by vendor
- Declaration of whether personal data is transferred to and processed by the service provider (data protection)
- Agreed security policy, with an obligation on each side to inform the other when a breach has taken place
- A field indicating whether the outsourced function is critical/important
- A field indicating when this assessment was last carried out
- A field explaining why it is deemed critical/important
- Sub-contractor name and country (where registered)
- Location of storage of data by the subcontractor
- Date of most recent audit of a supplier and audit frequency
- Details of supplier systems (e.g. ISO certified? Anti-virus software in place?)
- Termination agreements
Other Benefits of Using a Contract Compliance System
Contract compliance systems make it easy for organizations to keep track of all the contracts they enter into with third parties. Organizations can control who can view or access each contract, and set reminders so that they are notified when contracts are expiring or up for renegotiation.
Contract compliance systems also simplify auditing and offer secure information storage that is compliant with regional and industry requirements such as those defined by the IRS, the GDPR, and the Sarbanes-Oxley Act.
The Bottom Line
With about six months left before the transitional period expires, organizations need to start updating their legacy contracts as quickly as possible. A contract management system simplifies matters, but with time running out, it is imperative that organizations align with the guidelines by updating existing contracts and ensuring that new ones comply.
If you would like to learn more about how SoftCo can help your organization comply with the EBA outsourcing guidelines, take a look at our Contract Compliance solution or simply Request a Demo and a member of our Sales team will be in contact with you.