The attendees at the Public Consultation raised a number of questions which have, no doubt, given the EBA considerable food for thought. This blog post identifies and explores the key themes of the day. Beyond the key themes identified below, the Public Consultation included discussions of the issues of internal audit, reporting and registration, and supervisory oversight. Many attendees at the Public Consultation noted that this scope was unduly onerous and would become administratively burdensome for firms to manage. Notably, the broadening of the addressees of the Draft Guidelines (In-scope Entities), to include payment institutions subject to the revised Payment Services Directive (PSD2) and electronic money institutions subject to the e-money Directive, was not discussed in detail at the Public Consultation.
By Fiona M. Financial institutions will now only need to consult one set of guidelines for cloud and non-cloud outsourcing. The Guidelines apply to a wider range of entities (Covered Entities for the purpose of this article) than the CEBS Guidelines and the Cloud Recommendations, including payment or electronic money institutions. The Guidelines come into force on 30 September Any outsourcing arrangements entered into, reviewed, or amended by Covered Entities after that date must comply with the Guidelines.
Covered Entities must also update all existing outsourcing arrangements in line with the Guidelines by 31 December For Covered Entities that are already subject to the Cloud Recommendations, these deadlines will not have any effect on their obligation to comply with the cloud specific requirements — these requirements will continue to apply as they did prior to publication of the Guidelines.
An overview of the status of the Cloud Recommendations, per jurisdiction, can be found here. Covered Entities will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition. To outsource banking and payment services to a third country i.
On balance, such requirements invariably favour established service providers over emerging FinTech actors. Specifically, the Guidelines require Covered Entities to implement a written Outsourcing Policy defining the principles, responsibilities, and processes relevant to each phase of the outsourcing lifecycle. Many Covered Entities may need to formalise existing processes that are not clearly documented in a single policy.
This step could lead to a considerable change in how Covered Entities approach negotiations, as they will be forced to require consistency across all outsourcing contracts on these specific procedures so as to align with their outsourcing policy.
Covered Entities may therefore want to consider preparing rider governance schedules that are incorporated into all outsourcing contracts whether on supplier paper or their own to ensure that these processes are consistently documented across all contracts in accordance with the outsourcing policy.
This maintenance may prove to be a significant task for Covered Entities, who most likely do not have such a record in place today — at least not to the granular level the Guidelines require. Covered Entities should consider whether they can leverage work undertaken as part of their GDPR compliance programme, whereby third-party vendors will have been identified and various details documented as part of the GDPR Record of Processing, when preparing this register.
The Guidelines are not prescriptive as to the format of the register nor do they provide any specific requirements regarding periodic maintenance of the register. Covered Entities should include specific reference to the process for completing and updating the register in the outsourcing policy.

Intragroup Arrangements

The Public Consultation focused particularly on the applicability of the Guidelines to intragroup arrangements and concern that the Guidelines would hinder intra-group outsourcing.
Each individual institution therefore must be cognizant of their own responsibilities, notwithstanding a centralised, consolidated group arrangement or policy. For Covered Entities that have historically placed this onus on a centralised procurement function or service entity, this awareness of responsibility may require internal review. Intragroup outsourcing arrangements inevitably will be viewed with less rigour than third-party outsourcing and, as with many aspects of compliance with these Guidelines, proportionality will be key.
Covered Entities must also be cognizant of the fact that an outsourcing must not lead to a situation in which a financial institution becomes an empty shell that lacks the substance to remain authorised. To counter this outcome, entities must retain sufficient resources and a robust operational and governance framework to effectively carry out their own management and oversight responsibilities. Increased costs of such compliance will need to be factored into business cases when considering the merits of an outsourcing.
Sector concentration occurs if multiple Covered Entities rely on a small number of service providers, and is considered especially relevant by the EBA in the context of IT outsourcing.
Competent authorities will use the outsourcing registers (described above) maintained by Covered Entities to manage this risk and track sector concentration. Covered Entities should consider the potential for concentration risk in their supplier down-selection processes (particularly if monopolists are involved) and, if appropriate, engage with their national regulators at an early stage of outsourcing.
It will be interesting to see how the market develops with respect to the level of information, if any, that Covered Entities can receive from service providers regarding their engagement with other Covered Entities, and any contractual protections that may result.
CEBS: Guidelines on outsourcing
The EBA has also "integrated" its recent Recommendations on outsourcing to cloud service providers into the Guidelines. The Guidelines also cover a broad spectrum of arrangements beyond critical and material outsourcings, including outsourcings which are not critical or material and even other service provision arrangements. The Guidelines provide a list of requirements that apply to all outsourcings and some requirements which apply to arrangements with third parties. The Guidelines specify that outsourcing must not lead to an institution becoming an "empty shell" lacking the substance to remain authorised. Sufficient resources must be in place to support and ensure performance of responsibilities.

The Guidelines are more prescriptive than current outsourcing regulation

The Guidelines would go beyond the outsourcing requirements of current EU law e.
EBA Guidelines on Outsourcing Arrangements
European Banking Authority’s Draft Guidelines on Outsourcing: Discussion of Key Themes