In accordance with Article 74(1) of the Capital Requirements Directive (2013/36/EU) (‘CRD’), institutions shall have robust governance arrangements, which include a clear organisational structure with well-defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks they are or might be exposed to, adequate internal control mechanisms, including sound administration and accounting procedures, and remuneration policies and practices that are consistent with and promote sound and effective risk management.
Article 74(3) of the CRD provides the EBA with a mandate to issue guidelines on the arrangements, processes and mechanisms referred to above. In particular, the EBA updated Committee of European Banking Supervisors’ (‘CEBS’) guidelines that were issued in 2006 in order to establish a more harmonised framework for all financial institutions that are within the scope of the EBA’s mandate. The Outsourcing Guidelines set out specific provisions for these financial institutions’ governance frameworks with regard to their outsourcing arrangements and the related supervisory expectations and processes.
The 2006 CEBS guidelines applied exclusively to credit institutions. In issuing the Outsourcing Guidelines, the EBA widened the scope of application to include:
- credit institutions and investment firms subject to the CRD; and
- payment and electronic money institutions.
The Outsourcing Guidelines are not directly addressed to credit intermediaries and non-bank creditors that are subject to the Credit agreements for Consumers Relating to Residential Immovable Property Directive (2014/17/EU) or to account information service providers that are only registered for the provision of service 8 of Annex I to the Revised Payment Service Directive (2015/2366/EU) (‘PSD2’).
Outsourcing arrangements between institutions, payment institutions and such entities are within the scope of the Outsourcing Guidelines when such entities act as outsourcing service providers.
Date of application
The Outsourcing Guidelines apply from 30 September 2019 to all outsourcing arrangements entered into, reviewed or amended on or after this date (whilst paragraph 63(b) applies from 31 December 2021).
Institutions and payment institutions should review and amend accordingly existing outsourcing arrangements with a view to ensuring that these are compliant with the Outsourcing Guidelines.
Where the review of outsourcing arrangements of critical or important functions is not finalised by 31 December 2021, institutions and payment institutions should inform their competent supervisory authority of that fact, including the measures planned to complete the review or the possible exit strategy.
Institutions and payment institutions should complete the documentation of all existing outsourcing arrangements, other than for outsourcing arrangements to cloud service providers, in line with the Outsourcing Guidelines following the first renewal date of each existing outsourcing arrangement, but by no later than 31 December 2021.
Assessment of outsourcing arrangements
Institutions and payment institutions should establish whether an arrangement with a third party falls under the definition of outsourcing.
‘Outsourcing’ is defined as ‘an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself.’
Where an arrangement with a service provider covers multiple functions, institutions and payment institutions should consider all aspects of the arrangement within their assessment, e.g. if the service provided includes the provision of data storage hardware and the backup of data, both aspects should be considered together.
According to the EBA, as a general principle, institutions and payment institutions should not consider the following as outsourcing:
- a function that is legally required to be performed by a service provider;
- market information services;
- global network infrastructure;
- clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members;
- correspondent banking services; and
- the acquisition of services that would otherwise not be undertaken by the institution or payment institution, and the acquisition of goods or utilities.
Critical or important functions
The EBA states that institutions and payment institutions should always consider a function as critical or important in the following situations:
- where a defect or failure in its performance would materially impair their continuing compliance with the conditions of their authorisation or their other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations; their financial performance; or the soundness or continuity of their banking and payment services and activities;
- when operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function;
- when they intend to outsource functions of banking activities or payment services to an extent that would require authorisation by a competent authority.
In the case of institutions, particular attention should be given to the assessment of the criticality or importance of functions if the outsourcing concerns functions related to core business lines and critical functions as defined in Articles 2(1)(35) and 2(1)(36) of Directive 2014/59/EU and identified by institutions using the criteria set out in Articles 6 and 7 of Commission Delegated Regulation (EU) 2016/778.
Functions that are necessary to perform activities of core business lines or critical functions should be considered as critical or important functions, unless the institution’s assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the operational continuity of the core business line or critical function.
Outsourcing of critical and important functions can have a strong impact on the institution’s or payment institution’s risk profile. To this end, additional requirements apply to the outsourcing of critical or important functions, which aim to ensure the soundness of their governance arrangements and that competent authorities can exercise effective supervision.
When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment, at least the following factors:
- whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which they are authorised;
- the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their:
  - short- and long-term financial resilience and viability, including, if applicable, their assets, capital, costs, funding, liquidity, profits and losses;
  - business continuity and operational resilience;
  - operational risk, including conduct, information and communication technology (ICT) and legal risks;
  - reputational risks;
  - where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation;
- the potential impact of the outsourcing arrangement on their ability to:
  - identify, monitor and manage all risks;
  - comply with all legal and regulatory requirements;
  - conduct appropriate audits regarding the outsourced function;
- the potential impact on the services provided to its clients;
- all outsourcing arrangements, the institution’s or payment institution’s aggregated exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area;
- the size and complexity of any business area affected;
- the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying agreement;
- the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so (‘substitutability’);
- the ability to reintegrate the outsourced function into the institution or payment institution, if necessary or desirable;
- the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity on the institution or payment institution and its clients, including but not limited to compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
The outsourcing of critical or important functions to service providers located in third countries is subject to additional safeguards that ensure that this outsourcing does not lead to an undue increase in risk or impair the ability of competent authorities to effectively supervise institutions and payment institutions.
Governance framework requirements
Sound governance arrangements and third-party risk
As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks.
Institutions and payment institutions should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements.
Sound governance arrangements and outsourcing
The outsourcing of functions cannot result in the delegation of the management body’s responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions.
Institutions and payment institutions should:
- clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements;
- allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements;
- establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution’s internal control framework and for overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution’s or payment institution’s management body.
In addition, when outsourcing, institutions and payment institutions should also ensure that:
- the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology;
- appropriate confidentiality arrangements are in place regarding data and other information;
- an appropriate flow of relevant information with service providers is maintained;
- where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with the GDPR.
The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA’s Guidelines on Internal Governance and, in particular, should take into account the requirements set out in Section 18 of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on Internal Governance.
In particular, the policy should cover at least:
- the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions;
- the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements;
- the planning of outsourcing arrangements;
- the implementation, monitoring and management of outsourcing arrangements;
- documentation and record-keeping;
- the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement.
The internal audit function’s activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions.
With regard to the outsourcing process, the internal audit function should at least ascertain:
- that the institution’s or payment institution’s framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body;
- the adequacy, quality and effectiveness of the assessment of the criticality or importance of functions;
- the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution’s risk strategy;
- the appropriate involvement of governance bodies; and
- the appropriate monitoring and management of outsourcing arrangements.
As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period.
The register should include at least the following information for all existing outsourcing arrangements:
- a reference number for each outsourcing arrangement;
- the start date and, as applicable, the next contract renewal date, the end date and/or notice periods for the service provider and for the institution or payment institution;
- a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider;
- a category assigned by the institution or payment institution that reflects the nature of the function, which should facilitate the identification of different types of arrangements;
- the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any);
- the country or countries where the service is to be performed, including the location (i.e. country or region) of the data;
- whether or not the outsourced function is considered critical or important, including, where applicable, a brief summary of the reasons why the outsourced function is considered critical or important;
- in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored;
- the date of the most recent assessment of the criticality or importance of the outsourced function.
For the outsourcing of critical or important functions, the register should include at least the following additional information:
- the institutions, payment institutions and other firms within the scope of the prudential consolidation or institutional protection scheme, where applicable, that make use of the outsourcing;
- whether or not the service provider or sub-service provider is part of the group or a member of the institutional protection scheme or is owned by institutions or payment institutions within the group or is owned by members of an institutional protection scheme;
- the date of the most recent risk assessment and a brief summary of the main results;
- the individual or decision-making body (e.g. the management body) in the institution or the payment institution that approved the outsourcing arrangement;
- the governing law of the outsourcing agreement;
- the dates of the most recent and next scheduled audits, where applicable;
- where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the sub-contractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored;
- the outcome of the assessment of the service provider’s substitutability (as easy, difficult or impossible), the possibility of reintegrating a critical or important function into the institution or the payment institution or the impact of discontinuing the critical or important function;
- identification of alternative service providers in line with the substitutability assessment above;
- whether the outsourced critical or important function supports business operations that are time-critical;
- the estimated annual budget cost.
Before entering into any outsourcing arrangement, institutions and payment institutions should:
- assess if the outsourcing arrangement concerns a critical or important function;
- assess if the supervisory conditions for outsourcing are met;
- identify and assess all of the relevant risks of the outsourcing arrangement;
- undertake appropriate due diligence on the prospective service provider;
- identify and assess conflicts of interest that the outsourcing may cause.
Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements.
The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis.
Before entering into an outsourcing arrangement and considering the operational risks related to the function to be outsourced, institutions and payment institutions should ensure in their selection and assessment process that the service provider is suitable.
With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner and to meet its obligations over the duration of the draft contract.
The rights and obligations of the institution, the payment institution and the service provider should be clearly allocated and set out in a written agreement.
The outsourcing agreement for critical or important functions should set out at least:
- a clear description of the outsourced function to be provided;
- the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution;
- the governing law of the agreement;
- the parties’ financial obligations;
- whether the sub-outsourcing of a critical or important function, or material parts thereof, is permitted and, if so, the conditions specified in Section 13.1 that the sub-outsourcing is subject to;
- the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s);
- where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data, as specified in Section 13.2;
- the right of the institution or payment institution to monitor the service provider’s performance on an ongoing basis;
- the agreed service levels, which should include precise quantitative and qualitative performance targets for the outsourced function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met;
- the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider’s ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider;
- whether the service provider should take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested;
- the requirements to implement and test business contingency plans;
- provisions that ensure that the data that are owned by the institution or payment institution can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the service provider;
- the obligation of the service provider to cooperate with the competent authorities and resolution authorities of the institution or payment institution, including other persons appointed by them;
- for institutions, a clear reference to the national resolution authority’s powers, especially to Articles 68 and 71 of Directive 2014/59/EU, and in particular a description of the ‘substantive obligations’ of the contract in the sense of Article 68 of that Directive;
- the unrestricted right of institutions, payment institutions and competent authorities to inspect and audit the service provider with regard to, in particular, the critical or important outsourced function;
- termination rights.
How OneTrust Helps
OneTrust Vendorpedia simplifies third-party risk management by combining automation with aggregated vendor research to streamline the vendor engagement lifecycle, from onboarding to offboarding. The platform helps organizations conduct faster and more in-depth security and privacy reviews.
Vendorpedia is backed by the world’s largest and most up-to-date database of privacy and security laws, frameworks, and standards, which directly power and enrich OneTrust Vendorpedia. Research is generated by 30 in-house security and privacy experts and a network of 500 lawyers across 300 jurisdictions.
For additional details on Vendorpedia, read more here.
The European Banking Authority (‘EBA’) is an independent EU authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector.
As part of its regulatory and policy work, it has recently updated its Guidelines on outsourcing arrangements (‘the Outsourcing Guidelines’) setting out specific provisions for the governance frameworks of all financial institutions within the scope of the EBA’s mandate with regard to their outsourcing arrangements and related supervisory expectations and processes. The Outsourcing Guidelines will enter into force on 30 September 2019.
Last Updated: July 25, 2019
OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit OneTrust.com or connect on LinkedIn, Twitter and Facebook.