
Final Report on



Transcription of Final Report on

Final Report on EBA Guidelines on outsourcing arrangements
EBA/GL/2019/02
25 February 2019

Contents

Executive summary
Background
Guidelines on outsourcing
1. Compliance and reporting obligations
2. Subject matter, scope and definitions
  Subject matter
  Addressees
  Scope of application
  Definitions
3. Implementation
  Date of application
  Transitional provisions
  Repeal
4. Guidelines on outsourcing
  Title I Proportionality: group application and institutional protection schemes
    1 Proportionality
    2 Outsourcing by groups and institutions that are members of an institutional protection scheme
  Title II Assessment of outsourcing arrangements
    3 Outsourcing
    4 Critical or important functions
  Title III Governance framework
    5 Sound governance arrangements and third-party risk
    6 Sound governance arrangements and outsourcing
    7 Outsourcing policy
    8 Conflicts of interests
    9 Business continuity plans
    10 Internal audit function
    11 Documentation requirements
  Title IV Outsourcing process
    12 Pre-outsourcing analysis
      Supervisory conditions for outsourcing
      Risk assessment of outsourcing arrangements
      Due diligence
    13 Contractual phase
      Sub-outsourcing of critical or important functions
      Security of data and systems
      Access, information and audit rights
      Termination rights
    14 Oversight of outsourced functions
    15 Exit strategies
  Title V Guidelines on outsourcing addressed to competent authorities
5. Accompanying documents
  Draft cost-benefit analysis/impact assessment
  Feedback on the public consultation
  Summary of responses to the consultation and of the EBA's analysis

Executive summary

Trust in the reliability of the financial system is crucial for its proper functioning and is a prerequisite if it is to contribute to the economy as a whole. Effective internal governance arrangements are fundamental if institutions individually and the financial system they form as a whole are to operate well.

Over recent years, financial institutions have been increasingly interested in outsourcing business activities also in order to reduce costs and improve their flexibility and efficiency. In the context of digitalisation and the increasing importance of new financial technology (fintech) providers, financial institutions are adapting their business models to embrace such technologies. Some have intensified the use of fintech solutions and have launched projects to improve their cost efficiency also in response to the intermediation margins of the traditional banking business model being put under pressure by the low interest rate environment. Outsourcing is a way to get relatively easy access to new technologies and to achieve economies of scale. Directive 2013/36/EU (Capital Requirements Directive; CRD) strengthens the governance requirements for institutions and Article 74(3) CRD gives the EBA the mandate to develop guidelines on institutions' governance arrangements.

Outsourcing is one of the specific aspects of institutions' governance arrangements. Directive 2014/65/EU (Markets in Financial Instruments Directive; MiFID II) contains explicit provisions regarding the outsourcing of functions in the field of investment services and activities. Directive 2015/2366/EU (Revised Payment Service Directive; PSD2) sets out requirements for the outsourcing of functions by payment institutions. The EBA is updating the Committee of European Banking Supervisors (CEBS) guidelines on outsourcing that were issued in 2006, which applied exclusively to credit institutions; the aim is to establish a more harmonised framework for all financial institutions that are within the scope of the EBA's mandate, namely credit institutions and investment firms subject to the CRD, as well as payment and electronic money institutions.

The guidelines set out specific provisions for these financial institutions' governance frameworks with regard to their outsourcing arrangements and the related supervisory expectations and processes. The recommendation on outsourcing to cloud service providers, published in December 2017, has been integrated into the guidelines. Each financial institution's management body remains responsible for that institution and all of its activities, at all times; to this end, the management body should ensure that sufficient resources are available to appropriately support and ensure the performance of those responsibilities, including overseeing all risks and managing the outsourcing arrangements. Outsourcing must not lead to a situation in which an institution becomes an empty shell that lacks the substance to remain authorised.

With regard to outsourcing to service providers located in third countries, financial institutions are expected to take particular care that compliance with EU legislation and regulatory requirements (professional secrecy, access to information and data, protection of personal data) is ensured and that the competent authority is able to effectively supervise financial institutions, in particular regarding critical or important functions outsourced to service providers. The guidelines set out which arrangements with third parties are to be considered as outsourcing and provide criteria for the identification of critical or important functions that have a strong impact on the financial institution's risk profile or on its internal control framework.

If such critical or important functions are outsourced, stricter requirements apply to these outsourcing arrangements than to other outsourcing arrangements. Competent authorities are required to effectively supervise financial institutions' outsourcing arrangements, including identifying and monitoring risk concentrations at individual service providers and assessing whether or not such concentrations could pose a risk to the stability of the financial system. To identify such risk concentrations, competent authorities should be able to rely on comprehensive documentation on outsourcing arrangements compiled by financial institutions.

Next steps

The guidelines will enter into force on 30 September 2019. The 2006 guidelines on outsourcing and the EBA's recommendation on outsourcing to cloud service providers will be repealed at the same time.

Background

1. Trust in the reliability of the financial system is crucial for its proper functioning and is a prerequisite if it is to contribute to the economy as a whole. Effective internal governance arrangements are fundamental if credit institutions and investment firms subject to Directive 2013/36/EU (CRD) (both referred to as "institutions"), payment institutions and electronic money institutions (both referred to as "payment institutions") and the financial system they form part of are to operate well.

2. Over recent years, there has been an increasing tendency by institutions and payment institutions to outsource activities also in order to reduce costs and improve flexibility and efficiency. In the context of digitalisation and the increasing importance of information technology (IT) and financial technologies (fintech), institutions and payment institutions are adapting their business models, processes and systems to embrace such technologies. IT has become one of the most commonly outsourced activities. Notwithstanding its benefits, outsourcing IT and data services poses security issues and challenges to the governance framework of institutions and payment institutions, in particular to internal controls as well as to data management and data protection.

3. Some institutions and payment institutions have intensified the use of IT and fintech solutions and have launched projects to improve their cost efficiency also in response to the intermediation margins of the traditional banking lending model being put under pressure by the low interest rate environment. Outsourcing is a way to get relatively easy access to new technologies and to achieve economies of scale, e.g. by centralising functions within a group or institutional protection scheme.

4. The importance of outsourcing functions to cloud service providers has increased rapidly in many industries. In 2017, the EBA addressed the specificities of outsourcing to the cloud by developing recommendations on outsourcing to cloud service providers, which were based on the 2006 CEBS outsourcing guidelines. The recommendations aimed at overcoming the high level of uncertainty regarding supervisory expectations on outsourcing to cloud service providers and at removing the barriers that this uncertainty caused for institutions proceeding with using cloud services.

