COVID-19 Practical Considerations – EBA Guidelines on Outsourcing Arrangements
For the most part, this focus has centred on operational resilience and business continuity arrangements of outsourced service providers (“OSPs”). However, it also serves as a timely reminder of recent regulatory changes in respect of outsourcing which are designed to ensure that institutions have in place appropriate contractual arrangements and internal processes to identify and mitigate risks associated with outsourcing (including risks arising from disruptive events like COVID-19).
The centrepiece of these recent regulatory changes is the EBA guidelines on outsourcing arrangements (the “EBA Guidelines”). Most institutions and OSPs in Ireland will already be familiar with the EBA Guidelines and many will have taken action to ensure that new outsourcing arrangements are aligned with the EBA Guidelines. However, institutions must also ensure that existing outsourcing arrangements are aligned with the EBA Guidelines by the end of the current transition period and that appropriate internal processes are implemented to oversee and manage outsourcing in line with the EBA Guidelines.
This briefing seeks to remind institutions of certain key steps that they may need to take in order to ensure that their existing outsourcing arrangements and internal processes are appropriately aligned with the EBA Guidelines and to explain why now might be an opportune time to take these steps.
Introduction of the EBA Guidelines
The EBA Guidelines came into force on 30 September 2019 (the “Commencement Date”) and replaced the CEBS guidelines on outsourcing from 2006. The EBA Guidelines also incorporate the EBA’s 2017 recommendations on outsourcing to the cloud.
The EBA Guidelines apply to any outsourcing “entered into, reviewed or amended” on or after the Commencement Date by an institution falling within the EBA’s mandate (including credit institutions and investment firms subject to CRD IV, as well as payment and electronic money institutions, but not, for example, (re)insurance undertakings). Unlike the CEBS guidelines, the application of the EBA Guidelines is not generally limited to the outsourcing of critical or important functions. The EBA Guidelines apply to all outsourcings by an institution, albeit the EBA Guidelines apply more stringent requirements to the outsourcing of critical or important functions.
Under the EBA Guidelines, outsourcing arrangements in place prior to the Commencement Date benefit from a transition period but institutions must update these arrangements by 31 December 2021 to comply with the EBA Guidelines. Institutions must also ensure that they have in place appropriate internal processes that support compliance with the EBA Guidelines. In practice, the Central Bank of Ireland (the “CBI”) will apply the EBA Guidelines to in-scope institutions by incorporating the EBA Guidelines into its ongoing supervisory practices and processes, as will the European Central Bank (the “ECB”).
Key Requirements under the EBA Guidelines
The key requirements under the EBA Guidelines are primarily focussed on an institution putting in place internal processes alongside robust contractual arrangements so as to ensure that the institution effectively oversees its outsourced activities and identifies and mitigates risks associated with such activities.
We summarise below some key areas for an institution to review and address to assist its compliance with the EBA Guidelines.
Identification and assessment of outsourcing
An institution must be able to effectively determine whether an arrangement with a service provider (including another group entity) constitutes an “outsourcing” and when an outsourcing involves a function which is “critical or important”. Such an assessment will determine what (if any) controls the firm is required to put in place under the EBA Guidelines in respect of that arrangement with a service provider. In addition, the institution must also conduct a risk assessment prior to outsourcing any function. This assessment should determine the potential impact on the institution of failed or inadequate service provision by the OSP and consider how to minimise this impact.
An institution must maintain an outsourcing policy that addresses the main phases of the outsourcing lifecycle and articulates specific controls that the institution ingrains into each phase of this lifecycle. The institution should also supplement its outsourcing policy with comprehensive policies in other key areas of risk (e.g. information security and data protection).
Robust governance controls and structures are particularly important requirements under the EBA Guidelines. While an institution may be able to outsource a particular function, it cannot outsource responsibility for the regulatory compliance of that function. Effective governance is a key mechanism through which the institution may continue to oversee and ensure regulatory compliance in respect of the outsourced function. Effective governance will comprise internal and contractual controls. For example, personnel within the institution with the necessary expertise should be assigned to directly oversee the outsourced function and structures should be implemented to ensure that oversight and management of this function appropriately filter up to board level. The contract should also require the OSP to provide regular reports in relation to performance of the outsourced function. This reporting could be supplemented by regular meetings between representatives of the institution and the OSP to review these reports and any other matters relevant to the outsourced function.
An institution must maintain a register, which documents certain information on its outsourcing arrangements. This register will need to include more detailed information for outsourcings of critical or important functions and must be available to the CBI (or the ECB for significant credit institutions).
The institution and its regulator should be afforded rights of access and audit by the OSP, including rights to conduct on-site inspections at the OSP’s premises. These audit rights should be captured in the contract between the institution and the OSP.
The institution’s contract with the OSP should incorporate a robust business continuity plan that applies to the OSP or requires the parties to produce such a plan shortly after the effective date. Obligations to test the OSP’s business continuity plan and take action to remedy any issues identified from such testing should also be included in the contract. In addition, the institution should also have in place its own robust business continuity plan.
A comprehensive exit plan should either be included in the institution’s contract with the OSP or the parties should be under an obligation to develop such a plan shortly after the effective date. This plan should set out the process for ensuring a smooth transition of the services away from the OSP on termination or expiry of the contract and should be reviewed regularly.
Other Contractual Controls
The EBA Guidelines also identify other key aspects of the contract between the institution and the OSP (e.g. service levels, insurance requirements, duration, termination rights, notice periods, etc.) and where relevant, an institution should ensure that its contracts with OSPs address these key aspects.
Updating existing outsourcing arrangements and internal processes
While the deadline for ensuring that outsourcing arrangements executed or amended prior to the Commencement Date comply with the EBA Guidelines is 31 December 2021, it may be advantageous for institutions to update such arrangements for compliance with the EBA Guidelines in the coming months. COVID-19 has clearly highlighted the importance for institutions and OSPs of including robust structures and controls in their contracts so as to ensure effective oversight of outsourced functions and to identify and mitigate risks associated with such functions. As a result, it may be more straightforward for institutions and OSPs to discuss and agree on changes required to their contracts for compliance with the EBA Guidelines in the coming months while COVID-19 remains very much a ‘live’ issue.
The ongoing pandemic may also assist an institution in expediting stakeholder approval of any changes required to its internal governance structures and controls for compliance with the EBA Guidelines. As already touched on in this briefing, robust contractual arrangements alone are unlikely to be sufficient for an institution to address all requirements of the EBA Guidelines, so pointing to a ‘real life’ event such as COVID-19, which demonstrates the need for effective oversight and management of outsourcing arrangements, may help an institution to effect change to its internal governance and reporting structures for compliance with the EBA Guidelines.
Prior to the final version of the EBA Guidelines being issued, the CBI issued a discussion paper on findings and key issues relating to outsourcing in the financial services industry (the “CBI Paper”) in November 2018. The CBI Paper focusses on the outsourcing of critical or important functions and states that the CBI “fully expects [institutions] will analyse this paper and take appropriate steps to address issues [identified in the paper] relevant to their outsourcing practices”. Helpfully, the CBI Paper and the EBA Guidelines frequently cover similar territory and by taking appropriate steps to address the requirements of the EBA Guidelines, an institution can rest assured that these steps are likely to address many of the issues identified in the CBI Paper.