14 May
Outsourcing EBA-Style
Dennis Cox BSc FCA CFSI, CEO of Risk Reward Ltd, talks about the latest EBA paper, key requirements, relationships, due diligence, reporting & why outsourcing just got more expensive.
The European Banking Authority (EBA) has recently published its guidance on outsourcing, to be implemented by 30 September 2019 for new arrangements and by 30 December 2021 for the review of existing arrangements.
At first glance a paper on outsourcing might seem a benign annoyance requiring limited time. Do not underestimate this paper. All firms within its scope (institutions, payment institutions and electronic money institutions) need to comply with these rules.
First up: this is a major change project and both analysis and reporting need to be undertaken. All firms need to appoint a project owner and identify the project resources. The outcome is clearly a Board responsibility with requirements for reporting to Boards, so Board members need to take note of this.
The paper focuses on the identification of critical or important functions and sets out the criteria that apply to them. It also gives examples of arrangements that fall outside the definition of outsourcing, such as cleaning services and the provision of data services. However, it then sets out criteria that should be applied to such cases anyway.
Of course, to be able to identify key relationships falling within the criteria there is a requirement to have a register which includes all outsourced relationships. This must include relationships where roles are undertaken by another part of the Group.
Once you have worked out all the relationships, you then need to identify which of these are critical. There is then a broad range of requirements setting out what needs to be recorded for all outsourced relationships, whether critical or not. These include:
- a reference number for each outsourcing arrangement;
- the start date and, as applicable, the next contract renewal date, the end date and/or notice periods for the service provider and for the institution or payment institution;
- a brief description of the outsourced function, including the data that are outsourced and whether or not personal data have been transferred or if their processing is outsourced to a service provider;
- a category assigned by the institution or payment institution that reflects the nature of the function which should facilitate the identification of different types of arrangements;
- the name of the service provider, the corporate registration number, the legal entity identifier, the registered address and other relevant contact details, and the name of its parent company (if any);
- the country or countries where the service is to be performed, including the location of the data;
- whether or not the outsourced function is considered critical or important, including a brief summary of the reasons why the outsourced function is considered critical or important;
- in the case of outsourcing to a cloud service provider, the cloud service and deployment models, and the specific nature of the data to be held and the locations where such data will be stored;
- the date of the most recent assessment of the criticality or importance of the outsourced function.
For critical relationships there is further information required including:
- the institutions, payment institutions and other firms within the scope of the prudential consolidation or institutional protection scheme, where applicable, that make use of the outsourcing;
- whether or not the service provider or sub-service provider is part of the group or a member of the institutional protection scheme or is owned by institutions or payment institutions within the group or is owned by members of an institutional protection scheme;
- the date of the most recent risk assessment and a brief summary of the main results;
- the individual or decision-making body in the institution or the payment institution that approved the outsourcing arrangement;
- the governing law of the outsourcing agreement;
- the dates of the most recent and next scheduled audits, where applicable;
- where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored;
- an outcome of the assessment of the service provider’s substitutability (as easy, difficult or impossible), the possibility of reintegrating a critical or important function into the institution or the payment institution or the impact of discontinuing the critical or important function;
- identification of alternative service providers;
- whether the outsourced critical or important function supports business operations that are time-critical;
- the estimated annual budget cost.
This is no minor task.
Before entering into an outsourcing arrangement and considering the operational risks related to the function to be outsourced, institutions and payment institutions should ensure in their selection and assessment process that the service provider is suitable.
With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract.
The required level of monitoring of each relationship has also increased, and regular reporting obligations are again specified.
Meeting the Requirements
There is a lot to this paper, and no doubt it will result in changes to outsourcing relationships. Reporting, contingency planning and contracting are all addressed in depth.