Insights from Latham’s flagship event: Managing the risk and promise of digitisation in financial services

Authors: Andrew Moyle, Nicola Higgs, Christian McDermott, and Kirsty Watkins.

The financial services industry is leading the way in outsourcing, with contract values in excess of US$10.7 billion in 2018, causing regulators to focus more than ever on the associated risks. Guidelines on outsourcing arrangements from the European Banking Authority (EBA), which came into effect on 30 September 2019, expand the requirements on institutions in this area, while both the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) are also increasing their outsourcing supervision and enforcement activity.

At our recent event, Balancing the Scales: Managing the Risk and Promise of Digitisation in Financial Services, we discussed the new requirements for financial institutions to maintain a register of outsourcing arrangements and to adhere to more stringent risk assessment and due diligence requirements.

The guidelines create new obligations for financial, payment, and electronic money institutions that will impact cloud outsourcing and deployment of FinTech.

By Fiona M. Maclean and Laura Holden

On 25 February 2019, the European Banking Authority (EBA) published a final report on its draft guidelines on outsourcing arrangements (Guidelines). The report followed the EBA’s publication of draft guidelines in June 2018 (Draft Guidelines) and the ensuing public consultation in September 2018 (Public Consultation).

The Guidelines replace the 2006 Committee of European Banking Supervisors (CEBS) Guidelines on Outsourcing (CEBS Guidelines) and replace and incorporate the EBA’s final recommendations on outsourcing to cloud service providers (Cloud Recommendations). Financial institutions will now only need to consult one set of guidelines for cloud and non-cloud outsourcing.

The Guidelines apply to a wider range of entities (Covered Entities for the purpose of this article) than the CEBS Guidelines and the Cloud Recommendations, including payment or electronic money institutions. The Guidelines now apply to all financial institutions that are:

  • Within the scope of the EBA’s mandate, including credit institutions
  • Investment firms subject to Directive 2013/36/EU (CRD IV, the Capital Requirements Directive)
  • Payment institutions
  • Electronic money institutions

As a result, a wider range of companies, such as FinTech companies, will now face the challenge of remaining agile and competitive in fast-moving markets, whilst managing the administrative and practical challenges of maintaining compliance with the Guidelines.

The Guidelines come into force on 30 September 2019. Any outsourcing arrangements entered into, reviewed, or amended by Covered Entities after that date must comply with the Guidelines. Covered Entities must also update all existing outsourcing arrangements in line with the Guidelines by 31 December 2021. For Covered Entities that are already subject to the Cloud Recommendations, these deadlines will not have any effect on their obligation to comply with the cloud specific requirements – these requirements will continue to apply as they did prior to publication of the Guidelines. An overview of the status of the Cloud Recommendations, per jurisdiction, can be found here.

While “critical and important functions” are subjected to stricter rules, the Guidelines generally apply to all outsourcings by Covered Entities, including intragroup outsourcings, representing a further widening of scope when compared with the CEBS Guidelines. Covered Entities will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition. Following concerns raised at the Public Consultation, the EBA clarified in the Guidelines that regulators will not consider every outsourcing to a cloud solution as critical or important; rather the same test applies as with other non-cloud service providers, taking into account “cloud specificities”.

Under the Guidelines, the definition of “outsourcing” is based on the Commission Delegated Regulation (EU) 2017/565 and defined as: “an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself”.

The Guidelines define “critical or important functions” based on the wording of MiFID II and the Commission Delegated Regulation (EU) 2017/565, which includes functions that “if a defect or failure were to occur, would materially impair the continuing compliance of the firm’s activities and obligations”.

To outsource banking and payment services to a third country (i.e., non-EU) service provider, the Guidelines require the competent authorities responsible for supervising each party to have a co-operation agreement in place. Therefore, post-Brexit, the UK’s Financial Conduct Authority will need to agree a co-operation agreement with EU regulators to ensure that cross-border outsourced arrangements can continue between the UK and the EU27.

By Nicola Higgs, Fiona MacLean, Brett Carr, and Catherine Campbell

Technology outsourcing by financial institutions (FIs) has increased in recent years as FIs look to the latest innovations to improve their day-to-day business processes and to reduce costs. FIs outsource key functions to a host of regulated and unregulated third-party service providers, and the sector is poised for continued growth. According to research conducted by business outsourcing provider Arvato and analyst firm NelsonHall, outsourcing agreements worth £6.74 billion were agreed in the UK last year across all industries (a 9% increase on the prior year), and financial services firms signed £3.26 billion of them. With this continued growth, the outsourcing sector is increasingly likely to be a hotbed of private equity (PE) deal activity; and, as regulators place a greater focus on outsource providers, deal teams should monitor regulatory engagement and policy developments.

Outsourcing Companies Evolve

IT and business process outsourcing are converging, meaning outsourcing deals are now different to the traditional, bespoke, dedicated service arrangements firms have entered into in the past. Modern-day outsource providers who have grown exclusively as tech companies are looking to meet the demand for processing and administration solutions for financial products and services in a heavily regulated environment. Notably, the Financial Conduct Authority’s (FCA’s) recent Investment Platforms Market Study identified that most investment platforms purchase their technology from third-party providers, and more than half of the platforms the study considered are in the process of re-platforming to a new provider. Fewer than a third of firms in the study rely on proprietary technology. Areas such as cybersecurity and data analytics have also become increasingly important for the sector, driving demand for specialist third-party providers with robust processes.

The EBA’s draft guidelines on outsourcing will impact cloud outsourcing and institutions’ deployment of FinTech.

By Fiona Maclean, Charlotte Collins, and Terese Saplys

On 4 September 2018, a wide audience of interested individuals gathered at Canary Wharf for a public hearing (Public Consultation) to listen to what the European Banking Authority (EBA) had to say in relation to its long-awaited Draft Guidelines on Outsourcing (Draft Guidelines). The Draft Guidelines, which review the existing CEBS Guidelines on Outsourcing published in 2006 (CEBS Guidelines), are the EBA’s opportunity to refresh its recommendations on outsourcing to align more closely with the technical, political, and operational landscape banks face today. The attendees at the Public Consultation raised a number of questions which have, no doubt, given the EBA considerable food for thought. This blog post identifies and explores the key themes of the day. Beyond the key themes identified below, the Public Consultation included discussions of the issues of internal audit, reporting and registration, and supervisory oversight.

Scope

The extension of scope of the Draft Guidelines, as compared to the scope of the CEBS Guidelines, was a particular area of focus during the Public Consultation.

The Draft Guidelines describe their subject matter as “specify[ing] the internal governance arrangements that institutions … should implement when they outsource functions and in particular with regard to the outsourcing of critical and important functions” (paragraph 5 of the Draft Guidelines). The term “critical and important functions” is consistent with the wording used in MiFID II and includes functions which, if a defect or failure were to occur, would materially impair the continuing compliance of the firm’s activities and obligations. In this regard, the Draft Guidelines align with the CEBS Guidelines which described the requirements for “material outsourcing,” a term defined in a similar manner. However, while the CEBS Guidelines noted that “there should be no restrictions on the outsourcing of non-material activities of an outsourcing institution” (Guideline 5), the Draft Guidelines extend to all outsourcing, unless expressly stated otherwise. Many attendees at the Public Consultation noted that this scope was unduly onerous and would become administratively burdensome for firms to manage.

Notably, the broadening of the addressees of the Draft Guidelines (In-scope Entities), to include payment institutions (subject to the revised Payment Services Directive (PSD2)) and electronic money institutions (subject to the e-money Directive), was not discussed in detail at the Public Consultation. However, an attendee raised a question as to the applicability of the Draft Guidelines to industry utilities. The EBA confirmed they had not yet considered this point and advised that they would reflect and clarify the position in the final guidelines.

By Fiona Maclean, Stuart Davis and Charlotte Collins

Cloud services come with the promise of many benefits for the financial services sector. Cloud computing offers large-scale and cost-effective solutions for data storage and efficient processing and is also the underlying technology for many FinTech platforms. As with a lot of new technology, however, financial institutions are struggling to see how they can embrace cloud services fully in the context of the current regulatory landscape. This is particularly so given that use of cloud services is often considered a material outsourcing, meaning that banks and investment firms must follow strict rules in order to ensure that the risks posed by migrating data to the cloud are mitigated appropriately.

Cloud Regulatory Guidance: Clear Skies?

Current guidance on outsourcing for banks and investment firms is from the Committee of European Banking Supervisors (CEBS) and dates from 2006 (the CEBS Outsourcing Guidelines), so is overdue for review. The European Banking Authority (EBA) has recognised this and, amidst concerns that firms simply may not use cloud service providers because they cannot reconcile how to do this in line with the regulatory requirements, published new draft guidelines on outsourcing to cloud services (Draft Cloud Guidelines) for consultation on 17 May 2017.

The final guidance resulting from the public consultation (the Final Cloud Guidelines) will supplement, rather than replace, the existing CEBS Outsourcing Guidelines, so both will need to be read in parallel. Essentially, as the CEBS Outsourcing Guidelines are short and principles-based, the new guidelines seek to add more detail as to how a firm’s regulatory obligations may be met in the specific context of outsourcing to a cloud service provider, based upon discussions the EBA has had with firms and their regulators.

By Gail Crawford and Christian McDermott

The recent cyberattack on Tesco Bank’s IT systems has prompted Rt Hon. Andrew Tyrie MP, Chairman of the Treasury Committee, to call on regulators to take action against vulnerable bank IT systems:

Making sure that banks improve their IT systems, and their resilience to cybercrime, is also a responsibility of regulators. We will raise this issue with them again shortly. We can’t carry on like this.

The call follows earlier correspondence on this topic between Andrew Tyrie, various major UK banks, the FCA and the PRA.