The EBA’s draft guidelines on outsourcing will impact cloud outsourcing and institutions’ deployment of FinTech.
On 4 September 2018, a wide audience of interested individuals gathered at Canary Wharf for a public hearing (Public Consultation) to listen to what the European Banking Authority (EBA) had to say in relation to its long-awaited Draft Guidelines on Outsourcing (Draft Guidelines). The Draft Guidelines, which review the existing CEBS Guidelines on Outsourcing published in 2006 (CEBS Guidelines), are the EBA’s opportunity to refresh its recommendations on outsourcing to align more closely with the technical, political, and operational landscape banks face today. The attendees at the Public Consultation raised a number of questions which have, no doubt, given the EBA considerable food for thought. This blog post identifies and explores the key themes of the day. Beyond the key themes identified below, the Public Consultation included discussions of the issues of internal audit, reporting and registration, and supervisory oversight.
The extension of scope of the Draft Guidelines, as compared to the scope of the CEBS Guidelines, was a particular area of focus during the Public Consultation.
The Draft Guidelines describe their subject matter as “specify[ing] the internal governance arrangements that institutions … should implement when they outsource functions and in particular with regard to the outsourcing of critical and important functions” (paragraph 5 of the Draft Guidelines). The term “critical and important functions” is consistent with the wording used in MiFID II and includes functions which, if a defect or failure were to occur, would materially impair the continuing compliance of the firm’s activities and obligations. In this regard, the Draft Guidelines align with the CEBS Guidelines which described the requirements for “material outsourcing,” a term defined in a similar manner. However, while the CEBS Guidelines noted that “there should be no restrictions on the outsourcing of non-material activities of an outsourcing institution” (Guideline 5), the Draft Guidelines extend to all outsourcing, unless expressly stated otherwise. Many attendees at the Public Consultation noted that this scope was unduly onerous and would become administratively burdensome for firms to manage.
Notably, the broadening of the addressees of the Draft Guidelines (In-scope Entities), to include payment institutions (subject to the revised Payment Services Directive (PSD2)) and electronic money institutions (subject to the e-money Directive), was not discussed in detail at the Public Consultation. However, an attendee raised a question as to the applicability of the Draft Guidelines to industry utilities. The EBA confirmed they had not yet considered this point and advised that they would reflect and clarify the position in the final guidelines. Continue Reading