The guidelines create new obligations for financial, payment, and electronic money institutions that will impact cloud outsourcing and deployment of FinTech.
By Fiona M. Maclean and Laura Holden
On 25 February 2019, the European Banking Authority (EBA) published a final report on its draft guidelines on outsourcing arrangements (Guidelines). The report followed the EBA’s publication of draft guidelines in June 2018 (Draft Guidelines) and the ensuing public consultation in September 2018 (Public Consultation).
The Guidelines replace the 2006 Committee of European Banking Supervisors (CEBS) Guidelines on Outsourcing (CEBS Guidelines) and replace and incorporate the EBA’s final recommendations on outsourcing to cloud service providers (Cloud Recommendations). Financial institutions will now only need to consult one set of guidelines for cloud and non-cloud outsourcing.
The Guidelines apply to a wider range of entities (Covered Entities for the purpose of this article) than the CEBS Guidelines and the Cloud Recommendations, including payment or electronic money institutions. The Guidelines now apply to all financial institutions that are:
- Within the scope of the EBA’s mandate, including credit institutions
- Investment firms subject to Directive (EU) 2013/36 IV (Capital Requirements Directive)
- Payment institutions
- Electronic money institutions
As a result, a wider range of companies, such as FinTech companies, will now face the challenge of remaining agile and competitive in fast-moving markets, whilst managing the administrative and practical challenges of maintaining compliance with the Guidelines.
The Guidelines come into force on 30 September 2019. Any outsourcing arrangements entered into, reviewed, or amended by Covered Entities after that date must comply with the Guidelines. Covered Entities must also update all existing outsourcing arrangements in line with the Guidelines by 31 December 2021. For Covered Entities that are already subject to the Cloud Recommendations, these deadlines will not have any effect on their obligation to comply with the cloud specific requirements – these requirements will continue to apply as they did prior to publication of the Guidelines. An overview of the status of the Cloud Recommendations, per jurisdiction, can be found here.
While “critical and important functions” are subjected to stricter rules, the Guidelines generally apply to all outsourcings by Covered Entities, including intragroup outsourcings, representing a further widening of scope when compared with the CEBS Guidelines. Covered Entities will therefore face additional administrative burdens that they must balance with the need to stay ahead of the competition. Following concerns raised at the Public Consultation, the EBA clarified in the Guidelines that regulators will not consider every outsourcing to a cloud solution as critical or important; rather the same test applies as with other non-cloud service providers, taking into account “cloud specificities”.
Under the Guidelines, the definition of “outsourcing” is based on the Commission Delegated Regulation (EU) 2017/565 and defined as: “an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself”.
The Guidelines define “critical or important functions” based on the wording of MiFID II and the Commission Delegated Regulation (EU) 2017/565, which includes functions that “if a defect or failure were to occur, would materially impair the continuing compliance of the firm’s activities and obligations”.
To outsource banking and payment services to a third country (i.e., non-EU) service provider, the Guidelines require the competent authorities responsible for supervising each party to have a co-operation agreement in place. Therefore, post-Brexit, the UK’s Financial Conduct Authority will need to agree a co-operation agreement with EU regulators to ensure that cross-border outsourced arrangements can continue between the UK and the EU27.