On 25 February 2019, the European Banking Authority (EBA) published revised guidelines on outsourcing arrangements.
The guidelines update the Committee of European Banking Supervisors (CEBS) guidelines on outsourcing that were issued in 2006. The EBA recommendation on outsourcing to cloud service providers, published in December 2017, has also been integrated into the revised guidelines.
The EBA states that the purpose behind revising the guidelines is to establish a more harmonised framework for all financial institutions that are within the scope of the EBA’s mandate, namely credit institutions and investment firms subject to the CRD IV, as well as payment institutions and electronic money institutions.
The revised guidelines set out which arrangements with third parties are to be considered as outsourcing and provide criteria for the identification of critical or important functions that have a strong impact on the financial institution’s risk profile or on its internal control framework. If such critical or important functions are outsourced, stricter requirements apply to these outsourcing arrangements than to other outsourcing arrangements.
The EBA states that each financial institution’s management body remains responsible for that institution and all of its activities, at all times. The management body should ensure that sufficient resources are available to appropriately support and ensure the performance of those responsibilities, including overseeing all risks and managing the outsourcing arrangements. Outsourcing must not lead to a situation in which an institution becomes an ‘empty shell’ that lacks the substance to remain authorised.
In relation to outsourcing to service providers located in third countries, the EBA states that financial institutions are expected to “take particular care” that compliance with EU legislation and regulatory requirements (e.g. professional secrecy, access to information and data, protection of personal data) is ensured and that the competent authority is able to effectively supervise financial institutions, in particular regarding critical or important functions outsourced to service providers.
The revised guidelines will enter into force on 30 September 2019. The CEBS 2006 guidelines on outsourcing and the EBA’s recommendation on outsourcing to cloud service providers will be repealed at the same time.