EBF advisor: Blazej Blasikiewicz
Publication date: 24 September 2018
Outsourcing arrangements are widely used by the banking industry as they contribute to the efficiency and to the competitiveness of banks’ business models. Outsourcing indeed helps banks focus on their core business and gives them access to skills and services that are not available in house at the same level of efficiency and/or effectiveness.
Against this background, it is crucial that the Guidelines (GLs) strike the right balance between necessary safeguards preserving the integrity of outsourcing institutions, and the required flexibility to adapt to a fast-moving economic and technological environment. In particular, we assume that the specific requirements (should) only apply to outsourcings classified as critical/important.
The EBF’s key points relate to the following issues:
Scope of outsourcing: The draft EBA GLs provide for outsourcing requirements that are in line with MiFID II. MiFID II only provides for requirements for the ‘performance of operational functions which are critical for the provision of continuous and satisfactory services.
Definition and examples of what is or is not outsourcing: The current definition is extremely broad and risks encapsulating all activities performed by third parties for regulated institutions as outsourcing.
Intragroup outsourcing: Intragroup outsourcing should be subject to lower obligations than extra-group third-party outsourcing agreements.
Standard contractual clauses will be necessary for outsourcing agreements: Financial institutions may find difficulty in negotiating and getting some of the terms required by these GLs to be accepted by some large suppliers, such as, inter alia, the exercise of unrestricted access rights, or ex ante notification requirements in the sub-outsourcing of critical functions.
Sub-outsourcing assessment: Institutions may find it difficult to perform the risk assessment of sub-outsourcing activities.
Notification requirements: Given that the EBA has reiterated publicly that no upfront approval of outsourcing activities is necessary, in our view it would be sufficient for any bank to have a repository available which could be delivered upon request to the NCAs.
Summary table of requirements: Across the GLs it is not clear which requirements apply to general outsourcing, which to outsourcing of a critical or important function and which to intragroup arrangements respectively.
Cloud: The consideration of cloud services as outsourcing and, in case it is considered as such, as general outsourcing or outsourcing of critical functions should follow the same principles than the rest of services and technologies. It should depend on the nature of the activities outsourced.