Outsourcing is one of the specific aspects of institutions’ governance arrangements and a way to get relatively easy access to new financial technologies (fintech) and to reduce costs and achieve economies of scale. However, more intensive usage of outsourcing brings new risks.
The European Banking Authority (EBA) published on 25th February 2019 its revised Guidelines (EBA/GL/2019/02) on outsourcing arrangements setting out specific provisions for the governance frameworks with regard to their outsourcing arrangements and related supervisory expectations and processes. The recommendation on outsourcing to cloud service providers, published in December 2017, has been integrated into the guidelines. The scope of application includes credit institutions and investment firms subject to the CRD, as well as payment and electronic money institutions.
The Guidelines set out that each financial institution’s management body remains responsible for that institution and all of its activities, at all times. The management body ensures that sufficient resources are available, including overseeing all risks and managing the outsourcing arrangements. Outsourcing must not lead to a situation in which an institution becomes an ‘empty shell’ that lacks the substance to remain authorised. Regarding service providers located in third countries, financial institutions are expected to take particular care that compliance with EU legislation and regulatory requirements (e.g. professional secrecy, access to information and data, protection of personal data) is ensured and that the competent authority is able to effectively supervise financial institutions, in particular regarding critical or important functions outsourced to service providers.
Competent authorities are required to supervise financial institutions’ outsourcing arrangements, including identifying and monitoring risk concentrations at individual service providers and assessing whether or not such concentrations could pose a risk to the stability of the whole financial system.
The guidelines will enter into force on 30 September 2019.
27-3-2019