Response to consultation on draft Guidelines on outsourcing
Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?
NA
Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?
It is welcome that the principle of proportionality is embedded in the draft guidelines, as it was in the CEBS guidelines and cloud outsourcing recommendations previously. Paragraph 16 specifies how Title I of the EBA Guidelines on Internal Governance (“internal governance guidelines”), in line with Article 74(2) of Directive 2013/36/EU (‘CRD IV’), should be considered when applying this principle.
These internal governance guidelines present criteria directed at the “size and internal organisation, and the nature, scale and complexity of their [institution’s] activities, when developing and implementing internal governance arrangements”. Given the range of different risk models of agency firms that constitute the AIMA membership, members would welcome additional guidance from the EBA as to which entities can apply the principle.
Furthermore, the guidelines cross referenced in Paragraph 24 do not provide clarity as to which of the requirements set out in the draft guidelines it may be legitimate to disapply because of proportionality, which leaves the reader in some doubt as to how the proportionality principle should be applied in practice.
For example, Paragraph 24 appears to suggest that arrangements not considered outsourcing should be subject to a risk assessment. A fair and proportionate approach in this regard would be to clarify that risk assessments need only occur where outsourcing has taken or will take place. We would infer that this was the desired intention of paragraphs such as this, and where it is not explicit (we have provided drafting suggestions on this occasion below), such a reading would represent a fair application of the proportionality principle.
Q3: Are the guidelines in Title II and, in particular, the safeguards ensuring that competent authorities are able to effectively supervise activities and services of institutions and payment institutions that require authorisation or registration (i.e. the activities listed in Annex I of Directive 2013/36/EU and the payment services listed in Annex I of Directive (EU) 2366/2015) appropriate and sufficiently clear or should additional safeguards be introduced?
The MiFID II Delegated Regulation (DR)6 details certain services that should not be considered critical or important functions, with the provision of legal advice to the outsourcing firm one such example. In a similar fashion, Paragraph 22 of the draft guidelines spells out how the “acquisition of services” should not even be considered outsourcing, and among others refers to “legal representation in front of the court and administrative bodies” as an example of this in practice.
While we appreciate the sentiment behind introducing illustrative examples, referencing one legal practice but not others leaves open to question the status of those not explicitly referenced. As such, if examples are to be used in this fashion we would recommend refraining from citing specific cases, as it leaves other – similar – activities in limbo as to their expected treatment.
Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?
NA
Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?
Paragraph 46 of the draft guidelines specifies that institutions should “maintain a register of all outsourcing arrangements at institution and group level…and record all current outsourcing arrangements, distinguishing the outsourcing of critical or important functions and other outsourcing arrangements”.
Echoing a point made in our previous submission to the cloud outsourcing guidelines consultation,7 it is our view that a registration requirement of this kind on all arrangements, rather than just those of a critical or important nature, would generate a disproportionate burden on outsourcing institutions to no discernible benefit and therefore should not be required.
While it is of course always possible for an outsourced activity to become critical or important, even if it is not so at that given moment, such oversight as expected in the form of a universal central register appears unwarranted. The responsibility would still be with the outsourcing institution to inform its NCA when an activity becomes critical or important, and if it were found not to have done so relevant sanctions would apply. This appears a more proportionate approach to the issue at hand here.
Q6: Are the guidelines in Sections 8 regarding the documentation requirements appropriate and sufficiently clear?
NA
Q7: Are the guidelines in Sections 9.1 regarding the assessment of criticality or importance of functions appropriate and sufficiently clear?
NA
Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?
The second half of paragraph 56 of the draft guidelines signals that institutions should be satisfied that service providers adhere to “international standards on human rights, environmental protection and appropriate working conditions, including the prohibition of child labour”.
A multitude of different international standards exist in this field today, with more forthcoming considering the European Commission’s May 2018 legislative proposals in this regard (the final outcomes from which cannot be foreseen today). We would suggest that outsourcing institutions be able to choose which set of standards they adhere to, including those that are proprietary. If the service provider complies with these, that should constitute adherence to these guidelines.
Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?
NA
Q10: Are the guidelines in Section 10 regarding the contractual phase appropriate and sufficiently clear; do the proposals relating to the exercise of access and audit rights give rise to any potential significant legal or practical challenges for institutions and payment institutions?
Access rights – Level 2/Level 3 measures
Article 31(i) of the MiFID II DR details how an investment firm, its auditors and the relevant NCA have effective access to relevant data from, and where necessary, the business premises of the service provider. This is to ensure effective oversight in accordance with that Article. This provision applies, however, solely to the outsourcing of critical and important functions as defined within MiFID II.
Paragraph 72 of the draft guidelines details how the written outsourcing agreement – not limited to critical or important functions as is the case in Article 31(i) of the MiFID DR – must grant the outsourcing institution and its NCA (among other things) complete access to all relevant business premises, and unrestricted rights of inspection and auditing.
We question the necessity for such rights to be contractually framed in the first instance for all outsourcing arrangements, but more fundamentally, whether this is being dealt with in the correct manner procedurally. As the original specifications for critical or important functions were detailed at Level 2, it is not clear how an apparent expansion of the scope of such requirements can come via the form of draft guidelines such as these.
As such, we would recommend that the spirit and letter of the MiFID DR Level 2 measures be maintained in this regard – i.e. access rights only needing to be contractually framed for the outsourcing of critical or important functions – thus adhering to normal EU rulemaking procedure.
Access rights – data centres
In terms of practical application, and again echoing a point made within our earlier cloud outsourcing submission, we would stress that requiring physical access to where data is stored may make it impossible for asset management firms to use public cloud services. We therefore consider that data centres should be specifically carved out of the references to “business premises” and the right of physical access to data centres should be substituted for a right of access to the relevant systems information. In other words, seeing racks of blinking lights is of little value but being able to see infrastructure diagrams and setup might be useful. Increasingly, physical infrastructure is being replaced with software-defined infrastructure so there is nothing to see, or it could be split over multiple locations on shared physical infrastructure. An amendment such as that proposed below is aimed at making this provision more workable.
Access rights – requests made via outsourcing institutions
The final recommendations should clarify that the right of access for the supervising authority to information would be done via the outsourcing institution, i.e., the competent authority requests the information from the outsourcing institution who must have the access and pass the information on, rather than direct access to systems of the service provider. Again, this would represent a more accurate reflection of reality here.