Response to consultation on draft Guidelines on outsourcing

Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?

In my opinion the paper is entirely unbalanced. It would have been better to produce a separate paper to address payment institutions and methods, particularly since these are changing quickly. Indeed, even this document does not address the issues that I would seek to have addressed. My key concern is that by using the "service" definition to remove certain matters that are conducted by third parties from the definition of outsourcing you are potentially creating an issue. This is a paper on the risks and controls for outsourcing, and the provision of external services by lawyers, consultants, cleaners and software houses is included in this work. By risk assessing on a sensible basis, the level of due diligence required to be conducted can be assessed. By excluding some of these key elements my concern is that the necessary due diligence may not be conducted. I would change the definition and reassess the balance of the paper.

Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?

No. They become difficult to separate the cloud and tech imbalance.

Q3: Are the guidelines in Title II and, in particular, the safeguards ensuring that competent authorities are able to effectively supervise activities and services of institutions and payment institutions that require authorisation or registration (i.e. the activities listed in Annex I of Directive 2013/36/EU and the payment services listed in Annex I of Directive (EU) 2366/2015) appropriate and sufficiently clear or should additional safeguards be introduced?

This is fine.

Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?

While happy with the general thrust of the paper, again I would emphasise that the EBA is looking at the risks that third party relationships pose to a firm. This includes architects, given cases of branches subsiding, bribes being potentially paid and building collapse. Excluding this from the paper without another paper picking this up is, in my opinion, doing the industry a disservice. I also think that additional guidance could be provided to enable firms to properly assess criticality.

Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?

Section 5 currently provides neither examples nor responses. At present this is inadequate. I would particularly be interested in additional guidance regarding non-executive directors. Section 6 is a little confusing. Normally the firm will obtain the BCP of the outsourced firm and build that into their own BCP, identifying issues requiring resolution. I am not sure that this is consistent with the expectations set out here.

Q6: Are the guidelines in Sections 8 regarding the documentation requirements appropriate and sufficiently clear?

While the guidelines are clear, I am unsure where we are identifying the owners, controllers and officers, or what work is being undertaken to prevent concentration and fraud, for example.

Q7: Are the guidelines in Sections 9.1 regarding the assessment of criticality or importance of functions appropriate and sufficiently clear?


Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?

What is written is fine, albeit rather brief. The former BIS papers appear to provide more guidance than is repeated here.

Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?

Yes but again are light on the controller, o

Q10: Are the guidelines in Section 10 regarding the contractual phase appropriate and sufficiently clear; do the proposals relating to the exercise of access and audit rights give rise to any potential significant legal or practical challenges for institutions and payment institutions?

I am concerned over the audit rights issue, and any regulator will need to recognise limitations in this. It will not be required in all cases, and specific additional guidance where it is not available will be required. There is always the reserve of receiving audit reports.

Q11: Are the guidelines in Section 11 regarding the oversight on outsourcing arrangements appropriate and sufficiently clear?


Q12: Are the guidelines in sections 12 regarding exit strategies appropriate and sufficiently clear?


Q13: Are the guidelines in Section 13 appropriate and sufficiently clear? In particular, are there any ways of limiting the information in the register which institutions and payment institutions are required to provide to competent authorities to make it more proportionate and relevant? With a view to bringing sufficient proportionality, the EBA will consider the supervisory relevance and value of a register covering all outsourcing arrangements within each SREP cycle or at least every 3 years in regard to the operational and administrative burden.


Q14: Are the guidelines for competent authorities in Title V appropriate and sufficiently clear?


Q15: Is the template in Annex I appropriate and sufficiently clear?

Yes but not relevant. Should delete.

Q16: Are the findings and conclusions of the impact assessments appropriate and correct; where you would see additional burden, in particular financial costs, please provide a description of the burden and to the extent possible an estimate of the cost to implement the guidelines, differentiating one-off and ongoing costs and the cost drivers (e.g. human resources, IT, administrative costs, etc.)?

Puzzled why this is being requested.

Name of organisation

Risk Reward Limited