Response to consultation on draft Guidelines on outsourcing

Go back

Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?

** General comments **

We welcome the efforts made by the EBA in updating the 2006 CEPS guidelines and creating single guidelines for any kind of outsourcing embodying the currently coexisting 2006 CEPS guidelines and the 2017 Cloud outsourcing recommendations.
We also appreciate EBA’s resolution to attain regulatory harmonization by taking definitions and requirements already included in other EU financial regulations.
Nevertheless, we are concerned on the impact that the proposed guidelines on outsourcing could have in the competitive position, the cost structure and innovation potential of financial institutions. Therefore, despite fully endorsing the answers to this consultation presented by the European Banking Federation (EBF) and the Association for Financial Markets in Europe (AFME), which we have collaborated to draft, we feel compelled to highlight some issues that are of special relevance for us.
Although these issues are addressed in further detail in our reply to the specific questions, they refer to the following topics:
Level Playing Field. Financial Institutions offer a wide range of products and services and not all of them require a license. Consequently, financial institutions compete with a wide diversity of firms in activities such as payments, lending or financial advice. Those firms can have different legal forms, capital requirements or oversight controls, among others. Also, non-European affiliates of European entities need to be able to compete on an equal footing in their local markets.
Therefore, it is important ensuring that the application of these Guidelines do not hinder the ability of financial institutions to compete both with those usually more flexible and less regulated firms offering banking services and products in EU as well as with non-EU financial institutions in their local markets
Notification requirements. This requirement is currently subject to diverging interpretations of National Competent Authorities and already affects the time-to-market of new initiatives in those countries such as Spain, where this requirement could be understood as a kind of authorization process. In order to avoid this fragmentation and any potential impact on the competitive position of some institutions, this requirement should be removed or at least converted in an ex-post notification. Beyond pure notifications, the ongoing dialogue between entities and authorities within the supervision context will also facilitate that authorities have sight on the entities future plans and that the processes are transparent.
Outsourcing definition and criticality criteria. Although we positively value the EBA’s approach to harmonize outsourcing definitions among different regulations, the application of these GLs should not increase substantially the number of third party arrangements considered outsourcing. On the contrary, this could increase the compliance burden, the regulatory costs and the competitive position of financial institutions. Therefore, these Guidelines should be only applied to critical outsourcing and not to non-licensed activities or non-critical licensed activities. This would avoid that non-licensed companies offering non-exclusive financial services are given a competitive advantage before regulated financial institutions.
Moreover, we are concerned on the consideration of intragroup outsourcing arrangements as especially risky. We believe that these GLs overestimate the risks posed by intragroup outsourcing without taking into account the higher ability of outsourcing institutions to control companies within their consolidation perimeter nor the complementary measures and controls already required by other financial regulations such as the Bank Resolution and Recovery Directive.
Technology neutrality. These guidelines require any initiative using cloud to be informed and registered in a similar way to critical outsourcing. This could disincentivize the use of cloud computing, a technology that offers cost, resiliency and flexibility advantages and is widely used by innovative companies, some of them already offering financial services. Moreover, it seems contradictory with the initiatives under the Digital Single Market project aimed at promoting and eliminating obstacles to cloud adoption.
Extension of scope to any third party agreements. Existing regulations on IT risk assessment, governance, Resolution and Recovery, among others set requirements on financial institutions to assess and monitor third party relations. Therefore, requiring that any third party relation is assessed as if it were an outsourcing would increase the cost of compliance without providing any additional benefit.
Involvement of management body. The involvement of management body should be kept high-level. Therefore, management body should only be required to participate in the definition and approval of the high-level outsourcing policy and in the reporting of material risks.
Sub Outsourcing. Monitoring chain outsourcing may be challenging in some cases. Therefore, as far as the service provider is held liable of any activity performed by third parties and financial institutions are kept informed of any sub outsourcing by the service provider and can swiftly and costless exit the outsourcing agreement, they should be allowed to relax sub outsourcing controls.
This reply intends that these outsourcing guidelines are perfectly fitted for ensuring financial stability but do not harm the ability of financial institutions to compete with other players in the market, regardless their size, geographical presence or country of incorporation.

** Answer **

From the point of view of an European parent entity with non-European affiliates, to avoid any misunderstanding by supervisory teams, it should be made clear that when paragraph 9 of the guidelines and paragraph 18 of the background section require compliance with outsourcing requirements in solo, sub-consolidated and consolidated basis, they are only referring to subsidiaries subject to Directive 2013/36/EU and, therefore, that are located in EU.
On the contrary, extending the application of these guidelines to institutions outside EU could impact the ability to compete of those non-EU companies in their local markets, if local requirements on outsourcing are less strict than those set in these guidelines, or even their ability to comply with regulations, if the requirements established in these guidelines enter in conflict with requirements imposed by the competent non-EU authority.
Therefore, It must be the competent authority of the country where the subsidiary is located that must decide, based on its legislation, on the adequacy of an outsourcing, since it is the one that grants the authorization to operate. Additionally, the European Competent authorities have diverse mechanisms, either multilateral such as the college of supervisors or bilateral such as the memorandum of understanding - MOU- with authorities in third countries to guarantee the adequate supervision and identify weaknesses in the relationship and control procedures between the parent company and its subsidiaries.
Finally, European entities are obliged to comply with article 109 (2) of Directive 2013/36/EU that establishes obligations to ensure that systems, procedures and mechanisms are consistent and well integrated in the subsidiaries and that subsidiaries provide any type of data and information requested for supervision.
Therefore, we propose the following rewording of paragraph 9:
“Without prejudice to Directive 2014/65/EU (MiFID II), the Commission's delegated Regulation (EU) 2017/565 containing requirements regarding the outsourcing for institutions providing investment services and performing investment activities and respective guidance issued by the European Securities and Markets Authority regarding investment services and activities, institutions referred to in Directive 2013/36/EU should also comply with these guidelines on a solo basis, sub-consolidated basis and consolidated basis as set out in Articles 21, and Articles 108 to 110 of Directive 2013/36/EU. Nevertheless, parent or subsidiary institutions not located in the EU are not required to comply with these guidelines ”
With reference to the proposed definition of outsourcing, we feel that it is so wide that any arrangement with a third party could be considered outsourcing. Given that EBA has already made clear that this definition will be kept to ensure harmonization with MIFID regulation, we expect that EBA only sets requirements on outsourcing arrangements made with third parties in relation to core activities subject to approval/licensing by financial authorities.
Any outsourcing related with non-exclusive financial activities should be considered as not relevant and not be subject to any information, register or other obligation in these guidelines in order to ensure that financial entities can compete on an equal footing with non-financial firms offering products or services not requiring a specific license.

Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?

We agree that some smaller institutions could find challenging complying with these guidelines and need some flexibility. However, the principle of proportionality should be applied in a way that does not confer any competitive advantage for those smaller institutions in the provision of a given service. In addition, some reference criteria should be set so that it can be clearly established which institutions or activities are eligible for the application of the proportionality principle.

Q3: Are the guidelines in Title II and, in particular, the safeguards ensuring that competent authorities are able to effectively supervise activities and services of institutions and payment institutions that require authorisation or registration (i.e. the activities listed in Annex I of Directive 2013/36/EU and the payment services listed in Annex I of Directive (EU) 2366/2015) appropriate and sufficiently clear or should additional safeguards be introduced?

We feel that the scope of these Guidelines should be limited to agreements considered outsourcing and not to other kind of agreements that will have to follow precautions already covered in other regulations on risk governance, identification and monitoring. Thus, in order to avoid these GL imply a dramatic increase of the compliance burden or they even become unachievable if even specialized providers such as electricity suppliers or telecommunication companies have to be assessed, the risk assessment requirements in these GL should be restricted to the outsourcing arrangements within their scope and not be extended to any third party.
Therefore, we ask the EBA to remove paragraph 22 of the background section and reword paragraph 24 of the guidelines as follows:
“24. The risks, including in particular the operational risks, of the arrangements with third parties that fall under the definition of outsourcing and are related to a licensed activity should be assessed in line with paragraphs 53 and 55 and Section 9.3, taking into account the application of the proportionality principle as referred in Section 1.”
Finally, we are convinced that to ensure effective supervision and ease compliance, Competent Authorities should find mechanisms to directly supervise those non-financial service providers that concentrate a relevant number of activities outsourced by different financial institutions. In those cases, supervised non-financial companies would benefit from that status and be recognized as reliable providers of outsourcing services in the financial sector.

Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?

Clarification is required that the application of the GLs on sub-consolidated and consolidated basis is always restricted to licensed entities in the financial sector to which possible statutory outsourcing provisions are applicable, otherwise the scope of application according to the GLs could go far beyond possible statutory regulations. Therefore, it should be clearly stated that this policy is not to be implemented in those entities of the group being (i) licensed entities in the financial sector not located in EU Member States; and (ii) non-licensed entities in the financial sector.
From our point of view, compliance with this section could be costly and burdensome if, as already pointed out, third party arrangements to be assessed are not limited to those considered critical outsourcing nor only material conflicts of interest, as requested in our reply to Q5, are to be taken into account.
Regarding outsourcing policy,we find this section too prescriptive, imposing minimum documentation to be maintained and procedures to be defined that are too detailed for a high-level document.
From our point of view, a policy document adopted by the management body does not need such a level of detail. Therefore, elements in paragraph 34 such as the criteria to identify critical functions, procedures for mitigating conflicts of interest, business continuity planning, exit and termination plans and strategies or the documentation and records should be incorporated in lower corporate level documents such as internal GLs and/or handbooks.reflected in implementation procedures and not in the general policy.

Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?

We need clarification about what is considered “a material conflict of interests” in paragraph 38. It is particularly important to avoid having to identify and manage many hypothetical conflicts of interest, overall in those intra-group outsourcing arrangements already in place.

Q6: Are the guidelines in Sections 8 regarding the documentation requirements appropriate and sufficiently clear?

Regarding the documentation requirements, we feel that the terms arrangement, agreement and contracts are mixed along the guidelines and therefore it is not always clear what these terms refer to.
With reference to documentation and information to be maintained, we are specially concerned on the requirement of Information on functions outsourced to cloud service providers even though the outsourced function is not critical (paragraph 47.c.), since this is against the principle of technology-neutrality and the objective in the Digital Single Market project of promoting cloud adoption. Furthermore, this requirement will increase the compliance burden of cloud services before other traditional (not necessary less risky) technologies.
Therefore, we request the EBA to remove the last part of paragraph 47 c (“and outsourcing to cloud service providers”).
We believe that if the documentation to store and the information to be filled in the register are not kept to a minimum, the cost of compliance with these GLs could substantially increase.

Q7: Are the guidelines in Sections 9.1 regarding the assessment of criticality or importance of functions appropriate and sufficiently clear?

In the pre-outsourcing analysis the requirement to “identify and assess conflicts of interest that the outsourcing may cause” (paragraph 48.d) should be rephrased as “identify and assess material conflicts of interest that the outsourcing may cause”, provided that a clear definition of what is a material conflict of interest is given and a reasonable management of conflicts of interest is possible.
The criteria to be considered to decide what is “critical or important” are too broad and therefore leave room for different interpretations by national competent authorities and a potential fragmentation in supervisory practices.
Regarding the substitutability of an outsourcing agreement, the requirement to assess the impact of a disruption of the service should be restricted to critical or important outsourcing arrangements, that are the only ones that can represent a risk for the financial performance of an institution. Therefore, we request the EBA to reword the paragraph 52 as follows:
“Where the institution or payment institution concludes that the critical outsourcing arrangement is not substitutable in an appropriate time frame or that its substitution would lead to a material business disruption, it should assess the overall impact of the disruption of the service on its financial position and on the orderliness of its business conduct.”

Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?

As we stated previously, it would be worth that EBA takes a role in supervising and monitoring directly and even certifying those providers that are used by a significant number of financial service providers. This would ease the due diligence process of those certified providers and help to communicate the importance of this process to those companies that currently do not really understand the need to provide the information required by the guidelines.

Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?

We feel the requirement in paragraph 57 to “identify, manage, monitor and report all risks they are or might be exposed to relating to arrangements with third parties, regardless of whether or not those arrangement are considered outsourcing arrangements” exceeds the objective of these guidelines and creates an unexpected additional compliance burden.
Therefore, paragraph 57 should be amended as follows:
Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, manage, monitor and report all risks they are or might be exposed to relating to outsourcing arrangements

Q10: Are the guidelines in Section 10 regarding the contractual phase appropriate and sufficiently clear; do the proposals relating to the exercise of access and audit rights give rise to any potential significant legal or practical challenges for institutions and payment institutions?

Regarding chain outsourcing, in the contract the service provider is held liable of any sub-outsourced activity and has the obligation to ensure that sub-outsourcers have the same obligations that have been imposed on it. Provided this is the case and as long as the service provider is obliged to inform and duly update any sub-outsourcing and the financial institution has the right to terminate the agreement in case of undue sub-outsourcing, paragraph 65.h, point g (right to oppose subcontracting) should be optional.

Q11: Are the guidelines in Section 11 regarding the oversight on outsourcing arrangements appropriate and sufficiently clear?

We believe that paragraph 83 (“Institutions and payment institutions should monitor on an ongoing basis the performance by the service provider and, where applicable sub-contractors, with regard to all outsourcing arrangements with a particular focus on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured.) could have deep organization and compliance implications if it is required to implement a central control body in institutions whose functions are currently spread through the institution. Therefore, we need EBA to clarify if this paragraph requires the creation of a central monitoring body in institutions or it would be enough ensuring that this monitoring is performed by the institution’s area receiving the service.
In addition, we consider that confidentiality of information, security, continuity and data location and processing are issues already covered by specific regulations (i.e. the General Data Protection Regulation, NIS Directive) that both Financial Institutions and also CSPs shall comply with. Therefore, these guidelines should not refer to general regulations that financial institutions must already comply with and avoid setting any additional requirement to those already established by the regulations on these fields.
Paragraph 83 needs to be redrafted in order to clarify that the reporting escalation-process should not lead to any risk identified with regard to outsourcing arrangements being reported to the management body, but only to those deemed as material and, in any case, pursuant to the risk governance model defined by the entity. In that sense, the new proposed wording would be the following:

“Institutions should regularly update their risk assessment in accordance with Section 9.3 and periodically report to the management body on any material risks identified in respect of outsourcing of critical or important function, pursuant to the risk reporting governance framework in place in each entity.”"

Q13: Are the guidelines in Section 13 appropriate and sufficiently clear, Iin particular, are there any ways of limiting the information in the register which institutions and payment institutions are required to provide to competent authorities to make it more proportionate and, relevant? With a view to bring sufficient proportionality, the EBA will consider the supervisory relevance and value of a register covering all outsourcing arrangements within each SREP cycle or at least every 3 years in regard of the operational and administrative burden.

The requirement to inform competent authorities about planned outsourcing of critical or important functions set in paragraph 93 is burdensome and duplicates the obligations in paragraph 92 and 95 to report all existing outsourcing at least every three years, whenever the supervisory authorities demand it or whenever a material change or a serious event occur.
Moreover, it could affect the time-to-market of those new initiatives that are subject to this requirement and create a competitive disadvantage before companies offering financial services not subject to license that do not have any constraints for launching new services. In addition, establishing that this notification is effected in a “timely manner” gives ground for different interpretations by each competent authority. As a result, it is possible that some competent authorities interpret this notification requirement as an authorization procedure, thus maintaining fragmentation in national practices.
Therefore, we ask EBA to remove this notification procedure. Should the notification requirement is maintained, it should be adapted so that:
it is thoroughly defined to avoid different interpretations by competent authorities,
it becomes an ex post requirement to avoid any competitive disadvantage between institutions subject to this requirement and those companies no required to inform any authority, and
before they intend to enter into the new outsourcing" is replaced by “after they enter into a new outsourcing”, so that there is no need to interpret in which project milestone (when choosing the provider, before signing the agreement, when going to production, when launching the pilot phase, …) is this communication to be effected and that it is possible to inform ex-post.
Similarly, the terms “without undue delay” and “material changes” in paragraph 95 are vague legal concepts that may lead to different interpretations. In fact, when talking about timing, more harmonisation is needed to guarantee a level playing field for all EU institutions regardless their country of origin."

Q15: Is the template in Annex I appropriate and sufficiently clear?

The excel in the annex has outsourcing categories that are not outsourcing from our point of view: private cloud, hardware, software, legal advice (department), human resources, Payroll accounting, … and lacks other services that can be subject to outsourcing (contact centers, for instance).
Also, as already said, it is paramount that the information to be filled in the register is kept to a minimum in order to avoid that the cost of compliance with these GLs substantially increases.

Q16: Are the findings and conclusions of the impact assessments appropriate and correct; where you would see additional burden, in particular financial costs, please provide a description of the burden and to the extent possible an estimate of the cost to implement the guidelines, differentiating one-off and ongoing costs and the cost drivers (e.g. human resources, IT, administrative costs, etc.)?

Regarding the scope of application in section D, as already stated, we could only agree on the exclusion of credit intermediaries, non-bank creditors and account information services if credit, payment and e-money institutions are also excluded from the obligation to inform of informing of any activity linked to those services
In case institutions under the scope of these GLs are required to comply with these GLs on any activity they perform, these guidelines should also be applicable to credit intermediaries, non-bank creditors and account information services to ensure that any institution providing similar services are subject to the same obligations and, therefore, there is a level playing field for offering those services.
With reference to the cost-benefit analysis in section E, we are not sure that the compliance cost is low, since, depending on the clarifications given by EBA, the compliance burden will be dramatically increased once these GLs enter into force. Therefore, we understand that the compliance cost could only be considered low if:

- the scope of the outsourcing definition or at least of what is considered a critical outsourcing is narrow,
- a general third party monitoring obligation is not imposed,
- non-EU parent or subsidiaries are out of the scope of these guidelines,
- a central outsourcing monitoring body is not required,
- a level playing field among all participants in financial markets is guaranteed,
- a softer approach to intra-group outsourcing is taken and
- the documentation to be stored and the information to be filled in the register are kept to a minimum.

On the contrary, the compliance burden for credit, payment and e-money institutions will be dramatically increased and they will be left in a disadvantageous competitive position before other companies offering non-exclusive financial services.

Name of organisation