Response to consultation on draft Guidelines on outsourcing

Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?

35. b. What is the need for the policy to differentiate between authorized and unauthorized service providers?

Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?

40. The Business Continuity Plan is highly sensitive information, since it exposes situations that can compromise supplier safety; therefore many suppliers are reluctant to provide their plan or do not provide it at all.
Is it possible to provide for the obligatory delivery of the Operational Continuity Plan by the Supplier?
Should the Bank be able to participate in the BCM tests carried out by the Supplier / Outsourcer?

44. d. This fulfilment presupposes that the service provider is required to adopt risk assessment criteria that are comparable with the institution’s ones. How to fulfil where the Service Provider is not obliged to formalize his risk appetite or does it follow different criteria than the institution’s ones?

Q6: Are the guidelines in Sections 8 regarding the documentation requirements appropriate and sufficiently clear?

47. b. The service provider could have a very complex sub-service network. To which level of sub-service is it necessary to include and which type of sub-service?

The Bank registers Suppliers (Outsourcers) and acquires all the information necessary to identify the outsourced processes / procedures; in the event that the outsourcer intends to make use of the collaboration of another supplier (sub-outsourcer), he must acquire and transmit to the Bank all the information necessary for the sub-supplier's census and communicate which part of the process has been entrusted to him?

Furthermore, should the supplier be contractually required to act as guarantor of the operational continuity aspects adopted by the sub-outsourcer?

47. c. viii What does “time critical” mean? Is there a precise classification that involves significant consequences?

Q7: Are the guidelines in Sections 9.1 regarding the assessment of criticality or importance of functions appropriate and sufficiently clear?

51. g. What does “to be scaled up” mean?

Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?

54. In addition to the difficulty of obtaining such information when the service provider has its address abroad, it is assumed that the institution has the internal expertise to be able to assess aspects related to foreign regulation.

56. It is difficult to check that the service provider and, where applicable, the subcontractors adhere to the international standards on human rights, the environment and adequate working conditions, including the prohibition of child labor.

Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?

57. We ask you to confirm that the monitoring and reporting process is internal to the institution.

58. It is asked to clarify whether the indication of any increase / decrease in operational risk is qualitative.


61. Please specify in detail what is meant by risk assessment during continuous monitoring"

61. e. Should security measures be foreseen and defined in the outsourcing agreement?

Q10: Are the guidelines in Section 10 regarding the contractual phase appropriate and sufficiently clear; do the proposals relating to the exercise of access and audit rights give rise to any potential significant legal or practical challenges for institutions and payment institutions?

63. e. What level of detail and punctuality should the relevant data be stored in the outsourcing agreement?
What do you mean by relevant?

70. What is meant by:
Sensitive data?
Sensitive payment data?
Specific data according to EU Regulation 2017/679?
Confidential data of the institution that outsources?

Q11: Are the guidelines in Section 11 regarding the oversight on outsourcing arrangements appropriate and sufficiently clear?

83. Does this mean that the institution should monitor the sub-sub-contractors?

85. Making periodic assessments in the absence of any variation may not be productive. It is proposed to carry out evaluations only if there are variations on the contract.

Q12: Are the guidelines in sections 12 regarding exit strategies appropriate and sufficiently clear?

90. b. Please clarify whether the scenario "transition from one supplier to another" should be included in the business continuity plans and if this scenario should be tested.

Q13: Are the guidelines in Section 13 appropriate and sufficiently clear? In particular, are there any ways of limiting the information in the register which institutions and payment institutions are required to provide to competent authorities to make it more proportionate and relevant? With a view to bringing sufficient proportionality, the EBA will consider the supervisory relevance and value of a register covering all outsourcing arrangements within each SREP cycle or at least every 3 years in regard of the operational and administrative burden.

92. Is an Excel sheet sufficient or should a dedicated software application be used?

93. Is the requirement adequately satisfied by a prior notification to the supervisory authority before the agreement finalization?

Q14: Are the guidelines for competent authorities in Title V appropriate and sufficiently clear?

99. Please clarify which "risk analysis" activities are concerned, considering that on-site inspections are carried out by the Audit Function and not by the Risk Function.

Name of organisation

Banca Monte dei Paschi di Siena