Response to consultation on draft Guidelines on outsourcing
Go back
In addition, while some of the comments in our response are of general application, others are entity specific. We also highlight certain instances where the guidelines may pose special issues for entities which are CCPs and/or MTFs operated by investment firms.
We note that EBA Guidelines will apply to investment firms subject to Directive 2013/36/EU. As such, there will be MTFs operated by MiFID investment firms which will be subject to the EBA Guidelines contrary to MTFs operated by market operators. Furthermore, EBA Guidelines introduce a significant set of granular provisions in terms of internal procedures, policies and resources.
While we acknowledge that the proportionality principle will allow smaller investment firms to make appropriate adjustments in the development and implementation of internal procedures and processes under EBA Guidelines, such flexibility may not be sufficient for those investment firms that are authorised only to operate an MTF, are mono-product and not significant.
Article 95(1) of Regulation (EU) No 575/2013 (“CRR”) expressly recognises as a separate category those investment firms that are not authorised to provide investment services and activities other than the operation of an MTF. This category has a limited authorisation and a limited risk exposure, so ad hoc prudential and organisational requirements are justified.
EBA should clarify the scope of these guidelines when it comes to MTF according to CRR approach. This could entail not applying some of the requirements to these to MTFs or exempting them from these.
The EBA Guidelines state that the criteria for assessing “critical or important functions” are based on the provisions specified under Directive 2014/65/EU (MiFID II) and the Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II.
We note, however, that in Section 9.1, paragraph 49 of the proposed EBA Guidelines seems to extend their scope by also including other elements to be considered in the assessment of the criticality or importance of the outsourced function. For example, paragraph 49, (b) includes as a further element to consider the case when operational tasks of internal control functions are outsourced, which is not consistent with the criteria specified under A30 Delegated Regulation (EU) 2017/565.
We therefore kindly request EBA to align the criteria regarding the assessment of criticality or importance of the outsourced functions with Directive 2014/65/EU (MiFID II) and the Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II.
While we believe that such requirement may be reasonable with reference to banks, also as part of their recovery planning, we believe that the Guidelines should have a more risk-based approach conferring flexibility to institutions to develop their own risk assessment framework.
LSEG believes that testing with alternative providers should only be performed when serious concerns are raised with the main provider to successfully maintain integrity of internal systems and contractual obligations put in place between the investment firm/CCP and the existing supplier.
We hope that you will find LSEG’s input provided in this consultation paper useful and we remain at your disposal for any additional clarifications.
Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?
The scope of the guidelines is clear. However, we understand that certain entities within the scope can include central counterparties (CCPs) holding a banking licence and multilateral trading facilities (MTFs) operated by investment firms. We believe that this should be clarified and as explained in our general remarks, due consideration should be given should be given as to whether they should be in the scope of these guidelines.In addition, while some of the comments in our response are of general application, others are entity specific. We also highlight certain instances where the guidelines may pose special issues for entities which are CCPs and/or MTFs operated by investment firms.
Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?
LSEG supports EBA’s approach to provide detailed guidelines which should be applied considering the institution’s size, internal organisation and the nature, scope and complexity of their activities, by considering the criteria specified under EBA Guidelines on internal governance.We note that EBA Guidelines will apply to investment firms subject to Directive 2013/36/EU. As such, there will be MTFs operated by MiFID investment firms which will be subject to the EBA Guidelines contrary to MTFs operated by market operators. Furthermore, EBA Guidelines introduce a significant set of granular provisions in terms of internal procedures, policies and resources.
While we acknowledge that the proportionality principle will allow smaller investment firms to make appropriate adjustments in the development and implementation of internal procedures and processes under EBA Guidelines, such flexibility may not be sufficient for those investment firms that are authorised only to operate an MTF, are mono-product and not significant.
Article 95(1) of Regulation (EU) No 575/2013 (“CRR”) expressly recognises as a separate category those investment firms that are not authorised to provide investment services and activities other than the operation of an MTF. This category has a limited authorisation and a limited risk exposure, so ad hoc prudential and organisational requirements are justified.
EBA should clarify the scope of these guidelines when it comes to MTF according to CRR approach. This could entail not applying some of the requirements to these to MTFs or exempting them from these.
Q3: Are the guidelines in Title II and, in particular, the safeguards ensuring that competent authorities are able to effectively supervise activities and services of institutions and payment institutions that require authorisation or registration (i.e. the activities listed in Annex I of Directive 2013/36/EU and the payment services listed in Annex I of Directive (EU) 2366/2015) appropriate and sufficiently clear or should additional safeguards be introduced?
LSEG confirms that the guidelines in Title II are clear and we do not consider that additional safeguards are necessary.Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?
LSEG confirms that the guidelines in Section 4 are clear and appropriate.Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?
LSEG confirms that the guidelines are clear. It should be noted that ESMA has issued strict guidelines on CCP conflict of interest management in February 2018. These guidelines include provisions on conflicts of interest in outsourcing arrangements where CCPs belong to a wider group. Given that the ESMA guidelines for CCPs are more specific than the EBA draft guidelines there appear to be no conflicting elements between the two. However, in finalising the guidelines we remind the EBA that CCPs with a banking licence would need to comply with strict EMIR requirements for outsourcing for CCPs and that broader alignment between the EBA guidelines should be the primary objective. In cases where CCPs are subject to both requirements, the EMIR requirements for CCPs should take precedence, and due consideration should be given on the need to include CCPs with a banking licence in the scope.Q6: Are the guidelines in Sections 8 regarding the documentation requirements appropriate and sufficiently clear?
LSEG confirms that the guidelines in Section 8 are clear and appropriate.Q7: Are the guidelines in Sections 9.1 regarding the assessment of criticality or importance of functions appropriate and sufficiently clear?
LSEG would welcome a more consistent approach with respect to the identification of the criteria regarding the assessment of criticality or importance of the outsourced functions.The EBA Guidelines state that the criteria for assessing “critical or important functions” are based on the provisions specified under Directive 2014/65/EU (MiFID II) and the Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II.
We note, however, that in Section 9.1, paragraph 49 of the proposed EBA Guidelines seems to extend their scope by also including other elements to be considered in the assessment of the criticality or importance of the outsourced function. For example, paragraph 49, (b) includes as a further element to consider the case when operational tasks of internal control functions are outsourced, which is not consistent with the criteria specified under A30 Delegated Regulation (EU) 2017/565.
We therefore kindly request EBA to align the criteria regarding the assessment of criticality or importance of the outsourced functions with Directive 2014/65/EU (MiFID II) and the Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II.
Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?
LSEG confirms that the guidelines in Section 9.2 are clear and appropriate.Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?
Section 9.3 requires institutions to assess the impact of outsourcing agreements on operational risks based on the development of scenarios of risk events and requiring them to document the result of such analysis.While we believe that such requirement may be reasonable with reference to banks, also as part of their recovery planning, we believe that the Guidelines should have a more risk-based approach conferring flexibility to institutions to develop their own risk assessment framework.
Q10: Are the guidelines in Section 10 regarding the contractual phase appropriate and sufficiently clear; do the proposals relating to the exercise of access and audit rights give rise to any potential significant legal or practical challenges for institutions and payment institutions?
LSEG confirms that the guidelines in Section 10 are clear and appropriate.Q11: Are the guidelines in Section 11 regarding the oversight on outsourcing arrangements appropriate and sufficiently clear?
LSEG confirms that the guidelines in Section 11 are clear and appropriate.Q12: Are the guidelines in sections 12 regarding exit strategies appropriate and sufficiently clear?
LSEG would welcome EBA’s clarity on how the guidelines suggest exit plans to be “tested”. We acknowledge that banks should have developed “exit” plans to satisfy their regulatory requirements and that they should develop dispositions to roll out those plans when needed. We do however need to highlight that such plans are maintained at a conceptual stage and reviewed at a regular basis. However, if the tests are meant to be active investigation of implementing exit strategies with alternative providers it would require a very significant level of resources and cost. Additionally, if it requires engaging with alternative suppliers, it raises concerns about intellectual property and confidentiality. LSEG believes that testing with alternative providers should only be performed when serious concerns are raised with the main provider in order to successfully maintain integrity of internal systems and contractual obligations put in place between the investment firms/CCP and the existing supplier.Q13: Are the guidelines in Section 13 appropriate and sufficiently clear, Iin particular, are there any ways of limiting the information in the register which institutions and payment institutions are required to provide to competent authorities to make it more proportionate and, relevant? With a view to bring sufficient proportionality, the EBA will consider the supervisory relevance and value of a register covering all outsourcing arrangements within each SREP cycle or at least every 3 years in regard of the operational and administrative burden.
LSEG broadly agrees with the guidelines in Section 13 and the importance of communicating any outsourcing arrangement to competent authorities with the help of an online register. We do believe however that, such register should be populated with the most relevant information such as, start & end date of the contract, the name of provider, a short description of service, whether the service is critical or not etc. If additional information is required, this should be determined by competent authorities and on a case by case basis, after determining whether an outsourcing arrangement is deemed critical or not.Q14: Are the guidelines for competent authorities in Title V appropriate and sufficiently clear?
LSEG confirms that the guidelines in Title V are appropriate and sufficiently clear. We agree that competent authorities should take a risk-based approach to monitoring outsourcing arrangements.Q15: Is the template in Annex I appropriate and sufficiently clear?
LSEG confirms that the template is clear. However, with regards to “last audit” dates, we would like to highlight that the date of the last on-site audit will generally not cover complete scope of outsourcing service at a group level merely due to the size and technicality required.Q16: Are the findings and conclusions of the impact assessments appropriate and correct; where you would see additional burden, in particular financial costs, please provide a description of the burden and to the extent possible an estimate of the cost to implement the guidelines, differentiating one-off and ongoing costs and the cost drivers (e.g. human resources, IT, administrative costs, etc.)?
LSEG would like to reiterate at this stage that although we acknowledge that banks should have developed “exit” plans to satisfy their regulatory requirements and that they should develop dispositions to roll out those plans when needed. As per our response to question 12, if the tests are meant to be active investigation of implementing exit strategies with alternative providers they would require a very significant level of resources and costs (both one-off and ongoing costs).LSEG believes that testing with alternative providers should only be performed when serious concerns are raised with the main provider to successfully maintain integrity of internal systems and contractual obligations put in place between the investment firm/CCP and the existing supplier.
We hope that you will find LSEG’s input provided in this consultation paper useful and we remain at your disposal for any additional clarifications.