Response to consultation on draft Guidelines on outsourcing


Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?

The Guidelines are not appropriate and sufficiently clear regarding the implementation and date of application. When reading the paragraphs 12 and 13 of the Draft GL it is not clear whether the transitional period of 31 December 2020 (i) refers only to a documentation requirement of outsourcing arrangements entered into before 30 June 2019 in accordance with the provisions of Title III Chapter 8 of the Draft GL or (ii) expresses the expectation that outsourcing arrangements entered into before 30 June 2019 need to be adapted in accordance with the entire provisions of the Draft GL. While regarding option (i) we understand the need to have a register that contains information on all existing outsourcing arrangements, we strongly disagree with option (ii) and recommend EBA to remove this requirement from the final version of the GL (if this is indeed the meaning of paragraphs 12 and 13 of the Draft GL). We deem option (ii) as an infringement of the legal certainty since it imposes to the contractual parties obligations which at the time of concluding the contract were unknown and not legally binding.
Para 11 of the draft guidelines provides a too wide definition of ‘outsourcing’:
‘an arrangement … between an institution and a service provider by which that service provider performs a process, a service or an activity, or parts thereof that would otherwise be undertaken by the institution (…) itself’
A clarification is needed that the transfer of certain tasks in f.i. cooperative groups or networks to the central institution or other specialized separate legal entities is not considered as outsourcing (e.g. use of central institution services in an IPS or cooperative network, like liquidity lines/liquidity management, payment or securities clearing, custodian services based on relevant custody legislation, etc.).
An example is given by those networks consisting of central credit institutions and associated local banks which are legally or contractually responsible for cash-clearing operations within the network (see Article 400(2)(d) CRR).
Furthermore, especially in the case of small banks that are part of an IPS or part of a network a meaningful differentiation is of utmost importance. In those banking groups the service provider (e.g. the central institution or a specialized separate legal entity) has been set up mainly to perform standardised services for the affiliated institutions which would not be able to undertake those services by themselves (principle of subsidiarity). Small banks would not be able to bear the cost of fulfilling the tasks that are provided by the central institution or a specialized separate legal entity themselves or reach the level of quality safeguarded by the central institution or by a specialized separate legal entity.
The German supervisory authority has recognized the special situation of cooperative banking groups and on the decentralized banking sectors and has introduced a special definition for “acquired services” to avoid a huge bureaucratic impact for smaller banks.
Therefore, in para 11 the following separate definition of “acquisition of services” is needed to avoid misunderstandings between “outsourcing” and other “acquired services”:
“Acquired Services”:
“Singularly or regularly acquired services that couldn’t be provided by the institution itself due to factual circumstances or legal requirements.”
Furthermore, legal requirements by law shall not be part of the new requirements provided in the guidelines. If for example a liquidity management by the central institution is required by national law (like in Austria), it should not fall within the scope of the guidelines. An explicit exemption for these legal requirements would be necessary in the guidelines.
If the interpretations of outsourcing and acquisition of services above are not shared, many separate explicit exemptions in the concerned provisions would be necessary, as smaller cooperative and savings banks could not provide the services themselves: For example, regarding the following requirements separate exemptions would have to be provided for cooperative banking groups:
• the oversight may be centralized to avoid the inefficiency of a multiple oversight (para 31 point c);
• the decisions related to these activities are not possible on a stand-alone basis. Instead, the only opportunity is a coordinated “democratic” process involving all the banks (for example to transfer as an exit strategy the critical function to another service provider) (para 32 point b and g; para 34);
• the concentration risk, resulting from multiple outsourcing to the central institution or its subsidiaries is not relevant, as there must not be supervisory pressure to break up those networks (nothing would be improved if not everybody joins in using the network services) (para 59 point a);
• it must be possible to rely solely on third party auditing reports made available by the central institution as a service provider and to avoid individual audits by each local bank (para 74, 75 point f).

Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?

With regard to the wording of paragraph 20b (“where those institutions and payment institutions (…) rely on a central pre-outsourcing assessment (…)”) we believe that it needs to be aligned with the wording in Title IV Section 9 where a pre-outsourcing analysis is mentioned. We therefore recommend replacing the term “pre-outsourcing assessment” with “pre-outsourcing analysis”.

For outsourcing activities within groups the Draft GL foresees several conditions to ease the requirements especially on the level of a single entity belonging to a central body, groups or members of an institutional protection scheme (IPS). It allows that by establishing uniform arrangements and centralized operational tasks. On the other side the Draft GL enables the transfer of all of its provisions to the central body as a whole if there have been waivers in accordance to Article 7 and 10 CRR or Article 21 of CRD IV granted.

While we acknowledge the systematics of the conditions within paragraph 21 (page 22) of the Draft GL as a waiver, Article 10 CRR demands a high level of integration and control mechanisms of institutions affiliated to a central body we question the understanding of other (sometimes similarly and/or) highly integrated groups, with centrally executed control and enforcement mechanisms. The major differences between these groups are the organisational structure and the capital participation. To give an example an IPS has to prove to be able to effectively monitor, manage and enforce own funds requirements to all its members by the central body without temporal delay, material practical or potential legal impediments. To enable such a transfer of own funds by monitoring, management and enforcement in fact the IPS has to establish the same level of organisational, technical, capital and staffed environment as any group that has been granted waivers in accordance to Art 7 and 10 CRR.

Therefore, we suggest the EBA reconsidering the approach for the chapter “Outsourcing within group application and institutional protection scheme” (para 17-21 of the Draft GL) and enabling the IPS at least a similar centrally organized outsourcing regime as groups where waivers have been granted. We would like to remind that IPS often face a situation of certain ownerships like foundations without a proprietor (e.g. in Austria), that want to cooperate and act as one group but have no other opportunity than to arrange themselves by an IPS-structure, that tries to achieve group-effects but cannot become a (usual) group such as by equity participation.

A more proportionate approach should be considered in case the waiver is not granted especially with regards to decentralised networks (with or without an IPS) where the functions of hundreds of affiliated institutions are centralised in the central institutions. In banking networks the transfer of certain tasks particularly exists in the area of reporting, risk management, treasury, payment transactions, information and communication technology (e.g. data centres as specialized separate legal entities) and customer relationship management (CRM). For efficiency and financial stability reasons these arrangements are also supported by the competent national supervisors, as this transfer of certain tasks reduces the operational risks of decentralized banking groups.
Against this background and to avoid an enormous bureaucratic effort (e.g. the notification of any planned outsourcing to the Competent Authority, the assessment of the service provider, etc.) for hundreds of small cooperative banks and to take into consideration also decentralised networks (with or without an IPS), para 21 should be changed as follows:
“Where waivers have been granted on an individual basis on the basis of articles 7, 10, 113(6), 113(7) of Regulation (EU) No 575/2013 of Article 21 of Directive 2013/36/EU or to a cooperative network in a Member State, the provisions of these guidelines should be applied by the parent undertaking in a Member State for it and its subsidiaries or by the central body and its affiliates as a whole.”

Q3: Are the guidelines in Title II and, in particular, the safeguards ensuring that competent authorities are able to effectively supervise activities and services of institutions and payment institutions that require authorisation or registration (i.e. the activities listed in Annex I of Directive 2013/36/EU and the payment services listed in Annex I of Directive (EU) 2366/2015) appropriate and sufficiently clear or should additional safeguards be introduced?

See answer to Q1 concerning the assessment whether an arrangement with a third party falls under the definition of acquisition of services or outsourcing.

Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?

Once again we want to emphasize that the number of arrangements that fall under the definition of “outsourcing” has to be reduced and the fulfillment of the provisions of these guidelines should be only applied by the central institution also in cooperative networks and in IPS. If no changes are made in para 11 and 21 (see Q1 and 2) with regard to para 34 point e on exit strategies, a more proportional approach should be taken into account. It is not realistic to require small institutions having in place exit strategies for critical functions such as the IT system. In this context it is worth mentioning that in case of smaller cooperative banks it is common to have a full transfer of IT systems, typically to a data centre as a specialized separate legal entity which is owned by the banks collectively. According to our understanding this is not even “outsourcing” because the smaller bank could not do the IT system “otherwise” itself.
Supervisors should be interested in the cohesion of networks which means that only the whole network could have an exit strategy changing the provider on the basis of a coordinated “democratic” process.
Moreover, it has to be reflected that within networks (with or without an IPS) services are often transferred to providers that are owned by the network and exclusively service the network. Where a bank relies on such an internal service provider for decades and will most probably continue to do so in the future, an elaborated exit strategy seems disproportionate.

Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?

According to para 38 on conflicts of interest
‘institutions should ensure that the conditions, including financial conditions, for the outsourced service are set at arm’s length’.
The number of arrangements that fall under the definition of “outsourcing” has to be reduced and the fulfillment of the provisions of the guidelines should be only applied by the central institution (also in cooperative networks and in IPS). If no changes are made in para 11 and 21 (see Q1 and 2) the notion of arm’s length should not be intended in such a proposed strict manner and reflect the realities of a banking group and network. Within cooperative groups very often specific entities have been established to provide services to the affiliated institutions at better financial conditions than market providers. This exclusivity is reflected to some degree in the business relation, but also in the financial conditions and may significantly differ from those of free market providers. Sometimes those specific entities owned directly or indirectly by the members of the cooperative banking group are only working at cost, which obviously makes a difference towards market providers pursuing their own profit interests.
Moreover, if no changes are made in para 11 and 21 (see Q1 and 2) concerning Section 6 “Business continuity plans”, the GL should specify that - where business continuity plans for the case of technical failure should be in place - the outsourcing institution or/and the service provider do not necessarily have to provide different plans. For example, in the case of outsourcing of IT services to a data centre, it should be sufficient that the service provider establishes a business continuity plan (e.g. dual processing sides, back-up systems), which would then also be accepted for the bank.

Q6: Are the guidelines in Sections 8 regarding the documentation requirements appropriate and sufficiently clear?

Due to the administrative burden this register would imply and in line with the low level of risk related to outsourcing of non-critical or non-important functions, we consider that its content should be limited to arrangements related to outsourcing of critical or important functions and outsourcing to cloud service providers.

In case all arrangements remained in the scope of the register, we consider that for the arrangements of non-critical or non-important functions, the documentation should be limited to the following information: a brief description of the function outsourced and the name of the service provider.

Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?

Once again, we want to emphasize that due to the special situation of cooperative banking groups the number of arrangements that fall under the definition of “outsourcing” has to be reduced and the fulfillment of the provisions of these guidelines should be only applied by the central institution also in cooperative networks and in IPS. If no changes are made in para 11 and 21 (see Q1 and 2), it is worth to specify the following concerning due diligence.
Any due diligence process performed by an affiliated institution within a cooperative group regarding a service provider within the same group would result in a formal process. Indeed, entities – such as the central institution – have been established with the main purpose of providing specific services to the affiliated institutions. Therefore, the ability, capacity, resources and the organisational structure of those entities are tailored to the needs and features of the affiliated institutions.
Against this background, in case of transferring tasks within groups/networks those institutions that are members of an IPS or a cooperative network without an IPS should be exempted from the due diligence process.

Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?

When assessing the risks of an outsourcing arrangement within the meaning of paragraph 59a we do not consider necessary the performance of a separate assessment of concentration risks in case of intragroup outsourcings, since this is already ensured by the assessment of the resolvability of an institution or a group as required by Section C of the Annex to the BRRD.

The Draft GL refers to the “sensitivity” measures in para 61. We suggest giving a definition or a clarification on the meaning of this term.
Once again, we want to emphasize that the number of arrangements that fall under the definition of “outsourcing” has to be reduced and the fulfillment of the provisions of these guidelines should be only applied by the central institution also in cooperative networks and in IPS. If no changes are made in para 11 and 21 (see Q1 and 2), it is necessary to specify the following aspects concerning concentration risk.
In many groups and networks the functions of hundreds of affiliated institutions are centralised in the central institutions. Those institutions have been established to provide services to the affiliated institutions and to create economies of scale (according to the principle of subsidiarity). In this context, Section 9.3 shall consider cooperative groups’ organisational structure and, therefore, the outsourcing in that central institution should not be considered as concentration risks.
If this aspect will not be taken into consideration, this could lead to significant changes in the organizational structure and the task division model of cooperative groups.

Q10: Are the guidelines in Section 10 regarding the contractual phase appropriate and sufficiently clear; do the proposals relating to the exercise of access and audit rights give rise to any potential significant legal or practical challenges for institutions and payment institutions?

Once again, we want to emphasize that the number of arrangements that fall under the definition of “outsourcing” has to be reduced and the fulfillment of the provisions of these guidelines should be only applied by the central institution.
If the definition of outsourcing is interpreted in a too broad way on the basis of para 11 (see Q1), also including cases where a cooperative bank has economically no opportunity to fulfil the task provided by the central institution otherwise by itself at reasonable costs, the guidelines regarding the contractual phase are not appropriate and the proposals relating to the audit rights give rise to significant practical challenges to cooperative networks and networks of savings banks.
As labour sharing in banking groups and networks is an economic necessity and the only chance to create a level playing field with a “normal” business bank being a joint stock company with many branches within the same legal entity, it is crucial to keep the cost of auditing the service provider low. This is not possible if auditing on a stand-alone basis is required. In networks shared auditing must be sufficient. So it must be allowed to rely solely on third party reports (contradiction with para 74) and not to retain the contractual right to perform individual audits at the own discretion of any single small cooperative bank.
The execution of termination rights can only happen on the basis of coordinated “democratic” processes on the level of the whole IPS or cooperative network (without an IPS).
Moreover, if the definition of outsourcing is interpreted in a too broad way on the basis of para 11 (see Q1), it should be clarified what security goals are intended to be achieved with the defined security requirements with regard to Section 10.2 (Security of data and system). This clarification is necessary to choose appropriate security standards.

Q11: Are the guidelines in Section 11 regarding the oversight on outsourcing arrangements appropriate and sufficiently clear?

When evaluating the performance of service providers as defined in para 88 of the Draft GL it would be very helpful to have an indication of the character of key performance indicators (KPI) or key control indicators. To be more specific when it comes to certain service agreements the list of KPIs can be defined in a much more general way (e.g. high level KPIs as we see it with the BCBS 239 definitions) or indicators that are much more linked to the very content of the service agreement. A given indication of the KPI’s character would not just give a better understanding of the GL at this certain point but we would also see a higher stage of “level playing field” to all addressed institutions. That on the other side would also help all competent authorities when supervising outsourcing activities.

Q12: Are the guidelines in sections 12 regarding exit strategies appropriate and sufficiently clear?

We believe that comprehensive exit strategies should be mandatorily developed for outsourcing of important and critical functions as exactly in such cases continuity of services are endangered. We further believe, that the term “tested” could be misinterpreted in a way that a successful transfer or in-housing of outsourced functions could be requested which would in fact be very burdensome (if not connected with major risks as some outsourcings are usually requiring several years of preparation, e.g. outsourcing of core-banking systems or move of services from captive providers to external providers). Therefore, we propose the rewording of paragraph 90a of the Draft GL as follows:

“90. Institutions and payment institutions should ensure that they are able to exit outsourcing arrangements, without undue disruption of their business activities or adverse effects on their compliance with the regulatory framework and without detriment to the continuity and quality of its provision of services to clients. To achieve this, they should:
a. develop and implement exit plans that are comprehensive, documented and sufficiently tested for the outsourcing of important or critical functions that are addressing the main considerations (e.g. by carrying out an analysis of the potential costs, impact, resource and timing implications of transferring an outsourced service to alternative provider) relevant to execute an exit and which are sufficiently documented;”

Once again we want to emphasize that due to the special situation of cooperative banking groups the number of arrangements that fall under the definition of “outsourcing” has to be reduced and the fulfillment of the provisions of these guidelines should be only applied by the central institution (also in cooperative networks and in IPS). If no changes are made in para 11 and 21 (see Q1 and 2), a more proportional approach should be taken into account. Indeed, it is not realistic requiring small cooperative or savings banks to have in place exit strategies for critical functions such as the IT system.
In this context, only a pooled exit strategy based on a coordinated “democratic” process that involves all the affiliated institutions within an IPS or a cooperative network (without an IPS), is sensible.
Moreover, where a specific function (such as the internal audit) of an affiliated institution is transferred to the central body due to a legal requirement, there is no reason for an exit strategy to exist.

Q15: Is the template in Annex I appropriate and sufficiently clear?

It should be explicitly allowed to keep a different structure of the outsourcing register, as long as it contains the required information. Applying structural changes to existing outsourcing registers would cause enormous costs and would require a lot of time and effort, without real added value.

Name of organisation

Austrian Economic Chamber, Division Bank and Insurance