Response to consultation on draft Guidelines on outsourcing


Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?

(1) Definition of Critical and Important Functions

(a) We agree with the definition of the “critical and important function” for the purpose of the Guidelines. However, the central aspect in practice would be to define what the term “materially impair” means. In our opinion, this is more a continuum than a binary decision. An outsourcing is either more material or less material on a flexible scale, but it is in general not either fully material or not material at all. Also, it should be considered whether in the individual case, the additional requirements for outsourcing critical functions are adequate with regard to the objective size of the outsourced tasks. Otherwise there is the danger that small institutions would be bearing higher regulatory costs than bigger ones, just because a possible damage of e. g. € 1 million may be material for small institutions but totally insignificant for big ones when compared with the institution’s own funds. In other words, relatively small outsourcings may be judged material for small institutions, discouraging them with disproportionate additional requirements, while bigger institutions get a big competitive advantage. This would also be potentially detrimental to supervisory goals because outsourcing frequently makes sense especially for small institutions as regards quality assurance (e.g. IT security) and economies of scale.

Our proposal: Clarifying that the assessment of the materiality of outsourcing should also take into account the additional costs for compliance with additional requirements for outsourcing critical or important functions and compare these costs with the objective size/worth of the outsourcing. It should be avoided that the materiality test to determine critical or important functions works to the detriment of small institutions and discourages them from outsourcing.

(b) Outsourcing of functions within a national or an SSM-supervised group does not carry the same risks as in other cases, provided that both the outsourcing and the insourcing entity belong to the same group which is subject to supervision within the framework of SSM, i. e. supervised as regards corporate governance, business organization, risk management and solvency. Concentration risk is adequately dealt with because of that supervision also with regard to the insourcing entity.

Our proposal: Outsourcing within the same national or SSM-supervised group should be deemed less risky and requires no treatment as “material”. Therefore the additional requirements for outsourcing of critical or important functions should not apply.

(2) Definition of Outsourcing

In practice, there has been some uncertainty as to how the definition of outsourcing should be applied. More specifically: Whether the delegation of activities which have no direct link to licensable services can be outsourcing or not. Discussions were evolving around e. g. renting and technical caretaking for infrastructure or buildings, cleaning services, document shredding etc. We learned that in some Member States these activities can be deemed outsourcing because they might involve some operational risk. However, we think that not every external service is outsourcing merely because operational risk may be involved, because such understanding would at the end result in everything being outsourcing. The very specific outsourcing regulations should not be extended in scope in such a way, because they do not fit for every contractual service. The mentioned operational risks of service contracts that are not bank-specific should be dealt with otherwise, in the framework of operational risk and contract management.

We feel that the list of examples in Title II no. 23 is quite helpful in this respect, but not instructive enough, and it should be accompanied by a clarification of the definition.

Our proposal: A common understanding should be agreed that outsourcing in the meaning of supervisory law means the outsourcing of activities that directly relate to or are a part of a licensable service.

Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?

With regard to outsourcing within groups, please refer to our answer to Question 1, (1) (b). Outsourcing of functions within a national or an SSM-supervised group does not carry the same risks as in other cases, provided that both the outsourcing and the insourcing entity belong to the same group which is subject to supervision within the framework of SSM, i. e. supervised as regards corporate governance, business organization, risk management and solvency. Concentration risk is adequately dealt with because of that supervision also with regard to the insourcing entity.

Our proposal: Outsourcing within the same national or SSM-supervised group should be deemed less risky and requires no treatment as “material”. Therefore the additional requirements for outsourcing of critical or important functions should not apply.

Q3: Are the guidelines in Title II and, in particular, the safeguards ensuring that competent authorities are able to effectively supervise activities and services of institutions and payment institutions that require authorisation or registration (i.e. the activities listed in Annex I of Directive 2013/36/EU and the payment services listed in Annex I of Directive (EU) 2366/2015) appropriate and sufficiently clear or should additional safeguards be introduced?

(1) Authorisation of the Service Provider

We think that Title II no. 25 needs clarification. The current draft wording is not practicable and leads to weird consequences.

Take the following example:
An IT provider of risk management and reporting software and related services for banks would under the current wording probably need a banking licence. But it does not conduct any banking services, e. g. granting loans or taking deposits, for either the outsourcing institution or any other clients. Other than in the field of asset management, the risk management according to CRR is by itself not a licensable activity. The current wording of the draft would oblige IT service providers to take on the business of granting credit and taking deposits, because the licence cannot be granted without conducting those activities (cf. Art. 18 (a) CRD). Or it would require credit institutions to diversify in the field of IT servicing. Neither is an option.

Therefore we propose to clarify the wording of no. 25 in order to make sure that a service provider needs a licence only insofar as the service it performs for the institution is in itself a licensable activity or service:

“25. Without prejudice to the requirements within Title III, institutions and payment institutions should ensure that the performance of banking activities or payment services that requires authorisation or registration by a competent authority in the Member State where they are authorised is only fully outsourced to a service provider located in the same Member State or another Member State, if one of the following conditions is met:

a. the service provider is authorised or registered by a competent authority to perform such banking activities or payment services; or

b. the service provider is otherwise allowed to carry out those services or activities in accordance with the relevant national legal framework.”

Title II no. 26 should be amended accordingly.

(2) Customer Relationship

It should be clear that a service provider acts under the full responsibility of the institution. The service provider either has no direct contact to clients, or it acts in the name and for the account of the institution. Therefore, it cannot be deemed to perform banking activities or payment services itself to the end customers. The institution holds the licence and is the fully responsible contract partner to the customers, and cannot delegate its responsibility to the service provider.

Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?

We think that the requirements in Section 4 are somewhat over-engineered. Especially, it is not necessary to rephrase documentation already made under other Sections of the guidelines and include it in the policy. The policy should be an overarching, more principle-based document laying down the policies of the institution as regards outsourcing. It should not be diluted by including / recycling / rephrasing the documentation made otherwise for individual cases of outsourcing.

E. g. the requirement to include the ongoing assessment of the service provider’s performance in the outsourcing policy leads to inflating and too frequently amending the policy. Or in other words, the operational initial and/or day-to-day implementation of outsourcing agreements should not be included. The operational implementation is not a “policy”. It should be documented exclusively according to other Sections of the guidelines.

Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?

Depending on how the definition of critical or important functions is implemented, the requirement of Section 6 no. 40 to periodically test business contingency plans can be disproportionate. In the great majority of individual cases, such testing exercises are very costly and will prove to be disproportionate as compared to the materiality of the outsourcing. Regular assessments of the viability of the contingency planning should suffice in most cases even of critical or important functions. Therefore, we propose to align the degree of materiality of the outsourced function with the requirement of business continuity testing. Institutions should be able to refrain from testing, and instead resort to assessing, business continuity where a testing exercise would be disproportionately costly and therefore not economically sound.

Section 7 no. 44 (d) should be deleted. Service providers typically are not required to assess their risk appetite and manage their risks in a way comparable to credit institutions in line with CRD and CRR. Because of this, it will be practically impossible for internal audit to assess the service provider’s risk appetite and risk management due to the lack of documentation.

Q6: Are the guidelines in Section 8 regarding the documentation requirements appropriate and sufficiently clear?

Section 8 no. 47 (c) (viii) is unclear as to whether the term time-critical refers to the urgency of the respective task being outsourced or the urgency to find alternative solutions in case the service provider does not perform adequately or fails.

Q7: Are the guidelines in Section 9.1 regarding the assessment of criticality or importance of functions appropriate and sufficiently clear?

The criteria to assess critical or important functions are not clear enough.

Section 9.1 no. 49 (b) is unclear because the term “operational task” is not adequately defined. At the end of the day, the current wording would leave so much leeway for interpretation that nearly every outsourcing could be deemed critical or important. In our opinion, the outsourcing of an operational task (whatever that exactly means) should only be regarded as critical or important if the criteria in no. 49 (a) and no. 51 are met. Therefore, they do not need to be included in (b), as the important ones are already covered by (a).

Section 9.1 no. 49 (c) is also unclear. First of all, in the banking field, outsourced activities will always remain under the full contractual and supervisory responsibility of the institution and the outsourced task is conducted in the name of the institution. The service provider will never be able to enter into a contract with an end customer. Therefore, the service provider will not come under licensing requirements for doing business with end customers. Also, it will not conduct banking services for the institution, because it will neither grant credit to nor take deposits from the institution. Section 9.1 no. 49 (c) only makes sense where the outsourcing results in the provision of a licensable service by the service provider to the institution, e. g. portfolio management. Section 9.1 no. 49 (c) should be amended in order to clarify this.

Section 9.1 no. 50 is not practical and should be deleted. Such particular attention besides the assessment pursuant to no. 49 (a) and no. 51 is not necessary. Especially sentence 2 of no. 50 would lead to every outsourcing being deemed critical. The description of “services relating to core business lines and critical functions” covers even the tiniest tasks. To assign these to the group of critical or important is clearly disproportionate.

Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?

n.a.

Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?

n.a.

Q10: Are the guidelines in Section 10 regarding the contractual phase appropriate and sufficiently clear; do the proposals relating to the exercise of access and audit rights give rise to any potential significant legal or practical challenges for institutions and payment institutions?

Section 10.1 no. 66 cannot be implemented in practice and should be deleted. The compliance of sub-contractors with applicable laws etc. can and will be safeguarded by the service provider monitoring and overseeing its services in accordance with no. 65 (c) and more specifically no. 67. The audit should be indirectly carried out by way of auditing the service provider’s activities and documentation as well as the performance data regarding the sub-contractor.

Likewise, Section 10.3 no. 75 (f) should be deleted. In the case of pooled audits that comply with no. 75 (a)-(e) and no. 80, it is overly bureaucratic and not contractually conceivable to retain the right to perform individual audits in the way stated by the draft.

The requirements of Section 10.4 no. 82 should only be made subject to their appropriateness, feasibility or meaningfulness. Otherwise, they could be too burdensome in some individual cases, or spare in others.

Q12: Are the guidelines in Section 12 regarding exit strategies appropriate and sufficiently clear?

The requirements set out under Section 12 must be clearly understood to be without prejudice to resolution planning, which might require specific action.

Second, the principle of proportionality is of utmost importance as regards this Section. It should only be applied to really critical or important functions. These requirements are one of the factors why the definition of criticality and importance should be clear and avoid outsourcing of minor importance becoming subject to Section 12, because that would be overdone in many aspects. We refer to our proposal for defining criticality and importance under Question 1 (1) and Question 7.

Third, the requirements under Sec. 12 no. 90 should not be applied to situations of intra-group outsourcing. In these situations, circumstances of the individual case might determine that the exit from an outsourcing is not possible at the discretion of the outsourcing subsidiary, because that would conflict with a group outsourcing policy and group governance and operational planning. Subsidiaries are in no position to oppose, if the carrying out of functions centrally at one group entity or service provider is decided on at the group level. Supervisors should, in the event that an outsourcing situation of this kind becomes defective, resort to other measures at their discretion and at their disposal at arm’s length, such as suitable measures against the group.

Q13: Are the guidelines in Section 13 appropriate and sufficiently clear; in particular, are there any ways of limiting the information in the register which institutions and payment institutions are required to provide to competent authorities to make it more proportionate and relevant? With a view to bring sufficient proportionality, the EBA will consider the supervisory relevance and value of a register covering all outsourcing arrangements within each SREP cycle or at least every 3 years in regard of the operational and administrative burden.

The new obligation to inform the supervisor about the outsourcing of critical or important functions in advance leads to an unnecessary bureaucratic burden for supervisors, institutions and service providers. This notification obligation should be deleted. Risks arising from the outsourcing of critical or important functions are handled via an adequate risk management. A notification does not bring any additional benefit, neither for the supervisor nor for the institution.

Q16: Are the findings and conclusions of the impact assessments appropriate and correct; where you would see additional burden, in particular financial costs, please provide a description of the burden and to the extent possible an estimate of the cost to implement the guidelines, differentiating one-off and ongoing costs and the cost drivers (e.g. human resources, IT, administrative costs, etc.)?

We were disappointed with the cost-benefit analysis, because it has various shortcomings. Let us briefly summarise:

• The whole cost-benefit analysis does not quantify or at least estimate any cost items that might be triggered. It fails to provide or quantify any benefit items as well. How will EBA analyse costs and benefits in a cost-benefit analysis with total disregard of quantifiable amounts of costs and benefits that are relevant? The relevant items are
  - one-off implementation costs, ongoing operational costs for institutions, authorities and markets, and
  - one-off implementation benefits, ongoing benefits for institutions, authorities and markets.

• The policy objectives of the CP are not evaluated, but defined beforehand (see Section B. of the analysis). That is, the “option not to act” is neither analyzed nor seriously taken into account.

• Policy options are discussed that really are no options, e. g. restricting the scope of applicability to credit institutions or deviating from the statutory definition of outsourcing. (Clearly, neither is an option, because the legislation has to be accepted as is.)

• Due to the lack of any calculation of costs and benefits, the assessment partly resorts to the discussion of public sentiment or political agenda, e. g. under point D. (4) of the analysis (“desirable because of consumer protection aspects”). This is not methodologically sound.

Please let us explain why all this is important. The cost-benefit analysis would be the means by which to assess with diligence whether the benefits of a given supervisory measure outweigh the costs, because if the costs outweigh the benefits, the “option not to act” is preferable for the financial system.

EBA should actively safeguard and encourage that the marginal benefits of additional regulation measures for the financial system are never zero or negative. In an EU-wide situation where profit margins of institutions erode and this increasingly weakens the whole financial system by weakening the solvency of institutions, further regulatory costs that are not demonstrably outweighed by specified benefits should be avoided.

In order to achieve that, these costs and potential benefits have to be quantified with care, in order to be able to measure and compare the outcome on the cost and on the benefit side. If the costs outweigh the benefits, the respective policy options should be altered accordingly.

In all, the level of analysis in the CP suggests that to date, EBA seems to lack internal guidance on how to conduct a cost-benefit analysis. This is a shortcoming that should be addressed immediately in order to meet the requirements and demands of legislators and policymakers.

We therefore propose that such internal guidance should include the following parts of a cost-benefit analysis:
• disclosing all policy objectives and options, including the “option not to act”, for each policy option, respectively,
• determining and quantifying (if no data available, plausibly estimating) both one-off implementation costs and ongoing operational costs for institutions, authorities and markets,
• determining and quantifying (if no data available, plausibly estimating) both one-off implementation benefits and ongoing benefits for institutions, authorities and markets,
• assessment for each policy option whether benefits demonstrably outweigh the costs,
• altering or giving up policy options where benefits do not demonstrably outweigh the costs.

Name of organisation

Association of Foreign Banks in Germany (Verband der Auslandsbanken in Deutschland)