DBG considers the draft EBA guidelines as being in general sufficiently clear with regard to the application on a solo level. However, we are missing clarity regarding the potential application to financial institutions (including financial holding companies) and ancillary service undertakings in the context of consolidated supervision. Outsourcing can only occur by a legal entity and as such, any outsourcing agreement on the use of third party services can never occur on a consolidated or sub-consolidated level but only on companies being part of a group of consolidated companies (being under consolidated supervision). Moreover, financial institutions and ancillary services undertakings do not themselves perform services regulated by the financial services legislation in scope of the EBA guidelines. As such, more clarity is needed on how such companies may be affected on a solo basis by the EBA guidelines. Deviating from this, we do agree that the use of third parties for regulatory required activities, which are necessary on a group level (certain control functions like Internal Audit, Risk, Compliance, Remuneration Strategy, etc.) and that are outsourced by the superordinate financial holding company, are in scope of the EBA guideline.
It is important to note that any service, process or activity performed on group level, e.g. by a central unit, either on a mandatory or optional basis, should not be deemed “outsourcing” in our view. Where institutions or payment institutions are explicitly allowed to delegate the function of e.g. an AML officer or a Compliance Officer on group level, it should not fall within the scope of outsourcing. Finally, while outsourcing agreements cannot be contracted on a consolidated level, a group-wide harmonised approach consisting of, among others, a group-wide strategy and policy on the use of third party services and in particular outsourcing, is of course possible and common. However, it needs to be clear what is meant by referring to the application on a consolidated or sub-consolidated level.
Moreover, we consider the definition of outsourcing given and the transitional provisions as not fully appropriate or sufficiently clear. Part of the necessary definitions related to “outsourcing” are additionally given in paragraph 23, and a definition of “outsourcing arrangement” may be worth adding.
Furthermore, the scope is limited to “outsourcing” and does not refer to any other use of third party services, while nevertheless certain provisions (e.g. paragraphs 24 and 57) also refer to the applicability of certain provisions to third party services that are not within the definition of “outsourcing”. As such, we recommend clarifying the application of the guideline to “other third party services” already in Section 2, Subsection “Subject matter”, possibly with a clear reference to the applicable paragraphs (see also our comments below on paragraphs 24 and 57).
More specifically, we have comments on selected paragraphs as follows:
The wording of paragraph 5 should be (i) consistent with the definition of “outsourcing” and should also (ii) clearly cover any third party service, as follows:
“… when by an arrangement of any form processes, services or activities are performed by a third party and in particular if the use of third parties for such processes, services or activities is regarded as an outsourcing as defined in this guideline and even more specific in case the outsourcing is related to critical and important functions.”
In order to specify which provisions of the EBA guidelines should also apply to “other third party services” a new paragraph should be added to address this by moving paragraph 57 after paragraph 6 (as a new paragraph 6a). In addition, paragraph 24 can be taken out in our view.
As stated in the introductory part of our answer to this question, the full rule set on outsourcing cannot be applied on a consolidated level in the same manner as it applies to any institution or payment institution on a solo level. While policies, general principles etc. may be imposed in a harmonised manner on groups (subject to conformity with national law, in particular of third countries), applicability to individual agreements will always be on a solo level only and should only apply to institutions and payment institutions and, in exceptional cases, to financial holding companies. In order to include the consolidated application as requested by Article 109 of Directive 2013/36/EU more precisely, the text could be changed as follows:
“… should also comply with these guidelines on a solo basis. In addition, any mandatory process, service or activity being necessary for groups under consolidated supervision as set out in Article 21, and Articles 108 to 110 of Directive 2013/36/EU on a consolidated or sub-consolidated level falls within the scope of this guideline irrespective of whether it is mandatory for any institution or a financial holding company of the group. To the extent possible under national law, the guiding principles of this guideline should be applicable in a harmonised manner to all institutions and payment institutions in scope of a consolidated or sub-consolidated basis. As ancillary service undertakings and financial institutions do not perform regulated activities in scope of this guideline on their own, unless they are responsible for performing mandatory processes, services or activities for consolidated supervision purposes, the applicability of this guideline is limited to general principles and the application of paragraph 6a.”
As outlined under points 14 and 17 of the background section in the consultative document, the objective of the update of the EBA guidelines is to remain consistent with other (current) requirements, among others, with Directive 2014/65/EU (MiFID II) and Commission Delegated Regulation (EU) 2017/565 specifying MiFID II.
Article 2 (3) of Commission Delegated Regulation (EU) 2017/565 defines ‘outsourcing’ as the performance of a process, service or activity by a service provider otherwise conducted by the respective entity itself. The CEBS Guidelines on Outsourcing of 14 December 2006 use a similar definition but refer to services “normally” performed by the outsourcing entity (corresponding to paragraph 23 of the draft EBA guidelines). In our view, the respective change of the wording further increases the uncertainty of the definition.
We consider the definition for the purpose of the EBA guidelines as inappropriate and too broad, as it does not relate to the institution’s or payment institution’s core business (whereas we assume that the term “normally” is meant to point exactly to this) and therefore encompasses any activity the institution or payment institution could theoretically perform itself. Following this, even activities clearly not to be regarded as outsourcing when performed by a third party (e.g. those outlined under paragraph 23 of the draft EBA guidelines) are included within the definition provided. If not provided by a third party, even a canteen could “otherwise” be operated by the institution or payment institution itself. The definition at hand therefore contradicts EBA’s intended scope of outsourcing, as expressed in the consultative document, as well as the industry’s general understanding of what is to be considered outsourcing. In order to enhance supervisory convergence and avoid potential misinterpretations and inconsistencies, we strongly request to amend the definition to account for an appropriate treatment of the varying natures of third party arrangements.
An appropriate reference to the institution’s and payment institution’s (core) business activities within the definition is crucial to ensure a consistent interpretation and application in order to reach the EBA guidelines’ objectives of consistency and appropriateness.
The definition of outsourcing used within the draft EBA guidelines slightly deviates from the definition used in Article 2 (3) of Commission Delegated Regulation (EU) 2017/565 as it adds “or parts thereof”. We are of the opinion that the reference to processes, services and activities within the definition already provides a very detailed level, such that appending “or parts thereof” is not adding substance. We kindly ask the EBA to take this out in order to be aligned with the MiFID II terminology where possible.
Against the background of the aforementioned remarks, we ask EBA to consider amending the definition as follows:
“Outsourcing means an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity, which is needed to perform or control the regulated activity for which the institution, the payment institution or the electronic money institution is authorised or which is required by the underlying legislative text to be performed as a consequence of being authorised and would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself. In addition, also processes, services or activities that relate to mandatory functions to be performed within a group or sub-group being under consolidated supervision and which are performed by a third party are to be regarded as outsourcing.”
In order to align the wording with the terms used within the definition of “outsourcing” as well as those already provided under paragraph 11, we have included the term “function” within our suggested definition above. It is our understanding that the term “function” has been defined and used within the EBA draft guidelines in order to segregate “critical or important functions” from other functions. We are of the opinion that single processes, services or activities do not, as a general rule, constitute a function in the targeted sense. This is particularly true for “parts thereof”.
We therefore strongly recommend (i) removing the term “…or parts thereof” in line with our arguments above and (ii) rephrasing the definition provided under paragraph 11 as follows:
“Function – means any bundle of one or more processes, services or activities.”
We believe that such a definition is more convenient to capture the aspect that a “function” is generally a multitude of elements, i.e. more than one.
The draft EBA guideline also defines critical or important functions with a reference to include “any operational tasks performed by the internal control functions.”
Within the definition of “critical or important function” provided, the term “task” seems unclear and should possibly be rephrased similarly to “function”. Furthermore, it is unclear to us whether, according to the term “task” in combination with “any”, any relationship to control functions automatically constitutes a “critical or important function”, or whether tasks of control functions outsourced to third parties shall be assessed on whether or not they are to be considered critical or important (paragraph 49 is clear in this regard, see our comments there). For the latter case, we deem this as not being necessary, in particular when considering the definition as proposed by us above. For the former case, we clearly reject considering any task as critical or important merely because it relates to a control function. As such, we kindly ask EBA to remove the term “including any operational tasks performed by the internal control functions”.
In case our proposal is not followed, the above mentioned part would need substantial clarification:
• It is unclear what is meant by “operational” in this sense.
• Furthermore, it is unclear what the intention of referring to parts of the control functions’ tasks is. This indicates either that other tasks of a more strategic nature cannot be outsourced, while there is no such reference in the draft EBA guidelines (other than related to those activities which are by regulation reserved to the management), or that other, non-operational tasks would not classify as “critical or important” per se. In this context, we also refer to our comments on paragraph 31 below.
• Related to the term “performed by the internal control function”, it is not clear whether that refers to tasks performed internally by the institution’s own control functions or to control tasks to be performed by internal control functions but which are outsourced to third parties.
Consequently, the final EBA guidelines should reconsider the approach and/or wording of the definition of “critical or important functions”. The respective definition needs to be appropriately interlinked with paragraph 49.
The draft EBA guidelines indicate 30 June 2019 as the date of application. Depending on the concrete service, function or activity to be outsourced, negotiations with service providers on the legal and business terms of a contract can take more than 12 months. As such, negotiations on third party agreements may already be in process at the date of publication of the final EBA guideline and major renegotiations may be necessary. In addition, the outsourcing framework needs to be updated in order to apply to such revised outsourcings, which also might require substantial amendments. Consequently, we feel that the date of application should be at least 12 months after the EBA guidelines have been published.
According to para. 13, “documentation” of existing outsourcing arrangements in line with the EBA guidelines shall be completed with the next renewal but no later than by 31 December 2020. We kindly ask EBA to provide clarification on the term “documentation” used, and whether the term used refers to Section 8 “Documentation requirements” of Title III of the draft EBA guidelines or rather to the entire set of applicable requirements arising from the EBA guidelines.
As outlined in our comment to paragraph 12, renegotiations of contracts and adaptations of the outsourcing framework including its application will take time. Changing the existing framework applicable to multiple contracts and updating contracts with providers in multiple jurisdictions will take even longer than just adjusting the approach to targeted new outsourcings. As such, we assume a period of at least 18, better 24 months, as being necessary, especially for larger institutions and in particular for groups in scope of the EBA guidelines. As peculiar items may need even longer to be adjusted, competent authorities should have the possibility to allow for a longer transitional period on a well-reasoned case-by-case basis. Particular account should be taken of Brexit, which constitutes an exemplary case of a difficult situation to be handled in parallel.
While DBG supports the principle of proportionality being considered when applying the EBA guidelines, we are of the opinion that further clarification is required on the application of the proportionality criteria outlined under Title 1 of the EBA Guidelines on Internal Governance of 26 September 2017. In particular, the requirements already in various places list only minimum criteria (“at least”), which indicates that these are to be fulfilled in any case and that the principle of proportionality cannot reduce them but may only be respected with regard to potentially even further elements. As such, the respective sections (see our general comments under Part B of this document) need to be rephrased in order to account for proportionality in a more appropriate manner. Furthermore, we are of the opinion that the requirements on intra-group outsourcing require further amendments as they do not consider all relevant aspects in an adequate manner.
When applying the principle of proportionality, institutions and competent authorities shall consider the criteria as outlined in Title 1 of the EBA Guidelines on Internal Governance. While we generally deem the criteria appropriate to assess the suitability of the internal governance structure of an institution compared to its complexity and size, we are of the opinion that those criteria are less suitable to assess outsourcing arrangements and related structures, as the mere size or complexity of an institution does not necessarily provide insight into the complexity and scope of the institution’s outsourcing.
In order to enable institutions and competent authorities to orderly assess proportionality, we ask EBA to provide further clarification on the application of the criteria listed in Title 1 of the EBA Guidelines on Internal Governance, not just by referring to how proportionality can be determined but also on how this results in a reduced application of the EBA guidelines themselves. This is currently, in our view, generally missing. The reference in paragraph 24 is not sufficient in our view.
Para. 17 - 18
As outlined in our response to Question 1, non-regulated entities of a group being under consolidated supervision do not perform services which require authorisation. As such, the applicability of the full EBA guideline to such undertakings is not meaningful and also not imposed by Article 109 (1) of Directive 2013/36/EU. We therefore request EBA to refine paragraph 17 in this regard. We see paragraph 18 in this context as much better balanced.
Para. 19 – 21
Intra-group outsourcings are widely used as they allow for (i) an efficient allocation of resources, e.g. when supplying centralised functions on group level and (ii) the realisation of economies of scale.
The enforcement of outsourcing rules and regulations along the outsourcing chain can be much more powerful and effectively executed within a group than in the case of a third party service provider outside such groups. Effectiveness of those intra-group structures can be ensured irrespective of the country of service performance and irrespective of whether the service provider falls within the scope of the same consolidated supervision. In general, under due consideration of the specifics of single group entities, the same standards and policies apply and there is a high likelihood of a common control framework. Further, a reasonable degree of management integration exists and common committees are often in place to steer the business and control activities.
In particular, we miss consideration of aspects of group-wide recovery and resolution plans, which clearly capture intra-group outsourcings in a dedicated manner. Capturing risks and additional outsourcing controls in a group context also needs to explicitly recognise the principle of proportionality. Consequently, those aspects need to be reflected more appropriately, especially with regard to the requirements on due diligence (Section 9.2), concentration risk (para. 59) and exit strategies (Section 12), where we challenge the application in general and ask the EBA to consider dropping these requirements for intra-group outsourcings. They are certainly of less relevance or even inappropriate in such a context. Please refer to our answers to the respective questions covering due diligence, concentration risk and exit strategies further below.
Within the context of the required provision of an individual institution’s register in case a group-wide register is maintained, the term “without undue delay” is used in paragraph 19 lit. b, while in paragraphs 46 and 93 the term “in a timely manner” is used. We kindly ask EBA to align the wording or provide sufficient explanation of the difference between those terms.
The name of Title II “Outsourcing arrangements” is misleading and does not fit the content of the title in our view. The title can be misread as “outsourcing contracts”, which does not seem to be the envisaged content. The content of the title comprises various elements, which cover
(i) Elements of a procedural nature to identify whether or not a particular service, being performed by a third party, is deemed outsourcing (paragraph 22),
(ii) Elements of a procedural nature on risk assessment (only a reference to other parts of the EBA guideline in paragraph 24, which we consider redundant and ask for its removal),
(iii) Elements to clarify the definition of outsourcing (paragraph 23),
(iv) Limitations on outsourcing of regulated activities (paragraphs 25 – 26).
We deem it more appropriate to rename the title to “Title II – Identification of Outsourcing arrangements” and to delete paragraph 24 (see also our general comments under Section B of this document).
Following our comments on the definition of outsourcing provided (paragraph 11), the content of Title II should therefore be more of a procedural nature and provide for some additional generic guidance to operationalise the definition, while not putting forward particular examples (e.g. “advice of an architect”).
Moreover, we are of the opinion that a clear and appropriate distinction of requirements applicable to (i) all third party arrangements, (ii) non-critical and non-important outsourcing arrangements as well as (iii) critical or important outsourcing arrangements is of utmost importance. Particularly the application of requirements clearly designed for critical or important outsourcing to less risky arrangements is inappropriate. As such, the introduction of paragraph 6a as proposed by us under Question 1 would mainly cover (i), while the distinction between (ii) and (iii) needs further amendments of the EBA draft guidelines.
The first sentence is (i) referring to the need to differentiate, for third party services, between outsourcing and non-outsourcing and (ii) to “establish”, for outsourcings only, whether they are to be classified as “a critical or important function” or not. The second sentence of the paragraph is unclear to us in various regards. It refers to “the assessment” and it is unclear whether both steps are meant or only the second one. Therefore, the language should be precise in the reference. We assume that reference is only made to the second step.
Moreover, referring to the definition of outsourcing, the second sentence is also unclear in relation to the terms “otherwise” or “normally” (as per paragraph 23 of the EBA draft guidelines). We therefore recommend splitting the paragraph and including the intended content (at least as we understood it) into a separate paragraph dedicated to explain outsourcing in more detail (see our comments on paragraph 23 below).
Finally, we deem the term “function” as not entirely appropriate in referring to outsourcing, as the definition of outsourcing stems from processes, services and activities (or even parts thereof), which is much more granular than a function. We also consider that the term here is not used as defined in paragraph 11. As such, the paragraph needs to distinguish whether such analysis should be performed only if a whole function is outsourced or whether the analysis shall be conducted even if only parts of it (i.e. certain processes, services or activities) are outsourced. We propose to reword the remaining first sentence as follows:
“Institutions and payment institutions should assess whether an arrangement with a third party falls under the definition of outsourcing and, if so, whether the outsourced processes, services or activities are to be regarded as an outsourcing of a critical or important function in accordance with Section 9.1 of the guidelines.”
As stated in Section B of this document, we disagree with the approach taken for the definition of “outsourcing” implemented via paragraph 11 and the specifications in paragraph 23. In particular, we disagree with the content of paragraph 23. We refer back to our proposal to rephrase the definition in our answer to Question 1.
Based on our proposal for a revised definition in paragraph 11 (see above), we are of the opinion that certain third party services are clearly excluded from the definition. Furthermore, the definition is limited to “processes, services or activities”, which excludes by definition the acquisition (purchase) of tangible and intangible goods as well as any agreement which allows usage of tangible or intangible goods (licences, rent, leasing). Furthermore, activities which are either to be performed by undertakings with a different authorisation, explicitly excluded from the institution’s or payment institution’s own authorisation, or for which the service provider has a dedicated authorisation, should not be regarded as outsourcing. In particular, we consider that our proposed amendments to paragraph 11 define precisely what could be meant by “normally”, such that the term is no longer required in paragraph 23.
As such, we propose to phrase paragraph 23 as follows:
“23. In order to assess whether an arrangement by which a process, service or activity is performed by a third party falls under the definition of outsourcing, the following guiding principles apply:
(i) General advice and one-time services are not regarded as being outsourcing;
(ii) The use of temporary staff and similar arrangements by which a natural person owes his or her work to the institution or payment institution under the direction of the institution’s or payment institution’s management is regarded as being equal to own activities and therefore is not a third party service;
(iii) The use of third parties for processes, services or activities for which these parties are specifically authorised or recognised under EU financial services legislation or the national law of the home member state of the institution or payment institution is not regarded as outsourcing;
(iv) The use of third parties for processes, services or activities which are excluded from the institution’s own authorisation is not regarded as outsourcing;
(v) The use of third parties to perform standard services which always require a second party, like correspondent banking, interbank transactions, custody or the use of central banks, is not regarded as outsourcing.
For the avoidance of doubt, the pure acquisition of tangible and intangible goods including utilities (e.g. electricity, gas, water, telephone line) is not deemed to be a process, service or activity. Furthermore, any third party service is to be assessed as to whether it falls in scope of the outsourcing definition, irrespective of whether the institution or the payment institution has performed that process, service or activity in the past or would be able to perform it by itself.”
In addition to the proposal above, we oppose the inclusion of any kind of software development (irrespective of the kind of underlying arrangement) and any support related to standard software in general. As this may be a controversial point, we have not yet included this in our proposal above. Generally, we consider our proposal as in line with the industry’s perception and hence additionally refer to the reply of the European Banking Federation (EBF) to the consultation for similar views.
Paragraph 24 requires the assessment of risks of all arrangements with third parties, including those specifically excluded from the scope of outsourcing according to paragraph 23, under consideration of selected requirements on due diligence (paragraph 53) and in line with the full risk assessment of outsourcing arrangements as outlined under Section 9.3. As stated above, any applicability of the guideline to non-outsourcing arrangements is not included in the EBA guidelines in an appropriate manner. Under consideration of our proposal above to move paragraph 57 as new paragraph 6a and our comments on Title IV below, we recommend deleting paragraph 24 completely.
In case our recommendation is not followed, a clear distinction of what is necessary for outsourcing and what applies to other third party services should be supplemented. For the latter, only paragraph 57 of Section 9.3 should apply, as all other paragraphs of that section in our view apply to outsourcing only. Even for outsourcings not qualified as “critical or important functions”, proportionality is necessary. As such, we recommend phrasing this concretely in the respective paragraphs rather than listing it in paragraph 24 in a generic manner only.
Para. 25 / 26
To our best understanding and in line with the general underlying sentiment of the EBA guidelines, the consultative document and the accompanying documents (Part 5.1, Section D 7 of the consultative document), the institution / payment institution remains responsible for the performance of the authorised business towards its clients. As such, to our understanding the use of a third party service provider can only be related to the operations, advice etc. of the institution but cannot result in an outsourcing of the regulated service per se. Consequently, we do not understand the need for paragraphs 25 and 26, which assume such an outsourcing. As such, EBA needs to reconsider the approach per se.
Having said this, we fail to understand the text and its intention, as the proposal only seems appropriate in case of a complete outsourcing of licensable activities, which (as stated above) is prohibited in any case as the relationship between an institution or payment institution and its clients cannot be transferred to a third party. However, outsourcing typically covers mid-/back office and operating functions or IT services that merely constitute specific elements of the provision of licensable services by the outsourcing institution itself. In these cases, to our best understanding, the service provider does not incur an authorisation requirement under EU financial services legislation on its own, either because it does not assume all relevant elements of the licensable activity and/or does not perform client-facing activities. Against this background, we ask EBA to clarify the purpose of the provisions and sharpen the text substantially.
In general, the guidelines in Section 4 are clear and appropriate. However, some items need clarification and adjustments.
Paragraph 31 lit c. refers to the outsourcing of “operational tasks” of internal control functions and adds a comment that this might occur within, for example, a group context.
This could be read to mean that (i) only operational tasks can be outsourced and (ii) this may only be possible in a group context. However, no limitation is imposed as long as the mandatory elements of senior management or management body responsibility are kept. Against this background, we kindly ask to delete “operational” as well as the explanatory term in brackets.
In case dedicated limitations are targeted, EBA should explicitly state this and give a good reasoning as well as a legal basis. The alternative reading that non-operational tasks are not to be considered “critical or important” per se seems odd and inappropriate. Having said this, the intention is unclear and needs further clarification (we also refer to our comments related to the definition of “critical or important functions” in paragraph 11 and our comments related to paragraph 49).
Paragraph 32 lists several criteria to be fulfilled at a minimum (“at least”) without giving credit to proportionality. Although we generally agree with all but lit. g, we ask EBA to consider adding a specific element of proportionality (which could be included in the introductory sentence).
We object to lit. g in the context of intra-group outsourcings, understood as companies in scope of consolidation under the terms of the Accounting Directive (2013/34/EU). As such, we suggest adding a provision specifying that in the context of intra-group outsourcings a plan to secure continuous operations is to be maintained instead.
In addition, we miss a link to the recovery plan – where applicable – for the whole paragraph.
Paragraph 34 lists an exhaustive number of minimum requirements while not accounting for proportionality. If the majority of elements might be needed anyway where applicable, it should be made clear that no proportionality can apply. Otherwise, some opening clauses for proportionality should be included.
Furthermore, the paragraph also lists procedures as part of the policy (paragraph 34, lit. b, No. v). In our view, procedures accompanying policies are, in the narrow sense, not part of the general outsourcing policy. While we generally agree that policies require appropriate management approval, the approval and maintenance of procedures in general may be delegated to the operationally responsible units. As such, we kindly ask EBA to consider shifting the requirements on procedures (“The policy should be accompanied by adequate procedures dealing at least with …”) to a last paragraph of the section on Outsourcing Policy.
Not all elements of paragraph 35 may be relevant for all institutions. As such and in order to reflect proportionality, we clearly recommend to add a “where relevant” within the introductory sentence of paragraph 35.
In our view, the guidelines on conflicts of interest, business continuity plans and the internal audit function are sufficiently clear, except for the term “material conflict” used. Further, the guidelines do not account for specifics such as profit and loss transfer agreements.
The requirement to set financial conditions for outsourced services at arm’s length in a group context is not expedient in the case of, e.g., profit and loss transfer agreements between an (insourcing) parent company and an (outsourcing) subsidiary. While we support the idea of having appropriate financial conditions, e.g. reasonably priced service agreements, also within a group context, we ask EBA to account for the aforementioned and to consider amending the requirement or providing additional clarification respectively.
Moreover, paragraph 38 requires the management of “material conflicts of interest” potentially arising from outsourcing agreements. We kindly ask the EBA to clarify what is to be considered a material conflict of interest.
We consider the documentation requirements under Section 8 as generally clear, but considerably too broad. We deem several requirements by far too exhaustive and prescriptive and regard them as not catering for the principle of proportionality. In addition, some requirements seem inadequate in the context of intra-group outsourcing and should therefore be reduced. Paragraph 46 refers to outsourcing only, and we therefore want to stress that this limitation (i.e. non-applicability to other third party arrangements) is clearly necessary and intended.
The whole list of elements is phrased as a mandatory list of minimum requirements (“at least”). We regard some elements of the list as unnecessary, while we deem other elements inappropriate in consideration of proportionality aspects. As such, the introductory part needs to be changed in order to reflect the aforementioned. We suggest adjusting the wording of paragraph 47 to “should include the following information for all existing outsourcing arrangements taking the principle of proportionality into account” instead of requiring them “at least”.
The requirements related to the information to be kept on service providers as required by paragraph 47 lit. b are by far too prescriptive and, in our view, to a certain extent dispensable:
• A LEI or registration number does not add value in an outsourcing context;
• The parent company is not information we deem necessary to collect on a mandatory basis;
• The value of storing address information for outsourcing purposes is at least questionable. As such, we would limit the information to be stored to the name and country of registration as well as the points listed in iv. to vi.
If it is deemed useful to name further elements as potential information to be stored, a paragraph could be added saying “in addition, the following information may be considered to be stored …”.
Following the aforementioned comment, we are even more concerned about the minimum requirements on the outsourcing of critical or important functions as listed in paragraph 47 lit. c.
Similarly to our comment on paragraph 47 lit. b above, we are of the opinion that the introductory sentence should not be formulated as a minimum requirement (“at least”) but as a guideline considering the principle of proportionality in an appropriate manner. Some items should be optional in the database, as they burden the management database through increasing complexity. It has to be noted that some information may only be available on an aggregated basis (e.g. charges for a number of services or service bundles and not per service or even per activity). As such, the text of the introductory sentence should be adjusted as follows: “… should include where relevant and taking the principle of proportionality into account the …”
Further, we have comments on the dedicated requirements of paragraph 47 lit. c as follows:
v. Audits are scheduled according to the audit plan and may or may not be known to the auditee. The dates or intended timeframes are included in the audit documentation but should not be stored in the outsourcing database. We therefore propose to remove this documentation requirement at this place. If deemed necessary, a link to the audit documentation should be included in an appropriate manner as a separate paragraph (the same may be true for certain risk-related and other information).
vi. The requirements on the service provider’s suitability should not apply within a group context.
x. We consider the requirement to estimate yearly budget costs as overly burdensome. Budget processes are usually run independently from outsourcing, and they are often dealt with on a more aggregated level, as service providers frequently perform a bundle of different processes, services and activities.
It is our understanding that it will be the outsourcing institution or payment institution that exercises the choice given with regard to the use of the template in Annex 1 (note: the footnote refers to Annex X instead). We clearly support this interpretation, as it would also allow outsourcing institutions and payment institutions to develop their own templates or systems to meet the documentation requirements listed under Section 8 and to take into account reduced or additional content and adequate workflows.
The criteria provided need further adjustment in our view. We refer to our comment made on the definitions of “critical or important functions” and “functions” related to paragraph 11 above. Furthermore, we refer to our comments related to the restrictions on outsourcing and our open questions on the regulations as laid out in paragraphs 25 and 26 of the draft EBA guidelines. Finally, we clearly see some elements as overly burdensome and inadequate, and we are missing sufficient elements of the principle of proportionality.
Related to lit. b, we refer back to our comments made regarding paragraphs 11 and 31. As paragraph 49 lit. b is – different from the text of the definition in paragraph 11 – clear, we object even more strongly to the targeted approach. Even if we have some sympathy for considering the outsourcing of tasks allocated by regulation to internal control functions as generally more critical compared to operational functions, we disagree with qualifying each activity related to internal control functions as critical or important in the sense of the EBA guidelines. While we agree with qualifying all tasks related to internal control functions – irrespective of whether they are operational or not – which are performed by third parties based on adequate arrangements as outsourcing as defined in the EBA guidelines (as per our proposal), we disagree with the approach of paragraph 49. As for any other function performed by a third party, the outsourcing of tasks allocated to internal control functions should be assessed with regard to its impact. As such, we propose to delete lit. b but to add a paragraph iv. to lit. a as follows:
“iv. the ability to perform material tasks of the Internal Control Functions in a timely manner.”
Our proposal has two additional advantages: (i) it also relates to the outsourcing of tasks which are not related to internal control functions themselves but could cut internal control functions off from the ability to perform their duties in a material manner, and (ii) it also includes such tasks of internal control functions which are not of an operational nature but are material or time critical.
As already stated in relation to paragraphs 25 and 26, in our view the institution or payment institution is always responsible towards its clients for the performance of the regulated activities it is authorised for. As such, it is our firm understanding that these services, or even parts thereof, cannot be outsourced. A completely different matter is the outsourcing of a multitude of activities, services and processes needed to perform or control the authorised business or required as a consequence of the authorisation. As such, we do not share the EBA’s concept in this regard, as something that legislation prohibits from being outsourced does not require a detailed guideline. Consequently, we kindly ask to remove lit. c of paragraph 49.
According to paragraph 50, sentence 2, “Outsourcing arrangements regarding activities, processes or services relating to core business lines and critical functions should always be considered as critical or important for the purpose of these guidelines”. Outsourcing arrangements or other third party arrangements “relating to core business lines and critical functions” can contain pure support or operational services with limited or no risk for the performance of the respective core business lines or critical functions.
We therefore strongly request the deletion of the aforementioned sentence of paragraph 50, as such a broad definition of critical or important functions would dramatically increase the number of critical or important functions, even if the criteria for identifying critical or important functions stated in the remainder of Section 9.1 would not indicate such a classification. As a result, not only would proportionality be contradicted, but the aim of the guidelines to focus on risk would also be missed, while the operational burden for institutions and payment institutions would increase considerably. Following our comments on the operational tasks related to internal control functions, we consider the guidelines as too restrictive.
Similar to various other paragraphs, paragraph 51 does not capture proportionality in an appropriate manner. Again, the regulation requires a very prescriptive set of requirements as a minimum (“at least”), which in our view does not allow for a proportionate approach. In addition, the criteria listed go far beyond a reasonable approach.
Moreover, we have difficulties understanding the link between paragraphs 49 and 51. While we understand that paragraph 49 sets mandatory criteria which automatically qualify a function as “critical or important” if it is in scope of outsourcing, paragraph 51 lists similar items to be taken into account for such an assessment. We therefore urge the EBA to clarify the relationship between the two paragraphs.
We propose to rephrase it as follows:
“… should take into account criteria like the following based on the application of the principle of proportionality:”
Furthermore, some of the criteria need to be seen within their context, i.e. in combination with each other. For example, the mere fact of having limited or no substitutability in combination with an uncritical activity would in our view not lead to a classification as “critical or important” per se. Cloud solutions are currently only offered by very few providers in a regulatorily acceptable manner. For certain ancillary services in controls or operations, the use of a cloud solution would not classify as “critical or important” in our view. As such, EBA should also address the need to consider the aspects in conjunction with each other.
Finally, we are missing the case of being embedded in a group context as a potentially risk-reducing measure.
We disagree with some of the elements in content as follows:
Lit. a: It is unclear to us how the difference between a direct or indirect connection to the provision of banking or payment services (or investment services, as the case may be) is to be derived. As we propose to use this already for the differentiation of outsourcing from other third party services, we have doubts that this is a reliable criterion. There is a high likelihood that this would capture more or less the full scope of activities, in particular in combination with paragraph 50 as proposed by EBA.
Lit. c no. iii: We generally acknowledge the importance of an institution’s ability to audit, according to its audit methodology and based on its risk assessment, any function regardless of whether it is performed with own staff or by using a third party. This holds particularly true in the case of critical or important functions, however defined. Notwithstanding this, we do not see how the ability to perform audits shall be an indicator for assessing whether an outsourcing arrangement is critical or important, as the ability is to be given in any case. As such, the ability is a requirement and not a differentiating factor. The actual audit risk assessment and the need for, frequency and intensity of the performance of audits are, in addition, a consequence of assessing the outsourcing arrangement as critical or important. We therefore suggest deleting point iii. of paragraph 50 lit. c.
We disagree with paragraph 52 in its entirety. In our view, the necessary quantification is already requested in the analysis under paragraph 51. There is no need to repeat this and, consequently, the whole paragraph should be deleted. Moreover, as stated in our comments on paragraph 51, substitutability is not a criterion per se for deriving a function’s classification as “critical or important”. In due consideration of the aforementioned, if the paragraph is maintained, its applicability should be limited to those services which are deemed “critical or important” outsourcings.
Referring to our comments made on Questions 1 to 3, we are of the opinion that the guidelines on due diligence are neither appropriate for intra-group outsourcing arrangements nor for third party arrangements not considered outsourcing. It should be clarified (in paragraph 6a as proposed by us) to which extent they should apply, considering our concerns. The different wording in paragraph 53 (limited to critical and important functions only) and paragraphs 54 – 56 needs to be resolved, and a clear allocation of which items are required in which case (once again also considering proportionality) is required.
With regard to third party arrangements not considered outsourcing, we consider the application of the whole set of factors as overly burdensome compared to the risks posed by non-outsourcing arrangements to the institution or payment institution. We therefore suggest limiting the due diligence on non-outsourcing service providers to the service provider’s business model and financial situation. We clearly agree that paragraph 55 should be applicable anyway where relevant, but doubt that the EBA guidelines are the right place to remind institutions and payment institutions of what is in scope of data protection rules.
In addition, we seek clarification particularly on the requirements related to adherence to human rights, environmental protection and appropriate working conditions when performing due diligence on service providers. We regard this as clearly going beyond the EBA mandate and do not see an EBA guideline as the adequate place for such considerations.
When performing due diligence, benefits, including increased information and overarching control and enforcement mechanisms, as well as risk-related considerations should be taken into account appropriately. A thorough due diligence, including an analysis of the service provider’s capacity, its resources and operational structure, should only be conducted in the case of critical or important outsourcing arrangements with third parties not belonging to the same group.
Following the aforementioned comment, we suggest excluding intra-group outsourcing arrangements from the due diligence required under paragraph 54. Furthermore, the elements should not be applied mandatorily in their entirety but should rather be split into mandatory and optional ones.
Moreover, we seek clarification on how a service provider’s nature, scale and complexity shall provide information on the service provider’s ability and suitability to provide critical or important services, and we would further appreciate clarification on what to consider as a service provider’s “nature”.
As stated in our introductory remarks on Question 8, paragraph 56 should be limited to adherence to the code of conduct. As such, paragraph 56 should be limited to the first sentence, potentially accompanied by a supplement that this is particularly true in the case of a location in a third country.
Summing up our comments on Section 9.2 (due diligence), we recommend structuring the section in a way that items relevant for all third party services come first, followed by those requirements which are relevant for all outsourcings, and concluding with those elements which are only valid for critical or important outsourcings.
The requirements lack clarity on their applicability to outsourcing and other third party services (please refer to our comment on paragraph 24). In addition, we consider it appropriate to exclude intra-group arrangements from the assessment of concentration risks, as potential risks posed by affiliated companies can be mitigated through exclusive control, information and oversight structures not available in the case of third-party arrangements.
For the sake of clarity, paragraph 57 should be moved out of Section 9.3 and put in Section 1 (paragraph 6a as per our proposal in this document). This would already clarify that Section 9.3 only applies to outsourcings, which we assume to be the intention of EBA.
Referring to our comments on para. 18-21, we consider the assessment of concentration risk in intra-group arrangements as inappropriate, as it does not account for the specific risk-mitigating measures available when outsourcing to affiliated companies, among others group-wide control, information and oversight structures. We therefore ask to exclude intra-group outsourcing arrangements from the application of para. 59 lit. a. Moreover, we ask EBA to consider that assessing concentration risks is reasonably only possible on a portfolio basis and not on the level of single outsourcing agreements.
In our opinion, paragraph 61 does not account for proportionality in an appropriate manner and is by far too prescriptive. It should not be defined as a minimum set of requirements but should rather account for proportionality. We suggest rephrasing the ending of the introductory sentence to “… should as appropriate and proportionate …”. As our concerns relate mainly to the ongoing legal checks required under lit. d, a staggered approach making only lit. d non-mandatory may also be acceptable.
While we appreciate the clear structure of the guidelines in this Section, we seek clarification on several contractual specifications, as the phrasing of some paragraphs indicates inappropriate requirements, particularly related to sub-outsourcing.
As a general remark, we recommend renaming the section “contractual requirements” or similar, as the content sets requirements on the contract but is not related to a process or phase.
In order to apply the requirements on sub-outsourcing appropriately, we further ask EBA to specify what is to be considered sub-outsourcing. Particularly in the case of outsourcing IT infrastructures or related activities and functions, the respective service outsourced by the institution or payment institution to the IT service provider is often provided involving (support) services of affiliated entities at potentially different locations (states) and different legal entities related to each other. Provided that the respective processing locations and the legal entity performing (parts of) the service have been contractually agreed, we consider such a structure to be one outsourcing agreement. In case our understanding does not match EBA’s understanding, we kindly ask for further clarification.
Moreover, we consider the requirement of an institution’s or payment institution’s unrestricted audit and access rights for any outsourcing as far reaching and challenging for non-material services, and suggest limiting this to critical or important outsourcing only. Institutions and payment institutions should be free to decide, based on a risk assessment, whether reliance on third party certificates suffices to meet their obligation to exercise diligence. The EBA guidelines should allow institutions and payment institutions to suspend the general audit rights as far and as long as the agreed audit surrogates are reliable and delivered in a timely manner.
Moreover, if EBA does not follow our suggestion to exclude services performed under contractual arrangements by undertakings which have a particular authorisation or recognition under EU financial services law, limitations of audit rights for the use of such services should be considered. This is particularly true where regulation requires dedicated audits and the unqualified auditor’s statements are made available to the outsourcer.
Finally, the provisions of paragraphs 64 and 65 in particular are once more very demanding and prescriptive and should be reconsidered taking the principle of proportionality into account.
Referring to paragraph 63 lit. a, service descriptions in a multi-tenant structure (in particular relating to cloud services) are usually not included in the contractual agreement itself but refer to external sources instead (e.g. service descriptions on a website). We ask EBA to consider whether this approach is valid for standardised services that are offered to a multitude of customers.
Paragraph 63 lit. h requires an unrestricted right to audit and access the service provider, irrespective of whether the outsourcing is considered critical or important.
While we consider unrestricted rights to audit and access as generally reasonable, we are of the opinion that they are only of limited relevance for non-critical and non-important outsourcing arrangements, as the decision to perform an audit on third parties is based on a thorough assessment of the risks arising from the outsourcing relationship for the outsourcing institution or payment institution.
In due consideration of the relevance of unrestricted audit rights for non-critical and non-important outsourcing arrangements, as well as the time needed to negotiate such rights with service providers in certain cases, we propose to include alternative measures as a possible solution, to be specified further in Section 10.3.
Referring to paragraph 64 lit. d, we are of the opinion that the pricing algorithm should be included but not the financial obligation. Depending on the use, the total amount may vary. In addition, cost-sharing arrangements may also be applied, in particular in a group context. As such, the wording should be adjusted.
In addition to explicitly naming the outsourcing institution’s or payment institution’s final responsibility, paragraph 74 clearly excludes exclusive reliance on third party certifications and reports. We support the possibility of considering third party certifications and reports to assess service providers and argue that institutions and payment institutions should be explicitly allowed to decide independently, based on defined risk-related criteria, on the necessity, depth and scope of audits as well as on the performance of audits of third party providers.
We would further appreciate additional specification criteria on the execution of audit rights, particularly where the respective service provided by the third party requires a dedicated authorisation and is subject to supervision by national (competent) authorities. We generally support a risk-based approach in consideration of the risks arising from the respective outsourcing relationship, as is already the practice today. Having regard to this, we are nevertheless of the opinion that services, although critical or important for the outsourcing institution or payment institution, should not mandatorily be audited by the outsourcing institution or payment institution, given that the respective service provided by the third party is subject to authorisation, ongoing supervision by a competent authority and adequate audits. This is of particular interest for, e.g., the use of data reporting services provided by data reporting services providers authorised according to Article 59 of MiFID II.
Further, we suggest deleting sentence 2 of paragraph 74, as sentence 2 of paragraph 73 provides appropriate guidance on the main criteria for exercising the right to access and audit. Institutions’ and payment institutions’ individual assessment should not be restricted to such a large extent without consideration of risk-related criteria indicating the need.
We strongly support the possibility to perform joint audits with other clients and highly appreciate that EBA has decided to explicitly include this possibility in the updated outsourcing guidelines, so that, beyond cloud outsourcing arrangements, further outsourcing arrangements can benefit from such an approach. DBG has already gained experience in performing pooled audits and regards the resulting decrease in operational burden compared to individually performed audits as considerable.
The section addresses pooled audits, but the requirements in lit. a to f seem to relate to the use of third-party certifications and reports as addressed in paragraph 74. We ask EBA to consider amending the respective paragraphs.
While outsourcing institutions and payment institutions can contractually ensure competent authorities’ right to audit and access vis-à-vis service providers, further actions to “make sure that service providers cooperate fully with competent authorities”, as required by paragraph 78, might not be within the outsourcing institution’s or payment institution’s sphere of influence and control. We therefore ask EBA to either delete the cited passage or provide further specification.
The unrestricted right to audit may not only conflict with the confidentiality of other customers’ data but also with intellectual property and security-related information of the service provider itself. Service providers might seek to limit the audit scope accordingly. Referring to our comments on paragraphs 72 – 80, the guidelines should give direction on how to address this conflict.
Paragraph 80 requires the institution, in the case of a technically complex outsourcing, to ensure that whoever is performing the audit, “either its internal auditors, the pool of auditors or external auditors acting on its behalf”, is sufficiently skilled to do so. While we generally support EBA’s view that audits should be conducted by sufficiently skilled persons, we would like to point out that in the case of a pooled audit, a single institution can only ensure the skills and knowledge of its own auditing staff but not those of the whole pool of auditors, where auditors might be provided by different institutions or payment institutions.
Against the background of a pooled audit of a cloud service provider already conducted successfully together with further entities of the financial sector, we suggest that EBA consider revising paragraph 80 in such a way that within a pooled audit each participating entity is free to form its own opinion based on the evidence transparently provided by the audit group, while each participating entity remains free to request further information. We are of the opinion that such a procedure should be preferred over adopting another auditor’s assessment and thus having to ensure other auditors’ skills and knowledge.
The reference to a termination right “in accordance with national law” is unclear. EBA might want to consider whether this should refer to the respective governing law of the outsourcing agreement instead.
We consider the guidelines on the oversight of outsourcing arrangements as generally sufficiently clear, except for one point:
The requirement to “receive” appropriate reports from the service provider, as required by paragraph 87 lit. a, might be misinterpreted in the sense that the service provider is obliged to actively send reports. As service providers might also maintain tools enabling clients to extract relevant information on their own, we suggest replacing “receive” with “obtain”. Alternatively, we seek clarification on the issue outlined above.
As already outlined before, we are of the opinion that exit strategies should not be mandatory for intra-group outsourcing. Further, we consider the requirements on exit strategies as inappropriate for outsourcing of non-critical and non-important functions.
As outlined under Section 9.1, potential impacts of disruptions or outages of the outsourcing arrangement shall be taken into account duly, when assessing whether an outsourcing arrangement is to be classified as critical or important. Outsourcing arrangements potentially causing disruptions or other severe adverse effects, which might impede the institution’s ability to comply with regulatory requirements, will be classified consequently as critical or important outsourcing arrangement.
Paragraph 90 requires again an assessment of potential disruptions and the development of exit plans for such outsourcing arrangements potentially causing disruptions. As only critical or important outsourcing arrangements will be in scope of paragraph 90, we ask to explicitly limit the requirement to maintain exit plans to critical or important outsourcing arrangements.
We consider further specification on competent authorities’ possible rights following the ex-ante notification as of particular importance and ask EBA to supplement the EBA draft guidelines respectively.
Paragraph 92 requires a standardised format and as such, EBA should issue a template for this purpose to avoid different formats between competent authorities.
Paragraph 93 requires an ex-ante notification of competent authorities “in a timely manner”, when outsourcing critical or important functions, whereas the minimum information to the provided is being further specified.
We consider the notification to be for information purpose only, which should be clearly stated under Section 13, where appropriate. In order to avoid any undue delays on the usage of the service in question, we suggest to explicitly clarify that the outsourcing institution or payment institution shall not be obliged to await an approval of its competent authority. Moreover, EBA should consider to specify the term “in a timely manner”.
In case the purpose of the notification is not limited to information only, competent authorities’ response time should be explicitly stated and should not exceed four weeks, in order to avoid unnecessary delays and insecurities arising for the outsourcing institution. Moreover, competent authorities’ potential objections of the outsourcing in question should be transparent and clearly communicated to the outsourcing institution or payment institution. Any objection should be based on clear and transparent criteria specified in advance.
Under consideration of the different notification requirements across the EU on outsourcing arrangements, we would welcome further alignment in EU supervisory practice, particularly with regard to the information to be provided.
Under considerations of our comments made on the appropriateness of the guidelines when answering the question before, we ask EBA to amend the EBA draft guidelines on outsourcing addressed to competent authorities such that they reflect amendments on the requirements’ scope and depth. We ask EBA to particularly to account for the comments and suggested adjustments above respectively when phasing responsibilities of competent authorities.
Referring to lit. b of paragraph 100 and following our comment on paragraph 90, competent authorities should ask outsourcing institutions or payment institutions on exit plans exclusively for critical or important outsourcing arrangements.
Referring to our comments made on the exclusion of intra-group outsourcing arrangements from specific requirements, as exit plans, concentration risk and due diligence made before, we ask EBA to amend paragraph 103 respectively.
Under consideration of footnote 23 on paragraph 47, we deem Annex 1 rather illustrative and assume that outsourcing institutions and payment institutions will be allowed to develop their own templates or other means (e.g. software solutions) of meeting the documentation requirements outlined under Section 8.
Having said this, we consider selected aspects of Annex 1 as inappropriate or not sufficiently clear.
Worksheet “Submission of information”
- Column B: It is unclear whether a description or only a category should be inserted. While the title of the column would suggest a description, the explanation provided calls only for a classification of the service.
- Column I: In order to avoid unnecessary duplication of rows in case more than one sub-contractor is related to the provision of one outsourcing arrangement, we suggest separating information on sub-contractors from information on outsourcing arrangements. Sub-contractors could be listed in a separate worksheet where reference to the related outsourcing agreement can be provided in the form of the unique identifier.
In line with the requirements of Section 10.1, only subcontractors of critical or important functions that might affect the ability of the service provider to meet its responsibilities shall be considered and documented in Annex 1.
- Column Q: Please provide further clarification on whether “stored” refers to backups conducted.
- Column S: Referring to our comment made on Section 8, we consider the documentation, including the regular update of the expected budget cost, as inappropriate and suggest deleting this information from this list. Budgetary implications are documented within the respective budget planning and cost analyses and can be requested if deemed necessary.
- Column X and Y: We would like to note that assessing risks can be conducted through various individual risk assessments. It should be clarified that outsourcing institutions and payment institutions should be free to structure their risk assessments according to their needs and operational structure. Hence, clarification is demanded on what should be filed in case the risk assessment consists of various assessments potentially conducted separately.
- Column AB: The worksheet “Explanation” does not contain information on what to fill into column AB. Please clarify your explanation.
Worksheet “List of activities”
The guidelines do not provide an explanation of the concrete purpose of the activities listed in the worksheet and their relation to the main worksheet “Submission of Information”. We assume that the activities listed constitute potential activities that might be considered as outsourcing in case a third party is performing the respective activity for the institution or payment institution in question.
In case our understanding is correct, we particularly object to the assessment that hardware, software or payroll accounting shall be considered outsourcing by default. The classification of a third party arrangement as outsourcing shall solely depend on each individual institution’s or payment institution’s assessment under consideration of fixed criteria.
We seek further information on the content and intended use of the list of activities, concretely of how rows 1, 2 and 3-12 relate to each other and how the “List of activities” should be considered when filling the main template “Submission of Information”.
We refer to our comments made in this document in particular relating to Section D.7 of the cost/benefit analysis.