Comment 1. Page 17, section 5. It would be helpful if the EBA could introduce one set of rules / guidance which would apply to all in-scope outsourcings by all relevant institutions and using one set of definitions. If this is the EBA’s intention, it would be helpful if this was expressly stated. Different definitions are used in different regulations and the proposed definition in the draft guidelines appears to be even wider than them. In particular there should be one clear definition of what outsourcings the guidelines apply to, together with non-exhaustive examples explaining what outsourcing is subject to the guidance and what is not.
Comment 2. Page 18, section 11. Definition of “Outsourcing”. Account should be taken of the fact that many arrangements with service providers involve the institution procuring “components” which it then uses as part of an overall solution – like “building blocks” used to build a larger solution. In this scenario the institution should be able to take a more risk based approach, taking into account the limited scope of what is being provided by the service provider. The guidelines make no distinction between a full scale business process or technology outsourcing and contracting for such components or building blocks. Applying minimum requirements / content for all outsourcing, including procuring components or building blocks, will require institutions to undertake or request disproportionate and, in some cases, irrelevant activities and contract terms.
Although there is reference to proportionality, the guidance should expressly permit a more risk based approach and make it clear that sections of the guidance need not be applied in cases where they are not relevant or appropriate, or if the same end can be achieved by other means.
Comment 3. Page 19, section 3, 12. The implementation arrangements are unclear in relation to existing outsourcing agreements. It should be clarified whether outsourcing agreements entered into before the effective date of the guidelines (proposed for 30 June 2019) would have to be reviewed and, if necessary, amended to comply with the guidelines. There may not be a scheduled “review date”. Even if there is, some service providers may refuse to agree to required changes or charge a ransom payment for doing so.
Comment 4. Page 20, section 3, 13. This suggests that all outsourcing agreements, including those already in place, need to be made compliant with the guidelines by no later than 31 December 2020. Some service providers may refuse to agree to required changes or charge a ransom payment for doing so.
It is recommended that the Guidelines should only apply to outsourcing agreements entered into after the commencement date.
Comment 5. Page 20, section 15. The statement that institutions should apply the guidelines in a proportionate manner is inconsistent with the highly prescriptive content elsewhere in the guidelines. A proportionate, risk based approach would be appropriate. It is suggested that this section should be expanded to clarify that institutions may apply the Guidelines in a proportionate, risk based manner and that all sections of the Guidance are therefore not mandatory.
Comment 6. Page 21, section 2. A lighter touch, risk based approach would be more appropriate for intra-group outsourcing within the institution’s corporate group. Many of the prescribed activities, such as pre-outsourcing risk assessments and exit plans, are less appropriate and will create unnecessary work and expense in relation to intra-group outsourcings. For example, services provided by an internal service provider may never be moved to an alternative service provider or integrated into the outsourcing legal entity. Similarly, the documentation, monitoring and reporting requirements for intra-group outsourcings should allow for a lighter touch to be adopted.
Comment 7. As mentioned in response to Q1, paragraph 23 should include non-exhaustive examples explaining what outsourcing is subject to the guidelines and what is not.
Comment 8. The Guidelines should (1) expressly state that institutions are permitted to have different policies for (a) external outsourcings, and (b) intra-group outsourcings, reflecting the different risks, issues and controls that are relevant and appropriate to each, and (2) enable institutions flexibility to include the details in appropriate governance documents that align with an institution’s framework, for example in mandatory procedure documents or handbooks (the requirements are too detailed for a policy document).
Comment 9. Institutions are increasingly adopting Resilience management approaches (which incorporate Business Continuity). Can the EBA incorporate within the items of this section the acceptability of Service Continuity Planning and Service Continuity Plans as both complementary to Business Continuity Planning and Business Continuity Plans and, where applicable, alternatives to them?
Comment 10. Can the EBA clarify the material differences between items 39 and 41, as both require continuity planning and BC plans?
Comment 11. Statement 40 refers to ‘Continuity plans for disaster recovery’. Can the EBA clarify if this in any way differentiates these plans from Continuity plans (without the disaster recovery qualifier) used elsewhere and, if so, how?
Comment 12. Institutions should be allowed discretion to document their external and intra-group outsourcings using different contractual terms. A lighter touch approach is more appropriate for arrangements within the corporate group where the parties are under common control.
Comment 13. The term “banking and payment services” is used in section 49.a.iii but is not defined. This should be clarified.
Comment 14. Page 33, section 51. The extensive generalised criteria for assessing criticality or importance have the potential to blur lines and, together with the elements within paragraph 49, could result in the vast majority of outsourcings being classified as critical or important. This could make it more difficult to identify those critical arrangements most impacting an institution and have the knock-on operational impact of significantly increasing reporting to the competent authorities.
Paragraphs 48 to 52 make very little distinction between outsourcing within the firm’s corporate group and outsourcing to an external service provider. While that may be the correct approach in relation to the initial assessment of criticality or importance, it should be made clear that different approaches to the governance, oversight and management of outsourced services may be adopted, based on the overall pre-outsourcing assessment, depending on whether the service provider is an external service provider or is under common control within the institution’s own corporate group.
Comment 15. The full risk assessment requirements appear disproportionately onerous for intra-group outsourcings. Institutions should be free to tailor their pre-outsourcing due diligence / risk assessments depending on whether the service provider is external or a member of its corporate group.
Comment 16. Page 35, section 58. Scenario analysis for each outsourcing (even allowing for the principle of proportionality) is too prescriptive. Firms should be able to adopt their own risk assessment approach.
Comment 17. Page 37, section 10. Some service providers, and cloud service providers in particular, may refuse to agree to all of the mandated contract content, particularly where the services are standardised “off the shelf” services provided on a “one to many” basis rather than services provided specifically for one institution. A more flexible, risk based approach would be more appropriate, allowing the nature, purpose and criticality of the particular services to be taken into account.
Comment 18. Page 38, section 64.j. This requirement is not clear.
Comment 19. Page 40, section 10.3. Many cloud service providers (and other service providers) may not grant all of the access, information and audit rights set out in this section. Some cloud service providers may only provide third party certifications and reports and refuse to permit individual audits in multi-tenanted environments. A more flexible, risk based approach should be proposed, allowing for the possibility of audit by way of independent audit reports and certifications to be shared with multiple service recipients. The statement (on page 41, section 74) that institutions should not rely solely on third party certification and third party reports substantially reduces their usefulness. Unless these requirements are modified, the guidelines may prevent the use of many cloud services, hamper innovation and make European institutions less competitive.
The application of section 79 is not clear. In this scenario, is the institution able to take a more flexible, risk based approach?
Generally, section 10 is too detailed and prescriptive. The institution should be able to take a risk based approach and be free to adjust its contract terms for each scenario – rather than having to include all the prescribed terms in every case.
Comment 20. Statement 75 refers to ‘pooled’ audits with the retained right to perform an individual audit at the institution’s discretion. Can the EBA clarify its expectations regarding suppliers who will not agree to this – particularly Cloud providers?
Comment 21. Page 44, section 12. The exit requirements are disproportionately onerous for intra-group outsourcings. For example, in the context of an intra-group outsourcing, material deterioration in service is more likely to be resolved by escalation and management intervention, rather than moving to a different service provider. Institutions should have more latitude in making exit arrangements for intra-group outsourcings.
Comment 22. Page 45, section 93. The requirements to notify all critical or important functions are disproportionately onerous for intra-group outsourcings. There should be a risk based approach for intra-group notifications focused on functions that will have a material impact on an institution meeting its conditions of authorisation or fundamental obligations under the regulatory system.
Comment 23. Page 45, section 94. To enable competent authorities to maintain an up to date view on critical and important outsourced functions, they would also need to be informed when a previously notified function is no longer a critical or important outsourced function, for example when bringing a function back in-house from a service provider. The guidelines in 93 & 94 only make provision to notify competent authorities before entering into a new agreement and when an existing arrangement becomes critical or important.
Comment 24. The wide definition of outsourcing combined with the reporting obligations could lead to over-reporting. We suggest this should be made outcome based, with the guidance setting out what outsourcings must be notified to the competent authority in advance.
Comment 25. Statement 100 in the Title V section indicates ‘competent authorities’ should seek evidence of supplier Business Continuity Plans suited to the service they are providing. Can the EBA use Section 6 of the Guidelines to clarify expectations of Suppliers’ Continuity planning and plans and Institutions’ accountabilities and responsibilities in their respect?
Comment 26. Statement 103 in the Title V section indicates ‘competent authorities’ should seek evidence of institutions’ management of ‘step-in’ risk. Can the EBA clarify their expectations of institutions and their definition of ‘step-in’ risk management?
Comment 27. Page 60. The assertion that clear mandatory contractual requirements, especially in relation to access and audit, will be non-debatable is incorrect. Many service providers, especially cloud service providers, may well still refuse to agree to them. Unless institutions are given latitude to apply the Guidelines in a risk based, proportionate manner, the Guidelines may lead to institutions not being able to use some cloud services, innovation will be stifled and European institutions’ costs will be increased in comparison with non-European institutions.