With regard to point d. of paragraph 44, which requires, among other things, that the internal audit function ascertains that the risk appetite of the service provider is in line with the institution’s or payment institution’s strategy, we would ask for further clarification of how the risk appetite (which should not be confused with the term “risk profile”!) can be assessed in practice, given that service providers from the real sector of the economy do not disclose their risk appetite framework in sufficient detail.
We would welcome additional clarification as presented below.
First sentence of paragraph 46 on p. 30 reads:
»Institutions and payment institutions should maintain a register of all outsourcing arrangements at institution and group level where applicable as referred to in Section 2, document and record all current outsourcing arrangements, distinguishing the outsourcing of critical or important functions and other outsourcing arrangements«.
It follows that all existing outsourcing arrangements should be included in such a register, which is not reasonable. For example: for those service providers who have been identified as least risky already at the initial risk assessment (for example, they do not even reach the minimum internally set threshold of materiality), it is not necessary to collect and manage the entire documentation, but only the most critical part. In view of this, we ask for a more detailed explanation of the term "other outsourcing arrangements", since the general definition of outsourcing in the Guidelines is also not entirely clear.
A possible proposal for a solution is to set criteria for determining "significant" or "material" outsourcing arrangements, which should be included in the register (for example, by assessing their impact on capital, liquidity, reputation... of the institution) and / or allow the materiality threshold to be determined at this point or in the definition of outsourcing in chapter 2 of the Guidelines.
The definition of outsourcing should therefore be more closely linked to those external contractors where the realization of risks could (materially) affect the profit, capital and / or liquidity of the institution, as this is, in our opinion, crucial for linking this part of the bank's operations with the risk appetite framework, ICAAP and ILAAP.
We would propose one amendment as described below.
According to paragraph 24 (on p. 23) which reads
»The risks, including in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraph 22 and 23, should be assessed in line with paragraphs 53 and 55 and Section 9.3, taking into account the application of the proportionality principle as referred in Section 1.«,
institutions and payment institutions need to conduct risk assessment for all arrangements with third parties (i.e. also for those services which are not considered outsourcing in accordance with paragraph 23) in line with paragraphs 53 and 55 of the Guidelines.
Paragraph 53 requires institutions and payment institutions to carry out an appropriate assessment of whether the service provider has “appropriate and sufficient ability, capacity, resources, organisational structure and, if applicable, required regulatory authorisation(s) to perform the critical or important function” before signing the contract, so we propose to change the title of subchapter 9.2 from “Due diligence” to “Due diligence within selection process”.
Paragraph 90 requires preparation of exit strategies/termination of the contracts without undue disruption of institutions’ and payment institutions’ business activities or adverse effects on their compliance with the regulatory framework and without detriment to the continuity and quality of the provision of their services to clients. Given the dominant or even monopoly position of some service providers, institutions have extremely limited possibilities (or no possibilities whatsoever) to negotiate appropriate exit strategies in the contracts, which they could actually implement in practice in the manner defined above.
Considering the above we propose the rewording of this paragraph, e.g. by inserting the words “where applicable” so that the new wording would be as follows:
»Institutions and payment institutions should ensure, where applicable, that they are able to exit outsourcing arrangements, without undue disruption of their business activities or adverse effects on their compliance with the regulatory framework and without detriment to the continuity and quality of its provision of services to clients.«
We are fully aware of the importance of providing timely and relevant information about outsourcing to competent supervisory authorities in order to achieve a comprehensive overview of the outsourcing of institutions and the identification of possible concentration of outsourcing. Nevertheless, we are very interested in how the outsourcing institutions’ obligation arising from Chapter 13 of the draft Guidelines (“Duty to adequately inform supervisors”) will be implemented in practice. Specifically, according to paragraph 93, institutions are required to notify competent authorities in advance, i.e. before they intend to enter into the new outsourcing agreement / prior to conclusion of the contract (!). In practice, the risk analysis processes are time-consuming, as is the process of selecting the contractor and negotiating all the provisions contained in the agreement with him, so this information should come to the supervisory authority towards the end of the approval process, after the outsourcing institution has gathered all the important elements to take a final (go / no go) decision. We would appreciate it if you could elaborate on the practical implications of a prior notification, especially in terms of the cost/benefit analysis of the Option D explained on page 55, which would “ensure that competent authorities would be informed about upcoming outsourcing arrangements and have the opportunity to intervene if they had concerns about the risk they encounter…” What would actually be the means of exercising this opportunity to intervene? As “a prior approval or non-objection procedure by the competent authority” has been abandoned together with the option E, we would like to know how this prior information could impact the go / no go decision and the conclusion of the contract with the pre-selected outsourced service provider.