Response to consultation on draft Guidelines on outsourcing

Go back

Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?

- Regarding the application of the guidelines, it would be helpful for the EBA to suggest a list of functions not concerned as critical and important (even if not complete).
- We suggest to include in the definition of outsourcing, the criteria of durability and regularity.
- we also suggest to draft guidelines from Joint Committee guidelines of the European Supervisory Authorities (EBA, ESMA and EIOPA).

Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?

Clear for us for proportionality, with regard to intragroup application. We agree with the fact that activities outsourced in the group have to follow the same obligation as others outsourcing arrangements and adapt the process of intragroup control, taking into consideration results of control already done by the Group.

Q3: Are the guidelines in Title II and, in particular, the safeguards ensuring that competent authorities are able to effectively supervise activities and services of institutions and payment institutions that require authorisation or registration (i.e. the activities listed in Annex I of Directive 2013/36/EU and the payment services listed in Annex I of Directive (EU) 2366/2015) appropriate and sufficiently clear or should additional safeguards be introduced?

We suggest that it would not be necessary to do a prior request for outsourcing with a third party, as long as the institutions establish a register and respect governance requirements, in particular:
 Framework contract;
 Control process.

Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?

We have another point of view concerning the paragraph 30 {c}, page 25, concerning the establishment of an outsourcing function or the appointment of a senior staff member for outsourcing management issues. We suggest to let the institutions decide how to organize the supervision of these outsourcing functions, without a mandatory specific function.

Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?

The point 5 on “Conflicts on Interests” needs to be clarified.

Q6: Are the guidelines in Sections 8 regarding the documentation requirements appropriate and sufficiently clear?

Concerning the sections 8, we suggest the following concerning the information contained in the register:
- For all outsourcing arrangements, it would be logical to include information detailed in the (a) of the point 47.
- Only for important and critical outsourcing functions, include part (b);
- We suggest not to include the paragraph (c) of the point 47.

Q7: Are the guidelines in Sections 9.1 regarding the assessment of criticality or importance of functions appropriate and sufficiently clear?

Clear for us.

Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?

We suggest to define standards contractual terms for cloud service provider.

Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?

We suggest to remove the sentences where you refer to “…regardless of whether or not those arrangements are considered outsourcing arrangement”, and keep these guidelines exclusively for outsourcing arrangement. (cf. Point 57)

Q10: Are the guidelines in Section 10 regarding the contractual phase appropriate and sufficiently clear; do the proposals relating to the exercise of access and audit rights give rise to any potential significant legal or practical challenges for institutions and payment institutions?

We suggest to add, “Accept that the competent authority has access to the information on essential and important outsourced functions for the exercise of its mission, including control on site.”

Q11: Are the guidelines in Section 11 regarding the oversight on outsourcing arrangements appropriate and sufficiently clear?

We suggest to add and refer in this section to the 3 lines of defense “1st level of control, 2nd level and third level”.

Q12: Are the guidelines in sections 12 regarding exit strategies appropriate and sufficiently clear?

Clear for us.

Q13: Are the guidelines in Section 13 appropriate and sufficiently clear, Iin particular, are there any ways of limiting the information in the register which institutions and payment institutions are required to provide to competent authorities to make it more proportionate and, relevant? With a view to bring sufficient proportionality, the EBA will consider the supervisory relevance and value of a register covering all outsourcing arrangements within each SREP cycle or at least every 3 years in regard of the operational and administrative burden.

As long as the institutions establish a register and respect governance requirements, in particular framework contract and control process, it would not be necessary to do a prior request.

Q14: Are the guidelines for competent authorities in Title V appropriate and sufficiently clear?

Clear for us.

Q15: Is the template in Annex I appropriate and sufficiently clear?

We suggest to simplify the Annex I.

Q16: Are the findings and conclusions of the impact assessments appropriate and correct; where you would see additional burden, in particular financial costs, please provide a description of the burden and to the extent possible an estimate of the cost to implement the guidelines, differentiating one-off and ongoing costs and the cost drivers (e.g. human resources, IT, administrative costs, etc.)?

We suggest to release financial costs in this reporting.

Name of organisation

Centre des professions financières