Centre des professions financières

- Regarding the application of the guidelines, it would be helpful for the EBA to suggest a list of functions not concerned as critical and important (even if not complete).
- We suggest including the criteria of durability and regularity in the definition of outsourcing.
- We also suggest drafting guidelines from Joint Committee guidelines of the European Supervisory Authorities (EBA, ESMA and EIOPA).
Clear for us for proportionality, with regard to intragroup application. We agree with the fact that activities outsourced in the group have to follow the same obligation as other outsourcing arrangements and adapt the process of intragroup control, taking into consideration results of control already done by the Group.
We suggest that it would not be necessary to do a prior request for outsourcing with a third party, as long as the institutions establish a register and respect governance requirements, in particular:
- Framework contract;
- Control process.
We have another point of view concerning paragraph 30 (c), page 25, concerning the establishment of an outsourcing function or the appointment of a senior staff member for outsourcing management issues. We suggest letting the institutions decide how to organize the supervision of these outsourcing functions, without a mandatory specific function.
Point 5 on “Conflicts of Interests” needs to be clarified.
Concerning section 8, we suggest the following concerning the information contained in the register:
- For all outsourcing arrangements, it would be logical to include information detailed in the (a) of the point 47.
- Only for important and critical outsourcing functions, include part (b);
- We suggest not to include the paragraph (c) of the point 47.
Clear for us.
We suggest defining standard contractual terms for cloud service providers.
We suggest removing the sentences where you refer to “…regardless of whether or not those arrangements are considered outsourcing arrangement”, and keeping these guidelines exclusively for outsourcing arrangements. (cf. Point 57)
We suggest adding: “Accept that the competent authority has access to the information on essential and important outsourced functions for the exercise of its mission, including control on site.”
We suggest adding to this section a reference to the 3 lines of defense “1st level of control, 2nd level and third level”.
Clear for us.
As long as the institutions establish a register and respect governance requirements, in particular framework contract and control process, it would not be necessary to do a prior request.
Clear for us.
We suggest simplifying Annex I.
We suggest releasing financial costs in this reporting.
Marie-Agnès NICOLET