In relation to the proposed definition of outsourcing in paragraph 11, consideration should be given to permitting institutions to self-identify their own excluded activities based on criticality and proportionality.
In reference to the definition of a critical or important function, the guidelines state that the definition includes “any operational tasks performed by the internal control functions”. However, it is important to note that internal control functions perform a range of tasks some of which have a bearing on the institution’s risk profile and others which do not (e.g. routine administrative tasks). Therefore, we believe it should be up to the institution to determine whether the particular task being outsourced is in fact “critical or important”. Also, in addition to the criteria laid out in section 9.1 of the guidelines, we would welcome the use of examples to further help firms identify critical or important functions as otherwise there is a risk that different firms will interpret the guidelines differently and have significantly different approaches to implementation.
We would welcome clarification on what priority firms should apply to the requirements under MIFID II and BRRD in reference to recovery and resolution planning, resolvability and operational continuity. We understand from the draft guidelines that, as suggested in paragraph 50, the definition in MiFID II would generally be applicable when determining whether a function is critical or important. However, paragraph 51 contains a reference to recovery and resolution planning, resolvability and operational continuity. We would welcome clarification whether this means that in a recovery and resolution scenario a firm must take into account the definition in both the BRRD and MiFID II or only in the BRRD.
Lastly, the guidelines contain multiple use of the term ‘location’ and we would welcome clarification that references to ‘location’ mean the country level.
We note that in the proposed guidelines, no proportionality based on risk profile is afforded to intra-group outsourcing. In our view, this does not recognize the degree of integration reached within many banking groups, where centralized functions at group level act as a service provider for the other entities of the group. For example, a number of the proposed requirements such as those relating to due diligence, concentration risk and exit strategies are not directly relevant to groups with intra-group outsourcing arrangements and as such we believe that intra-group outsourcing should be subject to calibrated requirements for due diligence and exit strategies. Similarly, we believe that proportionality based on a risk-based approach should be applied to the provision of corporate functions by parent organizations.
In relation to paragraph 20(b), and the ability for institutions in groups with a centralized outsourcing function to delegate the pre-outsourcing assessment in appropriate cases, we believe the requirement for each institution to receive the assessment at the time of outsourcing should only apply to the outsourcing of critical or important functions or arrangements. All assessments could be provided on a regular basis for information as part of the financial institution governance.
Paragraph 26(b) places the onus on institutions to ensure that an appropriate cooperation agreement is in place between their own supervisory authority and the service provider’s supervisory authority. We believe it would be more efficient for each local supervisory authority to issue a list of countries to which outsourcing is, or is not, appropriate, rather than for each institution to undertake its own assessment.
Further to this, standard market practice in the financial industry involves providing services to clients in the EU27 and certain activities are outsourced to affiliates, including affiliates operating in third countries. Therefore industry participants will be dependent on cooperation agreements being put in place between competent authorities otherwise firms, as well as the wider financial services industry in addition to end consumers across Europe, could face significant disruption and additional costs. Instead of requiring Memorandums of Understanding (MoUs) between Competent Authorities we advocate the adoption of an outcomes focused approach which would allow for more flexibility and which would not make the ability to outsource dependent on MoUs over which institutions have no control.
In relation to Business Continuity Plans, we believe the proposed requirement in paragraph 40 to involve a service provider in testing where the failure to provide a critical or important function would lead to severe business disruption. It further would potentially have significant impact on providers, especially if they are external. It is therefore important that the final guidelines are clear on the expected level of involvement between the provider and client in such a process. We would recommend giving consideration to reliance on continuity testing done by a service provider for a service where results can be shared across multiple financial institutions. This reduces the burden on the providers for continuity testing to meet these guidelines for every individual institution.
We would welcome clarification of the wording in paragraphs 43 and 44 as it relates to the exercise and enforcement of audit rights. In our view, the current proposal could be interpreted to suggest that the corporate audit function is responsible for audit enforcement rights. We would therefore recommend clarifying that it is the outsourcing arrangement owners who should enforce audit rights to enable them to effectively oversee outsourced activities. Placing responsibility to enforce audit rights on the corporate audit function would risk creating an inherent conflict of interest as the corporate audit function’s mandate is to review the oversight arrangement controls and the structuring of oversight is the role of the first line of defence and not the third line.
In relation to paragraph 44(d), we believe the draft guidelines should make clear that the assessment of the service provider’s risk appetite statement and control procedures should be assessed by the outsourcing arrangement owner as part of the risk assessment and continued oversight over the outsourced activity, rather than being the responsibility of the corporate audit function. The audit function has a role to ensure this is effective.
We are fully supportive of the need to maintain a register. However, we believe that firms should have the flexibility to maintain data that is substantially equivalent to that listed in the guidelines, but without having to meet all data points. The data points to be included in the outsourcing register are quite prescriptive, do not necessarily fully align with the current data points, and may not yield a significant benefit. In particular, data regarding sub-service providers should only be necessary for critical or important functions or functions in scope of GDPR due to the administrative burden it would place on firms to source this. We believe the most appropriate and proportionate approach would be for each institution to determine which data points should be captured having regard to the overall group structure, the criticality of each outsourcing arrangement, and relevant regulatory requirements.
With reference to paragraph 50, we believe not all processes or services relating to core business lines should be considered as “critical or important”. A core business line may be comprised of numerous sub-processes, some of which will have little bearing on the institution’s risk profile. As highlighted earlier, we believe it should ultimately be up to the institution to determine whether the function being outsourced is, in fact, “critical or important”.
Paragraph 54 specifies the need to take into consideration additional factors such as the financial situation of a potential external service provider when conducting due diligence. However, we believe it is important to highlight that an institution may not always be able to gain access to the relevant financial information, esp. if it is not publicly available.
We believe the proposed requirements in paragraph 60 relating to sub-outsourcing should be linked to the materiality of the risk posed or whether it relates to a critical or important function.
In reference to para 63(b), it should not be necessary for each outsourcing agreement to specify an end-date provided that appropriate termination provisions are included. We would also advocate that not all but only material changes to the outsourcing agreement would require to be expressly approved by the financial institution’s responsible person or relevant legal entity board.
In relation to para 63(h), 66(b) and 72, the requirement for “unrestricted” or “complete” access and audit rights is not realistic. Such rights need to be balanced against the need for each service provider to manage issues of confidentiality, privacy, conflicts of interest, and business disruption that accompany audits and information requests. The service provider should be required to cooperate with requests from supervisory authorities and to grant appropriate audit and access rights with regard to the criticality of the function being outsourced. Additionally, it should not be necessary for the institution to have direct rights of audit and access to sub-outsourcing service providers provided that the original service provider carries out appropriate monitoring and oversight and gives appropriate contractual warranties to the service recipient institution.
As a general point on section 10, we wish to emphasise that the requirements on sub-outsourcing will be impossible for institutions to implement unless the competent authority has authority over these vendors since the firms themselves cannot require sub-outsourcers, particularly those which are IT related, to allow them oversight of their activities.
In reference to section 10.3 as it relates to the use of auditors and pooled auditors, we suggest there is a need for clarification as to whose auditors these would be in the context of intra-group outsourcing arrangements; for example would it be sufficient to use auditors from the wider group? We would also welcome clarification as to whether arrangements for the use of pooled auditors only relevant to external outsourcing arrangements? As highlighted earlier, we believe the draft guidelines should clarify that the enforcement of audit rights is that of the outsourcing arrangement owner and not that of the corporate audit function.
As highlighted earlier, we believe the proposed requirement for firms to be able to have oversight of sub-contractors as they relate to IT sub-contractors is unrealistic, given that there are no legal requirements on IT sub-contractors to allow firms oversight, and bears no relation to materiality, criticality/importance or risk.
The requirements in section 12 on exit strategies should reflect whether an outsourcing arrangement is with an intra-group or external provider and also be calibrated on risk posed to the institution from a failure of the specific service provider or a material deterioration in the service provided.
We support the guidance to make available the full register of outsourcing arrangements to the competent authority. However, in relation to paragraph 92, we consider that in absence of a request, it would be more proportionate for institutions to provide the competent authority with only a subset of that register, consisting of critical or important outsourced functions.
In relation to paragraph 93, we do not consider that all of the information in paragraphs 47(a), (b) and (c) is of value to a competent authority and therefore it should be open to an institution’s supervisors to determine what they would like to see.
Further to this, and as highlighted early, we believe some of the proposed requirements for the register would necessitate firms that have intra-group outsourcing arrangements to collect data that would not have a bearing on an outsourcing assessment of internal providers and collecting this would pose a significant unnecessary burden.
We believe the conclusions of the impact assessments do not reflect the additional burden resulting from the increased scope of the guidelines on sub-outsourcing as well as their implications for current IT outsourcing arrangements.
We believe an important way of limiting undue burden and expense for firms would be to allow for calibration of the documentation requirements to be based on the criticality of provider and not just service.