EPIF believes that certain provisions, as currently drafted, will increase costs and impose additional burdens on businesses to invest in order to ensure the application of the Guidelines. These will have a financial impact on the companies, will impose additional compliance requirements on businesses and to this end, the business community would welcome greater detail on certain points to ensure that resources are properly allocated when building out the appropriate outsourcing framework. For further information, see our paper attached.
The definition of outsourcing (paragraph 11 of the draft Guidelines) notes that ‘outsourcing’ means an arrangement of any form in which a service provider performs an activity/service/process that would otherwise be undertaken by the financial institution itself. We would appreciate more clarity on what is meant by “would otherwise be undertaken”. Innovative payment institutions (PIs) typically focus on core activities and will partner with other financial institutions for the performance of activities that the PI itself does not undertake. This could be due to the prohibitive costs associated with those activities, or the regulatory and technical complexity of setting up such activities in the first place, or the lack of having the appropriate licence. We believe that there should be a reasonableness test incorporated in the definition of outsourcing. There are many activities that a PI could perform but which it does not, for example, reasonably do for the reasons set out above. These could include, for example, credit or data checks, sponsor bank services, payment processing or settlement. The theoretical possibility of being able to perform the activities – for example by having the appropriate licence – does not mean that a payment institution would be outsourcing when it makes use of service providers to provide services which it does not reasonably wish to do itself. Leaving an overly broad and ambiguous definition of outsourcing could stifle innovation. It also leads to a lack of clarity as to roles when service providers contract with PSPs or other financial services players.
Paragraph 25 introduces the requirement that banking or payment services that require authorisation or registration by a Competent Authority (CA) in the Member State where the firm is authorised are outsourced only to a service provider located in the same Member State or in another Member State if (a) the service provider is authorised by a competent authority to perform such services; or (b) the service provider is otherwise allowed to carry out those services or activities in accordance with the relevant national legal framework.
In most cases, firms would not be outsourcing a banking or payment service in its entirety, but would outsource parts thereof (for example: the settlement between different entities involved in the provision of the payment service). We would therefore ask the EBA to confirm that this provision only applies to a banking or payment service that is fully outsourced. Alternatively, if it applies also to the outsourcing of “parts” of regulated services, we would ask the EBA to specify which parts would be deemed to be subject to this provision.
Furthermore, we would ask the EBA to confirm that the EU PIs (Payment Institutions) may engage service providers to offer regulated services through a system of chain outsourcing which also includes non-regulated entities.
In addition, Paragraph 26 introduces the requirement that banking or payment services that require authorisation or registration by a CA in the Member State where they are authorised are only outsourced to a service provider located in a third country if certain conditions are met. We note that while outsourcing within the EU is allowed under the relevant national legal framework of the service provider (see above and in the attached paper), outsourcing outside the EU is subject to a much more stringent set of rules.
We would ask the EBA to clarify the type of cooperation agreements that should be considered as valid. We believe that the existing list of cooperation agreements must be made publicly available and regularly updated by the public authorities. We would also ask to clarify if those agreements should be signed with the European Union authorities or on Member States level.
This EBA provision has an “extraterritorial reach” and imposes European legal obligations on third countries. We believe, that this requirement would be very difficult to apply in practice due to the lack of cooperation agreements between Member States and certain third countries, potential difficulties related to the obligation, and due to the short timing of the entry into force of the Guidelines. For further detail, please see our attached paper.
The EBA in its impact assessment indicates that for the requirements of outsourcing to third countries two options have been considered.
We believe that Option B is preferable to Option A. As the EBA rightly indicated in its impact assessment, Option A would require CAs to enter into multiple, lengthy negotiations with third countries. In contrast, Option B would offer more flexible and pragmatic approach. We think that this policy of=objective can be better achieved by including supervisory authority rights and PSP’s obligations to respond to request of information/documents, as part of the contractual obligations between the EU PSPs and non-EU service providers.
Title III, Part 5 describes the situations where the PSPs should identify, assess and manage conflicts of interest with regards to their outsourcing arrangements. Due to very detailed obligations for the PSPs and the sensitivity of the area, we would like to ask further guidance on clarifying the terms of “material conflicts of interest” and of “appropriate measures to manage the conflict of interest” and its application in practice.
EPIF believes that the information that should be included in the register is too detailed. In the case of complex chain outsourcing to third parties, it would be very difficult to include details of all sub-service providers down the chain and to manage changes thereto. This would be a very burdensome requirement for PSP and their service providers. There should be a materiality threshold (e.g. critical or important functions, critical or important sub-outsourcing) where it should be allowed to draw the line. The focus must be not on “who” performs the outsourced service, but “how” it is performed. Contractual arrangements and appropriate oversight should be enough to provide that level of quality assurance.
Therefore, we believe the requirements stated in parts b) and c) are not necessary and should be removed.
Title IV point 63 e) requires PIs to allocate rights and obligations in a written agreement which should include the location where the critical or important functions will be provided or where relevant data will be kept. EPIF is concerned that this provision will create additional time and financial investments, as locations can change, management of the modification would be burdensome and finally not necessary as long as the service provider agrees to comply with all applicable laws.
Moreover the provision in Title IV point 10.1 requires PSP sub-outsourcing services to be able to control and oversee different levels of sub-outsourcing services providers of critical or important functions and guarantee that the availability, integrity, security of data and systems is ensured. EPIF is concerned that this will create practical issues related to a high level of control requirements of chain outsourcing service providers (see paper attached).
Section 83 requires PSPs to monitor on an ongoing basis the performance by the service provider and, where applicable, sub-contractors. We suggest applying these requirements to chain outsourcing on a risk-based approach (e.g. oversight should apply to material sub-contractors and PSPs should be able to rely on the service provider monitoring the sub-contractor’s performance, review the results of such monitoring (if needed) and conduct direct oversight of sub-contractors only in situations where PSPs determine that this is appropriate).
We believe this should form part of the business continuity plan. We suggest it not to be so prescriptive and that in its current form, it is very detailed and rather onerous to comply with. Companies should have more flexibility to form their own exit plans.