To leverage the advantages of border free technology, the EU plays a key role in adopting harmonised and flexible rules, aligned with the already existing rules and regulations governing the financial industry. In this context, we are pleased to note that EBA wants to align its new Guidelines on Outsourcing arrangements and its definition of outsourcing with the existing rules already covering this topic, including in particular Directive 2014/65/EU (MiFID II) and the Commission delegated regulation (EU) 2017/565.
Specific position of critical service providers
SWIFT is a critical service provider to the global financial industry. With more than 11,000 institutions in over 200 countries and territories exchanging financial messages over its network, SWIFT plays a vital role in the functioning of the global financial community. A large and growing number of systemically important payment and securities settlement systems have become dependent on SWIFT, which has thereby acquired a systemic character.
As SWIFT’s messaging activities are critical to the smooth functioning, safety and efficiency of major payment and securities settlement systems worldwide, the central banks of the G10 countries have made SWIFT subject to cooperative central bank oversight.
Because SWIFT is incorporated in Belgium, the National Bank of Belgium acts as the lead overseer in cooperation with the other G10 central banks. By jointly interacting with SWIFT and formulating joint recommendations, these central banks aim to raise efficiency of their actions as well as the effectiveness of SWIFT’s own actions taken in response to their recommendations. Complementary to this arrangement, a structure is in place to inform the senior overseers from the G20 countries about SWIFT oversight conclusions.
The oversight objectives centre on: risk identification and management, information security, reliability and resilience, technology planning, and communication with users. In their review, overseers seek assurances that SWIFT has put in place appropriate governance arrangements, structures, processes, risk management procedures and controls that enable it to effectively manage potential risks to financial stability and to the soundness of financial infrastructures, to the extent that they are under SWIFT’s control.
As a result, SWIFT is subject to very high standards and controls in terms of security, confidentiality, availability, and resilience and is audited annually by its third-party auditors based on the ISAE 3000 standard. Since SWIFT provides customers access to all relevant information via such ISAE 3000 audit reports, customers do not have individual access or audit rights on SWIFT. Granting such access or audit rights to thousands of customers would create operational and security risks for SWIFT, which would jeopardise the very essence of its role as a critical service provider.
SWIFT’s services have therefore always been explicitly exempted from outsourcing guidelines by the Outsourcing circular of its lead overseer, the National Bank of Belgium (Circulaire PPB 2004/5 sur les saines pratiques de gestion en matière de sous-traitance par des établissements de crédit et des entreprises d’investissement; guidance letter of 22 June 2004 (PPB 2004/5) regarding sound practices in relation to outsourcing by credit institutions and investment firms). This circular includes an exemption for the purchase of third-party services and products that support banks’ core activities, such as the purchase of information (e.g. Reuters, Bloomberg) and standardised services for the material execution of financial transactions (e.g. SWIFT, Euroclear, Banksys). A similar exemption was recognised by regulators outside Europe, for instance by the Monetary Authority of Singapore (MAS): “global financial messaging infrastructures which are subject to oversight by relevant regulators (e.g. SWIFT)” (MAS Guidelines on outsourcing, 27 July 2016).
Because of their specific position, the Guidelines on Outsourcing arrangements should confirm that critical service providers are not subject to the Guidelines, provided that they are already under adequate supervision or oversight by financial regulators.
We do have some concerns on the scope, which, as currently defined in the draft Guidelines, seems to expand considerably beyond what was previously defined as outsourcing. Since EBA specifically confirmed its intent to ensure alignment amongst existing EU rules and regulations, it might be useful to further clarify the scope and definitions used in the draft Guidelines so as to achieve greater alignment and avoid any potential confusion.
Activities undertaken by the institution itself
By definition, outsourcing implies the capability of an institution to perform an activity in-house, at least hypothetically. This is confirmed by the definition of outsourcing provided in the draft Guidelines (§ 11): “a service or an activity, or parts thereof that would otherwise be undertaken by the institution (…) itself”. This definition is in line with the Commission delegated regulation (EU) 2017/565 supplementing MiFID II, as confirmed in the EBA Guidelines (§ 17, Background section).
Also, § 23 of the draft Guidelines confirms that “The acquisition of services…that are not normally performed by the institutions or payment institutions are not considered outsourcing”.
However, later in the draft Guidelines, EBA considers that it is not relevant “whether or not the institution has performed that function in the past or would be able to perform it by itself” (§ 22).
For consistency with both the above EU Commission regulation and the definition used in the EBA Guidelines, it would be useful to remove that statement from § 22.
Critical or important functions
Directive 2014/65/EU (MiFID II) and the Commission delegated regulation (EU) 2017/565 only apply to “the outsourcing of critical or important functions”. We understand that EBA wants to include non-critical forms of outsourcing within the scope of its draft Guidelines. However, it does not clearly identify the requirements applicable to each of the two categories.
Given that several requirements are very far reaching (e.g. right of access; right of audit; reporting), we believe it would be overly complex to impose them on outsourcing of non-critical functions, especially when the third-party certifications and assurance reports could satisfactorily meet the objectives of the draft Guidelines.
Whilst the Guidelines establish two categories of functions (first, critical and important functions and, second, all other functions), they do not specify which requirements apply to critical and important functions and which do not. We would respectfully suggest that the final Guidelines clearly set out which requirements apply to which category of functions.
Acquisition of services
To clarify the use of standard communication services, it would be useful to complement the list of services set out in § 23 (which already includes ‘telephone lines’) to include email services, financial messaging services, etc.
Access rights and Audit rights
Based on our experience as a critical service provider to the financial industry, we are concerned that the proposal relating to the exercise of access and audit rights is overly broad and could give rise to significant security and legal challenges for financial institutions and their critical service providers. Complete access to all relevant business premises and unrestricted rights of inspection and auditing pose significant operational and security risks to critical service providers and their customers.
Critical service providers that are already subject to adequate financial supervision or oversight, typically provide their customers assurance via third-party audit reports, but are not in a position to grant individual access and audit rights to their customers or their customers’ regulators.
As drafted, the Guidelines seem to indicate that third-party certifications and reports are not sufficient (customers ‘should not rely solely on those’) and that institutions should retain the contractual right to perform individual audits at their discretion. Retaining such individual rights on a critical service provider that is already subject to a financial supervision or oversight mechanism and which provides third-party assurance reports risks defeating the purpose and the objectives of this model.
We would welcome the introduction of a clear and unambiguous provision that would allow for third-party certifications and reports to be provided to customers, in lieu of the individual access and audit rights, as set out in § 74, and a clarification that in such circumstances, third-party assurance reports can serve as an alternative to access and audit rights.
Under § 63, the draft Guidelines require that outsourcing agreements include information on the location of the data storage and data processing. For security reasons, many service providers do not disclose the exact location of their data centres. It would be helpful to clarify that the exact location is not required and that information on the region or country is sufficient.