Bundesverband der Zahlungsinstitute e.V.

Scope of the Guidelines
1.1 We agree with the general approach that there are general outsourcing principles which should apply to all financial institutions. This being said, the actual outsourcing and risk management requirements will depend on the individual financial institution and will differ between credit institutions and other financial institutions, in particular payment and e-money institutions.
1.2 At the same time, we do not think that achieving this goal actually requires that EBA issues guidelines which apply to credit institutions as well as payment- and e-money institutions. As EBA pointed out in the draft cost-benefit analysis / impact assessment, payment and e-money institutions are already subject to harmonized outsourcing rules under the Directive (EU) 2015/2366 (PSD2). In fact, payment services are in general already governed by rules such as the EBA Guidelines on IT-Security and Major Incident Reporting which already include common rules for the outsourcing of payment services. Moreover, these rules already contain specific requirements for contingency planning and risk management. Hence, any additional outsourcing requirements specified in the EBA Guidelines would have to take into account that payment and e-money institutions (and, in fact, credit institutions as far as payment services are concerned) are already subject to very detailed outsourcing provisions under PSD2.
1.3 Therefore, we are of the view that there is in fact no need to include payment and e-money institutions in the Outsourcing Guidelines because the outsourcing risk management measures are already governed by PSD2. Due to the scope of their license, payment and e-money institutions typically do not have outsourcing arrangements which are not already governed by the PSD2-framework. Hence, all relevant risks are already reflected in the PSD2-framework and it is not necessary to implement a more general outsourcing framework in addition to these rules.
Different Chapter for Different Types of Institutions
1.4 If EBA is nevertheless of the view that there is actually a need for a single document which governs credit institutions as well as payment and e-money institutions, we recommend that EBA at least divides the Outsourcing Guidelines into different chapters for the different types of institutions (e.g. credit institutions under CRDIV, payment institutions under PSD2, and e-money institutions under the Directive 2009/110/EC (EMD2)). A similar approach was taken for the mandatory information for licensing guidelines under PSD2 which includes different sections for different types of institutions. This approach ensures that the proportionality of the guidelines is better reflected as individual guidelines can be more specific with regard to different types of institutions.
1.5 This is particularly relevant as payment and e-money institutions are already subject to outsourcing requirements under PSD2 and the accompanying documents such as the EBA Guidelines on IT-Security and Major Incident Reporting. In order to ensure legal clarity, the EBA Guidelines should specify the exact requirements which in EBA's view have to be fulfilled in addition to the already existing PSD2-requirements. Otherwise, there is a risk that the framework between the PSD2 requirements and the general outsourcing requirements in the Outsourcing Guidelines may not be consistent. In any event, stating only the requirements which have to be applied in addition to the PSD2-requirements would make the implementation of the new outsourcing requirements more efficient as institutions and payment and e-money institutions would not have to individually prepare gap analyses.
1.6 Specifying the different requirements for different types of institutions is moreover important because the proportionality approach is often not properly applied in practice. We appreciate the flexibility of the proportionality approach. However, our experience shows that the proportionality approach is often overlooked in practice and a one size fits all" approach is applied. For instance, auditors which are primarily familiar with the requirements for credit institutions did not take into account the different requirements for payment institutions and e-money institutions. There are far less payment and e-money institutions than there are credit institutions.
1.7 In order to ensure that the proportionality approach is also applied in practice, the individual guidelines of the Outsourcing Guidelines should thus be separated into different chapters for different types of institutions.
Different Regulatory Framework for Payment and E-Money Institutions
1.8 In our view, a clear differentiation between credit institutions on the one hand and payment and e-money institutions on the other hand is also necessary to reflect the European legislators' decision to provide for a separate regulatory framework for payment and e-money institutions. Directive 2007/64/EC (PSD) and EMD2 were both passed by the EU to ensure that a coherent and innovative framework for payment services exists which is different from the existing framework for credit institutions. The stated goal of this harmonized framework for payment and e-money institutions was to establish a more proportionate regulatory framework for this type of financial institutions.
1.9 Recital 10 to PSD, specifically stated that the PSD-framework should be different from the existing framework for credit institutions.
"(10) However, in order to remove legal barriers to market entry, it is necessary to establish a single licence for all providers of payment services which are not connected to taking deposits or issuing electronic money. It is appropriate, therefore, to introduce a new category of payment service providers, ‘payment institutions’, by providing for the authorisation, subject to a set of strict and comprehensive conditions, of legal persons outside the existing categories to provide payment services throughout the Community. Thus, the same conditions would apply Community-wide to such services."
1.10 The same rationale was applied to EMD2. Recital 4 to EMD2 states:
"(4) With the objective of removing barriers to market entry and facilitating the taking up and pursuit of the business of electronic money issuance, the rules to which electronic money institutions are subject need to be reviewed so as to ensure a level playing field for all payment services providers."
1.11 In our view, that clearly shows that European legislators' provided for a regulatory framework for payment and e-money institutions which is materially different from the existing rules for credit institutions. It was the stated goal that the PSD-/PSD2- and EMD2-framework should be different from the framework for credit institutions to be more proportionate and to ensure that new, innovative market players can enter the payment market. In particular, payment and e-money institutions should not governed by the same rules as credit institutions as the overall risk associated with payment and e-money services is lower than the risk of deposit taking and credit granting as conducted by credit institutions.
1.12 The fact that "payments" in one of the key drivers of digitalization and the current fintech boom shows that this decision to introduce a specific regulatory framework for payment and e-money services was the right measure to increase innovation and competition on the European payments market.
1.13 Applying the rules for credit institutions also to payment and e-money institutions may lead to a situation where the benefits of a dedicated framework for payment and e-money institutions are lost in practice. This is particularly true if, as suggested in the Outsourcing Guidelines, rules for credit institutions are indirectly applied to payment and e-money institutions (e.g. as stated in no. 16 of the Outsourcing Guidelines with regard to EBA Guidelines on Internal Governance).
1.14 These rules were drafted with credit institutions and their specific risks and risk management requirements in mind which may not apply to payment and e-money institutions. If these rules were intended to apply to payment and e-money institutions in the first place, these rules would have been drafted in that way when they were first issued. This is particularly true for SREP under the Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP). SREP applies to the Directive 2013/36/EU (CRDIV) regulated entities but does not apply to payment and e-money institutions. Thus, the specific regulatory framework and the specific risk profile of dedicated payment service providers are not reflected in the SREP documentation. As a consequence, the SREP principles should not be applied to payment and e-money institutions in relation to outsourcing.
1.15 Finally, applying these additional guidelines on payment and e-money institutions will increase the overall implementation costs as payment and e-money institutions will have to familiarize themselves with these additional requirements which generally do not apply to them. This may also lead to additional implementation costs if measures required under these guidelines have to be implemented.
1.16 Therefore, we are of the view that a different set of rules for payment and e-money institutions is necessary to reflect the rationale of the PSD/PSD2- and EMD2-framework and ensure that the differentiation between CRDIV and PSD/PSD2 and EMD2 on a directive-level is also coherently applied in guidelines and regulatory practice.
Focus on PSD2-Requirements
1.17 In addition, we believe that strengthening the proportionality approach is also important on a more general regulatory policy level. We believe that a risk-based approach is the key to effective risk management and, in fact, regulatory supervision. Risk-based means that financial institutions and regulators have to identify and assess risks in order to be able to apply different risk-appropriate mitigating measures. Understanding and managing risks is an on-going process which requires considerable investment to be effective. The learning curve will usually justify these costs as institutions can apply better, more innovative and more cost-efficient risk management measures. However, if there is one-size-fits-all approach, institutions do not have the flexibility to benefit from understanding risks by applying risk-appropriate measures. As a consequence, financial institutions would be generally discentivized to invest in understanding risk which in turns weakens the overall efficiency of risk management across the industry.
1.18 The same outcome would result from a situation where the guidelines provide for the needed flexibility but a "one-size fits all" approach is nevertheless applied in practice.
1.19 Therefore, we recommend that the Outsourcing Guidelines should highlight the proportionality principle and should differentiate between the requirements for different types of institutions. In our view, this would be best achieved if the Outsourcing Guidelines contained different chapters for the different types of financial institutions.
Definition of Payment Institution and E-Money Institution
1.20 As concerns the definition section of the Outsourcing Guidelines, we are of the view that the definition should also include a definition of "credit institution", a definition of "payment institution" and a definition of "e-money institution".
1.21 In addition, we recommend that the EBA Outsourcing Guidelines differentiate between payment and e-money institutions as they are governed by different European Directives. Differentiating makes applying the Guidelines easier as readers do not have to refer to no. 8 of the Outsourcing Guidelines to understand the term "payment institutions" within the meaning of the guidelines which means payment and e-money institutions. In fact, this may even lead to misinterpretation of the Guidelines because persons applying and interpreting the Guidelines may not always refer to no. 8 of the Outsourcing Guidelines for the payment institutions definition because the term "payment institution" generally only refers to PSD2 and not to EMD2 regulated entities.
Definition of "Critical or important function"
1.22 Furthermore, we are of the view that the definition of "critical and important function" in no. 11 of the Draft Outsourcing Guidelines does not reflect the definitions in PSD2.
1.23 Article 19 (6) PSD2 includes a definition of "important (outsourced) function":
"For the purposes of the second subparagraph, an operational function shall be regarded as important if a defect or failure in its performance would materially impair the continuing compliance of a payment institution with the requirements of its authorisation requested pursuant to this Title, its other obligations under this Directive, its financial performance, or the soundness or the continuity of its payment services. Member States shall ensure that when payment institutions outsource important operational functions, the payment institutions meet the following conditions:
[…]"
1.24 In order to ensure coherence between PSD2 and the Outsourcing Guidelines, at least for payment and e-money institutions, the Outsourcing Guidelines should refer to the existing PSD2 definition of important function rather than define a separate category of "critical or important function".
Implementation and Transitional Period
1.25 According to the Draft Outsourcing Guidelines, the Outsourcing Guidelines should apply from 30 June 2018 to new outsourcing arrangements (cf. no. 12). Existing arrangements should be updated in accordance with the general review procedures of the institution but no later than 31 December 2020.
1.26 We appreciate that EBA provides for a transitional period for the implementation of the new outsourcing requirements. However, we are of the view that 31 December 2020 may be too early to have reached full compliance for all outsourcing arrangements.
1.27 The term of outsourcing agreements is often longer than two years. Amending these agreements will usually require the consent of both parties pursuant to the applicable contract law (e.g. under German contract law). Hence, negotiations under contract law between the parties will be necessary and outsourcing providers will be under no contractual obligation to agree to the amendments suggested by the financial institution. In any event, negotiating and amending the existing outsourcing agreements will take considerable time because (i) changes have to be negotiated with every outsourcing provider and (ii) changes may be material for some outsourcing arrangements, in particular non-material arrangements which were not subject to specific outsourcing rules when concluded. Past experience with the implementation of the PSD2-requirements for IT-security and the implementation of Regulation (EU) 2016/679 (GDPR) shows that the time and effort which has to be invested for regulatory implementation projects is considerable and easily underestimated. Therefore, we recommend extending the transitional period by requiring reasonable efforts for existing outsourcing arrangements instead of applying a strict deadline.
1.28 Implementing new outsourcing standards for existing arrangements will be particularly challenging for smaller financial institutions such as payment and e-money institutions, which do not have the resources to manage multiple regulatory implementation projects in parallel. Therefore, we are of the view that the transitional period should not state a definite deadline for full implementation of the new requirements but should instead refer to "appropriate efforts" to implement the new requirements for existing agreements. We are of the view that only an appropriate phase-in defined on an institutional level reflects the proportionality principle in regulatory law. Any definite deadline would disadvantage smaller financial institutions which do not have the resources to manage multiple major regulatory implementation projects in parallel.
1.29 This being said, we are also of the view that a longer implementation and phase-in period would be actually more efficient from an overall regulatory perspective. PSD2 has introduced a number of new requirements such as Strong Customer Authentication, common and secure communication for account information and payment initiation services, IT-security and operational risk management, and overall IT-governance. Although these requirements already entered into force, with the exception of the Delegated Regulation (EU) 2018/389 on Strong Customer Authentication and Common and Secure Communication Standards which will enter into force in September 2019, these new requirements still require resources as financial institutions and regulators are in the process of developing, improving, and evaluating measures, policies, and approaches. Requiring that financial institutions conduct the next major regulatory implementation project for outsourcing may lead to a situation where financial institutions can allocate fewer resources to the improvement and review of the IT-security and other PSD2-projects. This is particularly true as both outsourcing and PSD2 would concern IT-security aspects. Therefore, it may be more efficient to grant financial institutions, in particular payment and e-money institutions, more time to implement the Outsourcing Guidelines to ensure that financial institutions and regulators can focus on the implementation of PSD2 to develop best practice standards and improve IT-security for payments."
2.1 As concerns the Guidelines on proportionality and group-wide application in Title I, we share EBA's view that the importance of the proportionality principle should be prominently stated in the Outsourcing Guidelines.
2.2 However, we are of the view that the principle of proportionality is often not properly applied in practice as there is a tendency to implement the requirements on a check box" basis rather than an actual proportionality approach. From our experience, this leads to a situation where smaller institutions, in particular payment and e-money institutions, are required to fulfill standards for credit institutions which are not proportionate but are nevertheless expected, e.g. by auditors. One of the achievements of the PSD and EMD2-framework is that PSD and EMD2 have led to a specific framework for payment and e-money institutions. It was the stated goal of PSD and EMD2 to provide for a distinct framework for payment and e-money institutions and to not apply the same standards as for credit institutions. By separating the regulatory rules on a Directive level, it was ensured that the proportionality principle can actually be applied in practice.
2.3 This being said, we are of view that no reference to the EBA Guidelines on Internal Governance should be made for payment and e-money institutions as currently suggested in no. 16 of the Draft Outsourcing Guidelines. Payment and e-money institutions have not been within the scope of application for those Guidelines. Institutions in that guideline are defined as credit institutions and investment firms as described in Article 4 (1) no. 1 and no. 2, respectively, of Regulation (EU) 575/2013. Payment institutions and e-money institutions are subject to a different regulatory framework that was specifically introduced to the services provided by these institutes. In our view, it is not coherent to apply the EBA guidelines for those institutes to payment and e-money institutions. This is particularly true as this would lead to additional costs for payment and e-money institutions which would have to implement these guidelines, at least in part, although they are not within the scope of these guidelines. Therefore, we recommend deleting the reference to the EBA Guidelines on Internal Governance in no 16.
2.4 Instead, we recommend strengthening the proportionality principles by
(a) Following a more principle-based approach and
(b) Using different chapters for different types of financial institutions.
2.5 We understand that the Outsourcing Guidelines were drafted to be relatively specific. However, we are of the view that the stated requirements are sometimes too specific to be in line with the principle of proportionality. Therefore, there is a risk that the requirements are in fact not proportionate for smaller institutions. Please refer to our responses to Q3 and Q4 concerning the specific outsourcing requirements.
2.6 Instead of specifying individual requirements, we recommend focusing on a principle-based approach. A principle-based approach ensures that there is room to actually apply the principle of proportionality in practice. By stating general principles and goals rather than specifying individual requirements, the Outsourcing Guidelines would help to reflect the individual risk profile of a credit, payment, and e-money institution.
2.7 Furthermore, we recommend amending Title I to also reflect the proportionality principle in relation to the group-wide application of outsourcing arrangements. Firstly, in the light of proportionality, we recommend clarifying that the group-wide approach does not apply to payment and e-money institutions in the first place as they are not governed by CRDIV. Article 74 (2) CRDIV does not apply to payment and e-money institutions. PSD2 does not include a similar requirement for payment and e-money institutions.
2.8 Secondly, we suggest that the Draft Guidelines should specifically set-out that a payment or e-money institution which is part of a group is considered to be compliant with the overall outsourcing requirements if the payment or e-money institution complies with the PSD2 requirements. Under PSD2, all payment service providers have to comply with high operational and IT-security risk standards. This also covers outsourcing. This specific framework ensures risk-appropriate outsourcing arrangements.
2.9 Additionally, we recommend clarifying that only regulated entities should be subject to the group wide outsourcing standards. No. 18 of the Draft Guidelines currently refers to "subsidiaries" in general. This could be misinterpreted to mean that all subsidiaries, irrespective of their regulatory status, have to be included in the outsourcing policy. In this context, it should also be clarified that PSD2-regulated entities are considered to be compliant with the outsourcing standards if they meet the PSD2-standards on an individual basis."
3.1 We share EBA's view that the assessment whether or not third-party supply is outsourcing should be made on an institutional level. We do not think that it would be practicably feasible to define a general list of arrangements which will be considered to be outsourcing.
3.2 This being said, we think that it is helpful that no. 23 of the Draft Outsourcing Guidelines lists a number of cases which, typically, will not be considered to be outsourcing arrangements. However, we recommend clarifying that also licenses by payment schemes or indirect access to payment systems, payment and escrow accounts as well as insurance and guarantees (e.g. under PSD2-safeguarding rules) etc. which a payment or e-money institution may require to be able to operate the business in the first place are not outsourcing. We understand that these services are not outsourcing because they do not concern activities which are otherwise undertaken by the institution.
3.3 We would like to point out that, as already discussed in our response to Q1, the definition of outsourcing should clarify that the outsourcing rules only apply to the regulated activities of credit, payment and e-money institutions. In addition, the definition of critical or importance function" in no. 11 of the Draft Outsourcing Guidelines should be replaced by a reference to Article 19 (6) PSD2 which already defines "important function".
3.4 Furthermore, we recommend deleting no. 24 of the Draft Outsourcing Guidelines. The assessment of risks, in particular operational risks for all arrangements with third parties, is a general question of risk assessment. There are specific rules for operational and IT-security risk under PSD2. Hence, no. 24 should be redrafted to refer to the general risk management requirements. In our view, including specific requirements for other arrangements than outsourcing may not be coherent with the overall PSD2 requirements for payment and e-money institutions. By merely referring to applicable general risk management requirements instead, the Outsourcing Guidelines could ensure that it has been clarified that other third-party supply arrangements have to comply with the general standards of risk management and compliance. At the same time, there would be no risk that reference to specific requirements could lead to incoherence with other sets of rules such as general PSD2-requirements or GDPR.
3.5 It would be advisable to allow exceptions of the requirements in relation to outsourcing within the group due to a lower risk level.
3.6 Finally, we appreciate that EBA has included specific rules for third-country service providers which we understand to also reflect the potential impact of the UK leaving the EU. However, we think that less specific rules would give more flexibility to institutions. For instance, access and audit rights in contracts can ensure proper supervision even if there is no cooperation agreement between regulatory authorities. As the outcome of the Brexit negotiations is yet unclear, additional flexibility would increase the degree of legal certainty for institutions."
4.1 As a general remark, we recommend referring to Article 19 (6) PSD2 rather than to redefine the requirements stated in PSD2. For payment and e-money institutions Article 19 (6) PSD2 already contains a list of general outsourcing requirements. In order to ensure coherence for payment and e-money institutions, we recommend replacing no. 27 – 29 of the Draft Outsourcing Guidelines and referring to the specific requirements stated in Article 19 (6) PSD2.
4.2 Concerning the specific guidelines on the governance requirements, we are of the view that the requirement to have a designated outsourcing function as stated in no. 30 lit. c should not apply to payment and e-money institutions given the principle of proportionality. Many payment and e-money institutions are relatively small. In many cases, there will be no need to have a designated outsourcing function as the management of the institution is capable of managing the outsourced activities without a designated function.
4.3 We also recommend deleting no. 32 lit. d of the Draft Outsourcing Guidelines for payment and e-money institutions in the light of proportionality. Under PSD2, payment and e-money institutions are not required in all cases to have internal control functions separate from the management of the institution. In fact, some smaller institutions can be effectively managed without a dedicated internal audit function.
4.4 In addition, we are of the view that the requirement stated in no. 32 lit. g of the Draft Outsourcing Guidelines should not apply to payment and e-money institutions in accordance with the principle of proportionality. For smaller institutions it will not be economically feasible to ensure transfer or reintegration of critical and important functions in every instance. A hard requirement to ensure transfer or reintegration on a going concern basis would disadvantage smaller institutions which can only operate economically by outsourcing functions. For instance, if there are few competing service providers, it may not be possible to transfer an outsourced activity to another service provider. This is particularly true where functions are outsourced within a group because the business organization of an institution may be fully aligned with the group strategy and may be focused on leverage on group capabilities. In this scenario, it will hardly be possible to transfer or reintegrate a function under going concern conditions.
4.5 Finally, we recommend deleting no. 32 lit. h of the Draft Outsourcing Guidelines as handling of sensitive data is already governed by PSD2 and GDPR. Therefore, there is no need to restate these requirements for payment and e-money institutions. In fact, we think that there may be a risk that coherence is not ensured.
5.1 As regards conflicts of interest, we recommend replacing the requirement that agreements should be made at arm's length" with "appropriate" or "reasonable". Arm's length is not a legally defined term under the PSD2 regulatory framework. On the other hand, "appropriate" is a well-established term used in European regulatory law in accordance with the principle of proportionality.
5.2 Furthermore, we are of the view that PSD2, in particular the EBA Guidelines on IT-Security, already provides for business continuity rules. For this reason, there is no need to restate business continuity plan requirements for payment and e-money institutions. In fact, we think that deleting the business continuity rules for payment and e-money institutions would help to ensure coherence of the regulatory framework for payment and e-money institutions.
5.3 Concerning the internal audit function requirement, we recommend clarifying that there is no requirement to have an internal audit function as a payment or e-money institution as PSD2 does not stipulate a requirement to establish an internal audit function. Therefore, there should be no requirement to establish an internal audit function in the Guidelines as well to ensure coherence with PSD2 and adhere to the principle of proportionality."
6.1 As concerns the documentation requirements, we recommend less specific requirements. Instead, the Outsourcing Guidelines should state a requirement to document outsourcing arrangements in accordance with applicable law, e.g. PSD2.
6.2 From our experience, smaller institutions can effectively manage outsourcing activities without complying with dedicated documentation requirements as the size and complexity of operations and outsourced functions allow the management of the institution to effectively manage the arrangements without relying on a contract management system.
7.1 As already discussed in our response to Q1, we are of the view that the Outsourcing Guidelines should take into account that Article 19 (6) PSD2 defines important functions. In order to ensure consistence between PSD2 and the Outsourcing Guidelines, we recommend that the Outsourcing Guidelines do not state additional requirements for payment and e-money institutions. Instead, the Guidelines should refer to the definition in PSD2. Hence, we recommend deleting the list of criteria in no. 49, 50, and 51 and referring to the definition in PSD2 instead.
7.2 In particular, we recommend deleting no. 51 lit. b (i) of the Draft Outsourcing Guidelines which states that the assessment of the criticality and importance should take into account the short and long-term financial resilience and viability, including, if applicable, the institutions' assets, capital, costs, funding, liquidity, profits and losses. Deleting this requirement for payment and e-money institutions would ensure proportionality of the Outsourcing Guidelines. Payment and e-money institutions are subject to different minimum capital requirements and are not subject to the SREP-framework for CRDIV credit institutions. Therefore, no. 51 lit. b (i) of the Draft Outsourcing Guidelines should not apply to payment and e-money institutions. This outcome would be in line with the European legislators' decision to implement an own framework for payment and e-money institutions. In any event, it should be clarified that payment and e-money institutions are not subject to financial stress testing in relation to critical or important outsourcing arrangements.
8.1 We are of the view that GDPR requirements concerning data protection should not be restated in the Outsourcing Guidelines because protection of personal data is already covered by the European data protection framework. Hence, restating these requirements may lead to inconsistencies between the different frameworks. In any event, institutions would have to prepare a gap analysis between the Outsourcing Guidelines and any other data protection rules, in particular, but not limited to, GDPR.
8.2 As concerns no. 56 of the Draft Outsourcing Guidelines, we are of the view that the requirement concerning corporate social responsibility is too vague and should, therefore, be deleted. Obviously, financial institutions will have to manage their corporate social responsibility in order to avoid undue reputational risk. However, there is no general legal or regulatory requirement for companies in general or financial institutions to adhere to specific corporate social responsibility standards in Germany because there is no general corporate responsibility requirement in the German Stock Companies Act (Aktiengesetz) or Limited Liability Companies Act (GmbH-Gesetz). Furthermore, we understand that introducing such requirements would lead to a number of legal questions which, at least for Germany, are so far unsolved. It is our understanding that the Directive 2014/95/EU (Corporate Responsibility Directive), therefore, introduced non-financial reporting for corporate responsibility matters but did not provide for an obligation to implement corporate responsibility measures (e.g. liability of managing directors). Furthermore, the Corporate Responsibility Directive only applies to certain large companies (i.e. more than 500 employees). Hence, we are of the view that the Outsourcing Guidelines should not introduce indirect corporate social responsibility standards as there is no underlying legal framework.
8.3 In our view, this is also important from a proportionality perspective, as smaller institutions, in particular payment and e-money institutions, often will not have the resources to implement dedicated corporate social responsibility policies and to review and audit them.
9.1 We share EBA's view that the risk assessment is critical for the management of outsourcing as the risk assessment is the key to risk-based management of outsourcing arrangements. However, we do not think that scenario-based risk assessments are necessary for all outsourcing arrangements and for all institutions, in particular payment and e-money institutions. Under PSD2 and the EBA Guidelines on IT-Security, payment and e-money institutions are already under an obligation to use scenario-based contingency plans but there is no requirement to generally apply a scenario-based approach to risk-management. This being said, we are also of the view that adequate risk management is also possible without being scenario-based. This is particularly true if non-critical functions are outsourced. Hence, we recommend that the requirement to apply a scenario-based risk analysis for all outsourcing arrangements does not apply to payment and e-money institutions.
9.2 Moreover, we recommend apply a principle-based approach rather than defining specific requirements for the assessment in order to ensure an application of the Outsourcing Guidelines which is in line with the principle of proportionality.
9.3 Furthermore, the risk assessment should additionally include considerations on the wider political stability and security situation of the jurisdiction in question, including the law enforcement provisions according to no. 61 lit. d of the Draft Guidelines. We understand that this requirement was included, at least in part, to address recent developments such as the US CLOUD Act. We appreciate that EBA highlights these developments in the Draft Outsourcing Guidelines. However, we believe that these developments primarily concern data protection and are subject to supervision by the competent data protection authorities. In order to avoid any inconstancy between the application of the data protection rules by data protection authorities and the requirements in the Outsourcing Guidelines. We are of the view that there is no requirement that data protection aspects are regulated by the EBA Outsourcing Guidelines as all institutions will be subject to data protection law and will, thus, have to comply with the applicable general data protection provisions.
9.4 We recommend replacing no. 61 lit. e of the Draft Guidelines in relation to payment and e-money institutions with a reference to the IT-Security Guidelines as IT-security aspects are already governed by PSD2 and the IT-Security Guidelines.
10.1 As a general remark, we are of the view that the guidelines on the contractual phase should be less specific and more principle based to better reflect regulatory proportionality and comply with applicable national contract law.
10.2 This being said, we do not think that it is necessary to state specific requirements for all outsourcing agreement in no. 63 of the Draft Outsourcing Guidelines, including non-material outsourcing. Instead, the Outsourcing Guidelines could state requirements for material outsourcing but or should not do so for non-material outsourcing. For non-material outsourcing, the Outsourcing Guidelines should refer to the general requirement for governance and risk management arrangements which also apply to non-material outsourcing under CRDIV and PSD2. This approach would be more in line with the approach which some national competent authorities have taken in the past (e.g. the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht) in Germany in the Minimum Requirements for Risk Management (MaRisk) AT 9).
10.3 As concerns material outsourcing, we recommend a principle-based approach instead of specifying the content of individual clauses.
10.4 A principle-based approach in the Outsourcing Guidelines should be focused on the aspects required for management and supervision of the outsourced material function. In our view, the following topics should be covered for payment and e-money institutions:
(a) Description of specific services and, where relevant, performance indicators and other factors which help to quantify the service.
(b) Reasonable termination rights
(c) Reasonable migration provisions
(d) Compliance with PSD2-requirements (in particular IT-security)
(e) Control, access, information, and audit rights
(f) Requirement that sub-outsourcing is subject to the same rules as the main outsourcing contract.
10.5 In our view, a principle-based approach would better reflect the principle of proportionality. Furthermore, a principle-based approach is better suited to reflect requirements under the governing law of the outsourcing agreement (e.g. contract law, or insolvency law).
10.6 In any event, we recommend that the Outsourcing Guidelines contain no specific requirements in relation to insolvency law (cf. no. 64 lit. h and i of the Draft Guidelines). We understand that this is in fact a critical aspect of any outsourcing arrangement. However, we do not think that the Outsourcing Guidelines can provide sufficient legal clarity given the implications of national insolvency law. For instance, Section 119 of the German Insolvency Act (Insolvenzordnung) states that no agreement can be concluded which modifies the statutory consequences of an insolvency event. Although insolvency risk and the consequences of an insolvency event (e.g. pledges) may be mitigated by contractual measures, no deviation from statutory insolvency law will be possible. It is our understanding that there are still a number of open legal questions in relation to data and insolvency law, in particular, in relation to outsourcing agreements and digitalization projects. This being said, the Outsourcing Guidelines should only include a requirement to reasonably address the insolvency risk but should not require financial institutions to have specific clauses in place.
10.7 In fact, such requirement could lead to a false sense of security in the market. As the decision of the German Federal Court of Justice (Bundesgerichtshof; BGH) dated 09 June 2016 – IX ZR 314/14 – on netting clauses and insolvency law showed that parties cannot rely on regulatory law provisions in an insolvency law event. In this decision BGH ruled that netting clauses for derivatives, although highly desirable from a regulatory and risk management perspective, did not comply with German insolvency rules and were, thus, void. In order to reflect the general insolvency law requirements, we recommend that no specific insolvency law clauses are required by the Outsourcing Guidelines.
10.8 No. 76 of the Draft Outsourcing Guidelines refers to the EBA Guidelines on ICT Risk Assessment under SREP and requires security penetration testing. Payment and e-money institutions are not subject to the CRDIV-framework for SREP. Under PSD2, there is a comprehensive IT-security framework which payment and e-money institutions have to comply with. In particular, the EBA Guidelines on IT Security state that penetration testing is only required to the extent this is risk-adequate (cf. no. 7.4 of the EBA Guidelines on IT-Security). It is our view, that the requirements under the Outsourcing Guidelines should not exceed the requirements under PSD2 and the IT-Security Guidelines in order to ensure proportionality of the Outsourcing Guidelines.
10.9 As concerns no. 78 of the Draft Outsourcing Guidelines, we recommend that it is clarified that the obligation to fully cooperate with competent authorities only applies to the extent that the request made by the competent authority is lawful. The current wording does not include a reference to the lawfulness of the request. However, we think that such requirement should be included in the wording to reflect the general rule of law principle in European and national law.
10.10 Finally, we recommend that no. 81 of the Draft Guidelines is amended to state that financial institutions should include reasonable termination rights in their termination agreements but should not specify termination events.
10.11 We do not think that the clauses suggested in the Draft Outsourcing Guidelines can be implemented with the necessary degree of legal certainty. In Germany, terms and conditions, including in a B2B-context, have to meet relatively high fairness standards under German terms and conditions law. For instance, German courts generally require that in case of a breach of contract a termination for cause without a period of notice (außerordentliche Kündigung) is only possible after a reminder has been sent to the debtor and a reasonable period to rectify the breach of contract has lapsed without remedy; unless the individual circumstances of the breach of contract show that – taking into account the interests of both parties – immediate termination is appropriate. The termination right in no. 81 lit. a of the Outsourcing Guidelines would be very likely considered to be unenforceable by German courts.
10.12 Furthermore, there are very high transparency standards in German terms and conditions law and a very strict contra proferentem rule (cf. Section 305c (2) of the German Civil Code). As a consequence, there would be a very high risk that a clause such as required in no. 81 lit. d of the Draft Outsourcing Guidelines would be considered to be unenforceable by German courts as the termination could be triggered by any weakness of IT-security, including non-material weakness which can be easily remedied.
10.13 We understand that the current wording of no. 81 of the Draft Guidelines already reflects the fact that termination rights will be subject to the applicable national law and that the requirement to include the termination events is only in accordance with national law". Yet, we believe that there is nevertheless the risk of "false security" in relation to these termination events if institutions implement the clauses 1:1. In addition, institutions which do not implement the clauses would have to explain (e.g. to auditors, investors, etc.) why they did not implement the clauses even though it is relatively clear from a German law perspective that these clauses would not conform to German terms and condition standards. This is particularly relevant in case of group-wide standards where different national legal frameworks may have to be reflected.
10.14 Therefore, in our view, no. 81 of the Outsourcing Guidelines should require "appropriate termination rights" but should not specify individual clauses or termination events."
We recommend applying a principle-based approach instead of stating specific requirements for the exit strategy. In our view, this would better reflect the proportionality principle.
13.1 Payment and e-money institutions are already subject to regulatory reporting requirements for outsourcing. Pursuant to Article 19 (6) and (8) and Article 28 (1) and (4) PSD2, payment and e-money institutions are already under an obligation to notify their outsourcing arrangements to their competent home state regulator. Not only establishing new outsourcing arrangements but also changing existing outsourcing arrangement has to be notified to a regulator. Therefore, regulators are always completely informed about the status of the outsourced functions.
13.2 Therefore, we are of the view that no additional reporting obligations should be introduced from payment and e-money institutions. This is also important to ensure proportionality of the Outsourcing Guidelines as payment and e-money institutions are not subject to SREP for credit institutions under CRDIV.
15.1 Please see our response to Q13. We are of the view that no new reporting obligations should be introduced as payment and e-money institutions are already required to report their outsourcing arrangements to their regulators under PSD2.
15.2 This being said, we do not think that the Annex I reflects the proportionality principle and the PSD2 rules applicable to payment and e-money institutions. We understand that the list of activities in the Annex I is based on EBA Guidelines on ICT Risk Assessment under SREP which, however, do not apply to payment and e-money institutions.
15.3 In our view, the Annex I is also too detailed for payment and e-money institutions as payment and e-money institutions already make outsourcing notifications to their regulators. This being said, we think that there may be the risk that the collected data may lead to a situation where regulators receive too much information and do not actually have the resources to review the information. We, therefore, recommend deleting the requirement.
Scope of application
16.1 As discussed in our response to Q1, including payment and e-money institutions in the scope of the Outsourcing Guidelines is not necessary in our view as they are already fully governed under PSD2, in particular with regard to the IT-security framework. The European legislators' decision to apply a different framework to payment and e-money institutions should also be reflected in the Outsourcing Guidelines.
16.2 Therefore, the Outsourcing Guidelines should not apply to payment and e-money institutions.
16.3 This being said, if the decision is made to apply the Outsourcing Guidelines to payment and e-money institutions, the Outsourcing Guidelines should also apply to account information service providers which are only registered for this service. Under PSD2, these account information service providers have to provide information about their business organization, including their outsourcing arrangements when applying for a registration under PSD2. In addition, they are subject to the same IT-security requirements as other payment and e-money institutions. As a consequence, account information service providers should also be subject to the Outsourcing Guidelines to create a level playing field. Concerns regarding the proportionality can be addressed by strengthening the proportionality principle.
Transitional Period
16.4 In our response to Q1, we also discussed that the transitional period should be more flexible and, in any event, longer to ensure that payment and e-money institutions can implement the new outsourcing requirements. Existing outsourcing contracts cannot be unilaterally changed. The implementation of GDPR has shown that changing existing arrangements will take considerable time and effort. The transitional period should also take into account that payment and e-money institutions are still in the process of implementing PSD2, in particular the requirements for strong customer authentication and third party access to payment accounts. Hence, the transitional period should be longer.
Definition of Outsourcing
16.5 For payment and e-money institution, the Outsourcing Guidelines should be aligned with the outsourcing requirements in PSD2. In particular, the definition of outsourcing of important functions in Article 19 (6) PSD2 should be reflected. No additional definitions should be stated to ensure consistency with PSD2.
Specifying Individual Requirements
16.6 In our view, the Outsourcing Guidelines should not specify individual requirements but should be principle-based. A principle-based approach would ensure that the principle of proportionality can be reflected and applied in practice.
16.7 Furthermore, references to the EBA Guidelines on internal governance should be deleted as they do not apply to payment and e-money institutions which are subject to PSD2 rules. This being said, the proportionality approach would be also helpful to address the differentiation between CRDIV and PSD2 as financial institutions could apply the respective rules applicable to them.
Documentation Requirements and Submission of Documentation
16.8 Documentation requirements should be principle-based to ensure proportionality.
16.9 Furthermore, payment and e-money institutions are already subject to notification obligations under PSD2. Hence, no additional reporting obligations should be introduced for payment and e-money institutions (cf. our response to Q13 and Q15).
Guidelines on Risk Assessment
16.10 As EBA also states in Option B, Article 19 (6) PSD2 already provides for a definition of important outsourced functions. In order to ensure consistency, this definition should be applied to payment and e-money institutions and no additional defining criteria should be made. This is important for proportionality as payment and e-money institutions are typically smaller than credit institutions and have, thus, fewer resources to amend the existing policies.
Outsourcing of Regulated Services
16.11 Concerning the requirements for the outsourcing of regulated activities, we would like to point out that a principle- or outcome-based approach would have the advantage to be more flexible and to better reflect the outcome of the current Brexit negotiations.
Minimum Requirements for Outsourcing Contracts
16.12 As discussed in our response to Q10, we are of the view that the Outsourcing Guidelines should not specify individual clauses because the clauses would have to take into account the individual applicable law. Given the high standards for fairness for terms and conditions, we do not think that general guidelines can be effectively implemented by payment and e-money institutions in Germany. Hence, we believe that there is a high risk that specifying individual clauses may lead to greater legal uncertainty as institutions would have to balance the requirements of the Outsourcing Guidelines and the applicable law.
16.13 Therefore, it would be more efficient if the Outsourcing Guidelines stated results and principles but left the actual implementation to the contractual freedom of the parties.
Dr. Richard Reimer
B