Consultation on draft Guidelines on outsourcing
- Consultation
- 24 SEPTEMBER 2018
- EBA/CP/2018/11
The European Banking Authority (EBA) launched today a public consultation on its draft Guidelines on outsourcing. These Guidelines, which review the existing CEBS Guidelines on outsourcing published in 2006, aim at establishing a more harmonised framework for outsourcing arrangements of all financial institutions in the scope of the EBA’s action. The draft Guidelines provide a clear definition of outsourcing and specify the criteria to assess whether or not an outsourced activity, service, process or function (or part of it) is critical or important. In particular, the revised Guidelines cover credit institutions and investment firms subject to the Capital Requirements Directive (CRD), but also payment institutions subject to the revised Payment Services Directive (PSD2) and electronic money institutions subject to the e-money Directive. The consultation runs until 24 September 2018.
Over the recent years, there has been an increasing tendency by institutions to outsource activities in order to reduce costs and improve flexibility and efficiency. In the context of digitalisation and increasing importance of information technology (IT) and financial technologies (FinTech), financial institutions are adapting their business models, processes and systems to embrace such technologies. Outsourcing to cloud service providers gained rapidly importance in many industries. Overall, IT has become one of the most prevalent outsourced activities. Outsourcing is also relevant in the context of gaining or maintaining access to the EU financial market. In particular, third country institutions may set up subsidiaries or branches in the EU in order to get or maintain access to EU financial markets and infrastructures, while the parent institution would provide a material part of the business activities.
The revised Guidelines deal with the responsibilities of the management body for the establishment of an appropriate framework for outsourcing, its implementation and application in a group, the due diligence process and risk assessment before entering in such arrangements. The Guidelines also clarify aspects related to the contractual arrangements, the monitoring and documentation of outsourcing arrangements as well as the supervision by competent authorities.
Against this background, the Guidelines specify that the responsibility of the institution’s management body can never be outsourced. Outsourcing must not lead to a situation where an institution becomes a so-called ‘empty shell’ that lacks the substance to remain authorised. Institutions must remain able to oversee all risks and to manage outsourcing arrangements. Institutions should be able to effectively control, challenge the quality and performance of outsourced processes, services and activities, and carry out their own risk assessment and ongoing monitoring.
The Guidelines set up a framework for the due diligence process of institutions with the objective of ensuring that functions are only outsourced to reliable service providers so that the ongoing provision of services and compliance with regulatory requirements is ensured. Institutions must ensure audit and access rights in written outsourcing agreements both for themselves and for competent authorities and are required to maintain a register of all outsourcing arrangements.
Consultation process
Comments to this consultation can be sent to the EBA by clicking on the "send your comments" button on the consultation page. Please note that the deadline for the submission of comments is 24 September 2018.
A public hearing will take place at the EBA premises on 4 September 2018 from 10:00 to 12:00 UK time. All contributions received will be published following the end of the consultation, unless requested otherwise.
Legal basis and next steps
These draft Guidelines have been developed according to Article 74 of Directive 2013/36/EU, which mandates the EBA to further harmonise institutions’ governance arrangements, processes and mechanisms across the EU, Directive 2015/2366/EU, Directive 2009/110/EC and Article 16 of Regulation (EU) No 1093/2010. The Recommendations on outsourcing to cloud service providers have been fully integrated in the EBA draft Guidelines on outsourcing and will be repealed when the Guidelines enter into force.
The EBA Guidelines will apply to competent authorities across the EU, as well as to institutions on a solo and consolidated basis, payment institutions and electronic money institutions.
Responses
The form is now closed.
Received responses to the EBA
- 1. BVI
- 2. European Banking Federation
- 3. Deutsche Börse Group
- 4. Temenos
- 5. The Royal Bank of Scotland
- 6. Euroclear S.A.
- 7. Deutsche Bank
- 8. EPSM - European Association of Payment Service Providers for Merchants
- 9. ESBG
- 10. European Confederation of Institutes of Internal Auditing (ECIIA)
- 11. City of London Law Society Regulatory Committee
- 12. Assogestioni
- 13. Annunziata & Conso
- 14. Standard Chartered Bank
- 15. National Bank of Romania - Regulation and Licensing Department
- 16. Bitkom
- 17. Interessengemeinschaft Kreditkarten (The IK is a competition neutral platform without legal capacity for entities, which act in the credit and debit card business in Germany (Issuer, Acquirer, Network Service Providers, Processing Entities, Licensors), registered in the EU-Transparency Register under Ident-no. 209142612442-39)
- 18. Nordic Financial Unions (NFU)
- 19. German Banking Industry Committee (GBIC)
- 20. CISPE aisbl
- 21. Opus
- 22. Združenje bank Slovenije
- 23. Modular FX Services Ltd
- 24. everis
- 25. European Financial Congress
- 26. ABBL, the Luxembourg Bankers' Association
- 27. European Fund and Asset Management Association (EFAMA)
- 28. AIMA
- 29. Risk Reward Limited
- 30. Centre des professions financières
- 31. State Street Corporation
- 32. Association for FInancial Markets in Europe
- 33. techUK
- 34. BBVA
- 35. Microsoft
- 36. Pinsent Masons
- 37. Asociación Española de Banca (AEB)
- 38. European Association of Co-operative Banks (EACB)
- 39. Banca Monte dei Paschi di Siena
- 40. Amundi
- 41. London Stock Exchange Group
- 42. EY
- 43. Austrian Economic Chamber, Division Bank and Insurance
- 44. European Payment Institutions Federation
- 45. Association of Foreign Banks in Germany (Verband der Auslandsbanken in Deutschland)
- 46. Eurofinas
- 47. SWIFT
- 48. Bundesverband der Zahlungsinstitute e.V.
- 49. Bank of New York Mellon
Documents
Annex (Register template for Gls on outsourcing)
(51.89 KB - Excel Spreadsheet) Last update 22 June 2018
Consultation Paper on draft Guidelines on outsourcing arrangements (EBA-CP-2018-11)
(507.27 KB - PDF) Last update 22 June 2018
BSG response to EBA Draft Guidelines on outsourcing (EBA CP 2018 11)_24 Sep 2018
(464.9 KB - PDF) Last update 25 September 2018