1. Is it correct to conclude that the cooperation requirements under paragraph 63 of the Guidelines on outsourcing arrangements should be complied with in regard to EU establishments only, considering the distribution of responsibilities between competent supervisors set out in relevant EU law?
2. If a service provider is part of a third-country group but is located in an EU Member State as a separate legal entity, should it be considered outside of the scope of paragraph63 of the GLs?
The Guidelines on Outsourcing Arrangements (EBA/GL/2019/02), at paragraph 63, provide that, to outsource banking activities or payment services to a service provider located in a third country, credit institutions should check whether there is a cooperation agreement between the competent authority responsible for their supervision and the third-country supervisory authority responsible for the service provider.
1. In addition, with regard to the application scope of the Guidelines, among the other addressees, it is indicated that EU credit institutions should comply on a solo, sub-consolidated and consolidated basis. Although competent for the supervision of the EU parent entity (ultimately ensuring that internal governance and risk management processes are applied consistently across the group), EU supervisors are not directly responsible for the supervision of third-country entities, such as subsidiaries. Hence, in view of the obligation introduced under paragraph 63 on the existence of appropriate cooperation agreements with third-country supervisors, it is unclear if it is correct to conclude that the said cooperation requirements should be complied with in regard to EU establishments only, considering the distribution of responsibilities between competent supervisors set out in relevant EU law.
2. With a view to avoiding regulatory arbitrage and ensuring the effective supervision of outsourced banking activities , the Guidelines introduce specific supervisory conditions to the outsourcing of such activities to service providers located in a third country, as opposed to outsourcing to service providers located in a Member State (at paragraph 62, for instance). There may be cases, however, where the relevant service provider is located in an EU Member State as a separate legal entity while being part of a third-country group.
As regards the scope of application, paragraph 9 of the EBA Guidelines on outsourcing arrangements specifies that institutions should comply with the EBA guidelines on a solo basis, sub-consolidated basis, and consolidated basis, in line with the provisions of Article 109, paragraph 2, of Directive 2013/36/EU (CRD). According to Article 109 of CRD, institutions need to ensure that policies are implemented on a consolidated basis. Consequently, group policies should also apply to subsidiaries that are not subject to the CRD individually, including institutions located in third countries.
The guidelines cannot deviate from Article 109 CRD, which prescribes how requirements should be applied on a prudential consolidated basis, including in third countries. As a result, where subsidiaries of EU institutions in a third country outsource functions to service providers in third countries to an extent that would require authorisation or registration: i. these service providers should be authorised or registered to provide that banking activity or payment service in the third country and supervised by a supervisory authority in the third country; and ii. adequate cooperation agreements with the supervisory authority of the service provider should be in place to ensure effective supervision on a consolidated basis.
A specific clarification on this issue was also provided in the Final report on EBA Guidelines on outsourcing arrangements, in the summary of EBA’s analysis to responses of the consultation (please refer to page 68, paragraph 3, and pages 73, 76, and 79 of the Final report).
Therefore, paragraph 63 should apply in this context. In accordance with the spirit of the guidelines, the provisions of paragraph 63 shall also apply in the case where a service provider sub-outsources that banking activity or payment service to a service provider located in a third country.
There is no reference to the location of the group the service provider belongs to in the guidelines (see e.g paragraph 43, letter d. on differentiation to be made in the outsourcing policy, paragraph 68, letter c on the risk assessment of outsourcing arrangements, paragraph 73 on due diligence, paragraph 86 on access rights). The outsourcing arrangements should set out the rights and obligations of the institutions, on the one hand, and the service provider, on the other hand.
The distinction according to whether the service provider is located in the EU or in a third country is to be understood against the background of the need to establish whether specific cooperation arrangements may be needed between an EU competent authority and the supervisory authority of the service provider to allow an efficient supervision of outsourcing arrangements that relate to authorized or registered activities.
In this regard, paragraphs 62 and 63 of the guidelines specify that institutions should abide by specific conditions that differ depending on whether the service provider is located in the EU or in a third country. Indeed, additional requirements apply if the service provider is located in a third country.
A service provider which is part of a third-country group but is located in an EU Member State as a separate legal entity falls into the scope of paragraph 62 (and not 63) of the EBA guidelines. In this context, no consideration should be given to the location of the group the service provider is part of.