Response to consultation on draft Guidelines on outsourcing


Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?

Yes, subject to the specific comments below on scope and definitions:
• Para 8 of the draft guidelines provides that for the purposes of the guidelines ‘any reference to “payment institutions”, includes “electronic money institutions”…’. However, the terms are still used separately in some paragraphs (i.e., para 10, definitions, para 12 and para 13) and electronic money institutions are referred to as “e-money institutions” in para 18 and footnote 15. We believe it would be clearer to either use “institution” throughout or refer separately to institutions, payment institutions and electronic money institutions. Please note that we have used the term institution throughout this response.
• Para 11, definitions:
• Outsourcing uses the Markets in Financial Instruments Directive II (MiFID II) definition, i.e. an arrangement whereby a service provider performs a process, a service or an activity that would otherwise be undertaken by the institution itself. We understand why the EBA has chosen consistency with MiFID II; however, the very broad definition may catch all services provided to an institution under a contract with third parties.
Para 23 of the guidelines, however, excludes from the definition those services that are not normally performed by the institution, for example legal representation in front of the court. We believe that this text should be included within or linked to the definition of outsourcing. Furthermore, to avoid diluting the focus of the guidelines, we believe that the list of exclusions should include other professional services commonly obtained from third parties (for example, bookkeeping, tax advice and tax compliance services, statutory reporting/accounting, custody audits and payroll services).
We note that the definition of outsourcing in the guidelines (but not MiFID II), also refers to ‘… or parts thereof…’. If a service provider provides an institution with back office resources (such as accounting, payroll, treasury management etc.) to help address a shortage of personnel or skills for a specified timeframe under the institutions’ responsibility, it would be helpful to clarify whether this would fall within the definition of outsourcing or whether there is a degree of control, exercisable by the institution, that would exclude such a service from the definition.
• Critical or important function - particularly given the broad definition of outsourcing discussed above, in our view further guidance is needed to amplify the definition of “critical or important functions”. As drafted currently, we believe there is a lack of clarity and examples that are both relevant to institutions and recognise different degrees of scale and complexity. We recognise that there should always be a grey area in which institutions exercise judgment. However, if the definition is unclear, institutions are likely to err on the side of caution and treat more ‘other functions’ as critical or important functions, which would dilute the institutions’ focus and, hence, the intended outcome of the guidelines. Clarity is also vital for multi-disciplinary service providers, who need to be able to draw a line between different types of services provided.
We note that Article 30(2) of the MiFID Commission Delegated Regulation (EU) 2017/565, provides that a number of functions shall not be considered as critical or important i.e.
“(a) the provision to the firm of advisory services, and other services which do not form part of the investment business of the firm, including the provision of legal advice to the firm, the training of personnel of the firm, billing services and the security of the firm's premises and personnel
(b) the purchase of standardised services, including market information services and the provision of price feeds.”
In our view, it would be consistent to include a similar provision in the guidelines, linked to the definition of critical and important, with additional, non-exhaustive, examples. We also think it would be helpful to clarify what is meant by the reference to “internal control functions” in the definition and which of these are deemed as critical.

• Sub-outsourcing is defined as a situation where a service provider under an outsourcing arrangement further transfers a process, a service or an activity (or parts thereof) to another service provider. It would be helpful to clarify that sub-outsourcing only relates to a process/service/activity that is specific to the institution and not to parties engaged by the service provider to support its own internal ancillary processes (such as compliance with a legal/regulatory obligation, quality reviews, conflict checking or IT and administrative support services). For example, if the service provider has an existing relationship with an infrastructure vendor, which was established prior to the relationship with the institution and without regard to the institution’s requirements, we believe that this should be excluded from the definition of sub-outsourcing. An example of this would be an external mail provider engaged by the service provider to facilitate the sending of all its internal and external e-mail communications, or an external helpdesk provider not specifically engaged for the institution.
More generally, while we agree that an institution should remain responsible for reviewing and monitoring the performance of the overall outsourced service, we believe that it is for the service provider to ensure that its subcontractors allow the service provider to meet its contractual obligations to the outsourcing institution. We recommend that the EBA clarifies in the guidelines that it is sufficient for an institution to review a service provider’s third-party oversight processes. In addition, we would suggest that the EBA should state explicitly that the guidance only applies to subcontractors connected to the service provider’s provision of relevant services to the institution.
Furthermore, we believe that this is an area where industry-led standards and best practice could play a substantial role in creating certainty as to legal and regulatory requirements, thereby removing frictions/impasse in contractual negotiations.
• Cloud services and types of cloud (e.g. “public cloud”) are defined terms. Whilst we recognise and welcome the integration of the EBA’s recommendations on outsourcing to cloud service providers, we believe that the guidelines should take a more technologically neutral approach to be capable of including new or emerging IT services.

Q2: Are the guidelines regarding Title I appropriate and sufficiently clear?

Yes, subject to the specific comment below:
• Para 15: We welcome the inclusion of the principle of proportionality in the guidelines. However, notwithstanding the reference in para 24, as currently drafted, many of the provisions in the draft guidelines are very detailed and prescriptive and written as absolutes. We believe that such provisions should be prefaced by recognition that application of the provisions should be proportionate to the nature, scale and complexity of an institution’s activities.

Q3: Are the guidelines in Title II and, in particular, the safeguards ensuring that competent authorities are able to effectively supervise activities and services of institutions and payment institutions that require authorisation or registration (i.e. the activities listed in Annex I of Directive 2013/36/EU and the payment services listed in Annex I of Directive (EU) 2366/2015) appropriate and sufficiently clear or should additional safeguards be introduced?

Yes, subject to the specific comments below:
• Para 23 clarifies that the “acquisition of services … that are not normally performed by the institutions or payment institutions are not considered outsourcing.” As discussed above, we believe that this should be incorporated in the definition of outsourcing such that the definition focuses on services related to regulated activities or risk management. Additionally, we do not think that the example of a professional service, “advice of an architect”, is helpful for an institution. Instead, and as also noted above, more clarity around assurance and advisory services would seek to ensure there is no ambiguity on the part of recipients (e.g. statutory reporting, bookkeeping, tax advice and tax compliance services, custody audits and payroll services).
• Para 25 provides that institutions should ensure that banking activities or payment services that require authorisation or registration by an NCA in the Member State are only outsourced to a service provider that is authorised or otherwise allowed to carry out those services or activities in accordance with the national legal framework. It would be helpful to clarify what steps an institution should reasonably take to establish and/or verify whether a service provider in a different Member State is required to be authorised or registered in that Member State and, if so, whether it fulfils the requirements.
In our experience, problems (especially with regard to data protection requirements) often occur if a service provider is located in another Member State or third country. It is important that the requirements for the cooperation between NCAs are in line with data protection requirements in the other Member State or third country (in some cases, agreements for an exchange between NCAs are already in place, while in certain countries this is currently not the case).

Q4: Are the guidelines in Section 4 regarding the outsourcing policy appropriate and sufficiently clear?

Yes, subject to the following, specific comment:
• Para 34(e): we are aware of discussions in some EU markets on the level of detail for an exit strategy. We believe that it would be helpful to clarify in the guidelines the measures an institution should have in place to prepare for a possible exit (e.g. should an agreement with alternative providers already be in place). It is also important to reiterate the principle of proportionality, i.e., the level of detail in an institution’s exit strategies and termination processes should be proportionate to the criticality and importance of the outsourcing arrangement.

Q5: Are the guidelines in Sections 5-7 of Title III appropriate and sufficiently clear?

Yes, subject to the specific comments below:
• Section 5 and other sections of the guidelines referring to conflicts of interest would benefit from greater clarity as to what constitutes a conflict of interest and where there are particular expectations as to their management. The current language seems to focus largely on the risk of conflicts of interest between entities within the financial institution. It is silent on the range of conflicts that might need managing between the institution, the outsource provider and other parties involved in the provision of services. We would anticipate that a wide range of different interpretations and approaches could be adopted by institutions, which may lead to confusion and inconsistent application of the requirements. We suggest that the guidelines are linked to the EBA Guidelines on internal governance (specifically, Section 11 on Conflict of interest policy at institutional level), with additional guidance being provided on conflicts in an outsourcing context, to help institutions implement consistent and more effective processes to manage potential conflicts of interest.
To support institutions in outsourcing services to the most appropriate provider, we would also suggest that the guidelines clarify that whilst some conflicts of interest may be unmanageable, appropriate safeguards may mitigate many situations, for example, service providers separating teams, facilities and infrastructure, and having appropriate arrangements to identify potential conflicts during the term of the contract.
• Section 6: We believe that the guidelines should clarify that it would be reasonable to rely on service providers’ well-organised and well thought through business continuity plans (BCPs) without having to require bespoke BCPs for their services. In the case of a service provider with multiple contracts, if individual institutions were required to have personalised, specific BCPs there would be a risk of operational inefficiencies and ultimately confusion, particularly if the plans related to the same systems and controls as the service provider’s but in different forms. It will also be difficult for the financial institutions to manage. This multiple contracts consideration should be taken into account in the guidelines.
The draft guidelines clarify that the EBA guidelines on internal governance on conflicts of interest and the requirements for a BCP should also be considered with regard to outsourcing activities.
• Para 41 provides that institutions should implement arrangements to maintain the continuity of their business in the event that the quality of the critical or important function deteriorates. The plans should also take into account the potential impact of the insolvency or other failure of the service provider. As noted previously, in our view it is important to clarify the level of detail expected from these types of arrangements. Is it necessary for an institution to have a contract with an alternative service provider on hold for critical and important outsourcing arrangements? If that is the case, should these arrangements be established for all critical and important outsourcing activities, or only if the risks are extraordinarily high?
• Section 7: Whilst we believe the concept of para 44, point (d) is right, in practice the “risk appetite” of a service provider will not be the same as an institution’s, in part because this is driven by strategy but is informed by risk management. We believe that the key point is that the service provider’s risk management and control procedures, in relation to the outsourced services, are appropriate. In general, we found this para very detailed and prescriptive, whereas a higher-level statement of principles with detailed examples could be more helpful.
• Para 42 provides that the audit plan and programme should, in particular, cover the outsourcing arrangements of critical or important functions and should now be approved by the audit committee, when such a committee has been established. As the draft guidelines on the internal audit function are more specific than some national requirements in Member States, we believe that transitional provisions should be in place.

Q6: Are the guidelines in Section 8 regarding the documentation requirements appropriate and sufficiently clear?

Yes, we believe that the guidelines in Section 8 are appropriate and sufficiently clear.

Q7: Are the guidelines in Section 9.1 regarding the assessment of criticality or importance of functions appropriate and sufficiently clear?

Yes, subject to the specific comments below:
• Para 51: As discussed previously, “critical or important function” is defined in the Definitions, and amplified in footnote 11, but not cross-referenced to the assessment in accordance with Section 9.1. We believe that there should be a single clear definition that links to the considerations in para 51.
We believe that para 51 also includes duplication and could be made clearer and more outcomes-focused. For example, in point (d) what is the “potential impact” that is being considered?
As a general comment, we found the whole of Section 9 more detailed and repetitive than other extant outsourcing guidelines such as Guidance on Managing Outsourcing Risk from the Federal Reserve Bank in the US and the Guidance on Third-Party Relationships from the Office of the Comptroller of the Currency.

Q8: Are the guidelines in Section 9.2 regarding the due diligence process appropriate and sufficiently clear?

Yes, subject to the specific comment below:
• Para 56 includes ethical and human rights issues and we welcome the inclusion of these important considerations. However, given the broad range of service providers whose services will fall under the guidelines, it is important that institutions have clarity around what the “acts in a socially responsible manner” judgement should include in practice and how far their due diligence should extend. For example, should due diligence extend to service providers’ other clients and the industries in which they operate? We suggest that the approach in the guidelines is clarified and made consistent with the Non-Financial Reporting Directive.

Q9: Are the guidelines in Section 9.3 regarding the risk assessment appropriate and sufficiently clear?

Yes, subject to the specific comment below:
• We believe that this section, in particular, could differentiate between outsourcing critical and important functions (particularly larger, more complex outsourcing arrangements/services and activities requiring authorisation) and other outsourcing.

Q10: Are the guidelines in Section 10 regarding the contractual phase appropriate and sufficiently clear; do the proposals relating to the exercise of access and audit rights give rise to any potential significant legal or practical challenges for institutions and payment institutions?

Yes, subject to the specific comments below:
• Para 64: While resolution authorities have the power to temporarily suspend termination rights of any party to a contract with an institution under resolution (Article 71 of Directive 2014/59/EU), we would note that a conflict could arise if continuance of the contract was in breach of obligations on the service provider, e.g. independence requirements.
In general, we believe that this section is overly prescriptive given the very broad definition of outsourcing discussed above, which would include services that could be low value, low relevance or short term. As noted above, we believe that the definition of outsourcing should focus on services relevant to the provision of regulated activities or risk management.
• Para 64(c): Both the institution and the service provider have the existing obligation to interpret, comply with, identify and implement changes in all laws that regulate their own activities. As drafted currently, the guidelines could be taken to imply that the service provider is required to comply with applicable law and regulation that applies to the institution. We believe that this is an unintended interpretation and the guidelines should clarify that the obligation to comply with all relevant law and regulation falls upon the institution and compliance by the service provider is a matter of contract.
• Para 66: Drawing upon the point immediately above, we re-emphasise that, for sub-contractor obligations, a distinction and more nuanced approach is needed around the legal and regulatory requirements on the institution that apply to the sub-contractor, under contract, to a service provider and any sub-contractor as a result of the performance of critical or important functions.
• Para 72: from a statutory audit perspective, the provisions on audit rights are clear and reinforce the right of access for the external auditor.
• Para 72(a), however, provides very wide access rights, including to undefined “other persons”, and does not provide that they be reasonably exercised in connection with outsourced services only and without impinging on the rights of a service provider’s other clients. Where a service provider has multiple clients, it would be disproportionate to grant access rights that impinge on the confidentiality of other clients, which the service provider will be contractually obligated to protect, or the commercial sensitivities of the service provider itself, for example, by providing a direct competitor with “complete access to all relevant business premises...including…financial information…”. We believe there should be appropriate limitations to access rights that recognise the services provided may be part of wider operations that are subject to confidentiality or commercial sensitivity (i.e. the scope of any client audit should be restricted to the services in scope and the infrastructure/systems utilised to deliver those services).
• Para 72(b): Again, we believe that there is a commercial sensitivity risk in giving “unrestricted rights of inspection and auditing” to potential competitors. In our view, a service provider should have the right to object reasonably to an inspection, on the basis of conflicts or competition.
• Para 74: We agree that where the service provider can offer independent Service Organization Control (SOC) reports and ISO 27001, or other similar certification, there should not be a need to perform a full audit inspection.
• Para 75: It is important that the approach taken to inspecting outsourced service providers delivers the level of comfort that meets the EBA’s expectations whilst also being the most efficient and effective for the various stakeholders concerned.
There are well known international standards in place for pooled audits (ISAE3402) with local variations (such as SSAE16 and SSAE18 in the US and AAF01/06 in the UK) which are useful where a service provider serves a specific industry or provides a specific service offering. However, the current challenge with pooled audits is that the scope tends to be set by the service provider rather than the institutions or other users. We believe that more engagement from institutions is needed to seek to ensure appropriate coverage of all the areas over which the users require comfort (as opposed to the areas that service providers select).
We believe it would be helpful for the EBA, and NCAs, to clarify the ability of institutions to use pooled audit reports and any expectations regarding scope. In our experience, where NCAs are silent on whether the use of pooled audit reports is acceptable, it tends to lead to multiple and uncoordinated methods being taken by institutions to seek comfort over the same service providers, which are less efficient for all participants and may actually increase the cost and operational risk to the end customer.
In our view, it is important that all stakeholders are encouraged to engage actively in the pooled audit process, i.e. the report should not be a box-ticking exercise which is not critically evaluated when received by the users. One positive development is the creation of industry alliances/utilities - some are owned by third parties but at least one, with which EY is engaged, is an industry consortium of leading institutions, which addresses scope and efficiency issues by coordinating the assessment of service providers for the benefit of all users.
• Para 79: We suggest adding text to provide that if the performance of audits or the use of certain audit techniques, such as pooled audits, may create a risk for another client’s environment (e.g. in public cloud) or for professional confidentiality obligations towards other clients, alternative ways to provide a similar level of assurance required by the institution or the payment institution should be agreed on (for example, a SOC (Control) audit).
• Para 80: Where external auditors carry out the audit of the service provider, the question of relevant knowledge and skills should be considered at the Request for Proposal (appointment) stage, rather than once appointed as auditors.
• Para 82(a): We would note that there may be circumstances when providing an outsourced service over a transition period could be in breach of independence requirements on the service provider. An unintended consequence of mandating a transition period, absent exceptional circumstances that include conflicts, could be that some service providers who have their own regulatory obligations may be unable to agree to provide services under such a contract.

Q11: Are the guidelines in Section 11 regarding the oversight on outsourcing arrangements appropriate and sufficiently clear?

Yes, subject to the specific comments below:
• Para 83: In our view, additional clarity is needed on what “monitoring” should entail in practice and how it may impact a service provider. We recommend that the EBA seeks further input from the industry and, in particular, service providers. This has a bearing on access, information and audit rights and associated considerations previously highlighted.

Q12: Are the guidelines in Section 12 regarding exit strategies appropriate and sufficiently clear?

Yes

Q13: Are the guidelines in Section 13 appropriate and sufficiently clear? In particular, are there any ways of limiting the information in the register which institutions and payment institutions are required to provide to competent authorities to make it more proportionate and relevant? With a view to bringing sufficient proportionality, the EBA will consider the supervisory relevance and value of a register covering all outsourcing arrangements within each SREP cycle or at least every 3 years in regard of the operational and administrative burden.

N/A

Q14: Are the guidelines for competent authorities in Title V appropriate and sufficiently clear?

Yes, subject to the specific comments below:
• Para 103 & 104: We agree with concerns raised by some institutions that additional clarity is needed on the steps an NCA would be expected to take, both to inform their calculation of concentration risk and to address concerns regarding concentration risk at a sector level. Requiring firms to exit from existing outsourcing contracts, or not to sign contracts with new providers at the end of tender processes, could create risk for both institutions and the market.

Q15: Is the template in Annex I appropriate and sufficiently clear?

We have one specific comment at this time on Annex I:
• Annex 1: It would be helpful to clarify whether institutions are obliged to use the template and provide the information requested by the template, or whether the template serves as an example only.

Q16: Are the findings and conclusions of the impact assessments appropriate and correct; where you would see additional burden, in particular financial costs, please provide a description of the burden and to the extent possible an estimate of the cost to implement the guidelines, differentiating one-off and ongoing costs and the cost drivers (e.g. human resources, IT, administrative costs, etc.)?

N/A

Name of organisation

EY