EBA and outsourcing arrangements. PSD2, CRDIV and MiFID2 in light of EBA Guidelines.

The world of finance is changing rapidly as new types of innovation emerge. What was attractive and interesting in the 20th century may now look outdated and rigid. Therefore, many incumbent institutions have to “engage” more agile external parties (e.g. IT providers or so-called FinTechs) to remain competitive and “fresh” in digital times. Such “marriages” are necessary because many incumbents own ICT infrastructures that are not adapted to today’s needs, having been built 10 (or even more) years ago. Technology companies are usually more flexible and may therefore offer a more customized approach (one that is easier to implement). Banking (or financial services in general) is, however, not an easy business, as incumbents have to comply with various regulations and requirements. Lack of action may, however, result in financial shocks, risks and significant drops in balance sheets. Therefore, regulators have to apply a more balanced approach to boost the financial services sector and support all parties. The European Banking Authority takes incumbents one step further, as the new Guidelines on Outsourcing Arrangements (the Guidelines) were adopted 2 months ago. Let’s take a quick look at the key findings of the Guidelines.

A “One Bank” approach and the role of the management bodies

So far we have had different outsourcing regimes for payment services, investment firm activities and “core” banking, stemming not only from the relevant regulations (CRDIV, PSD2 and MiFID2) but also from different guidelines. The new Guidelines change this approach, as the regulator proposed that “institutions can apply a single framework on outsourcing for all their banking, investment and payment activities and services”. Therefore, the Guidelines propose a more unified definition of critical or important functions, which is crucial for assessing the necessity of specific outsourcing arrangements. Other requirements may also be applied irrespective of the scope of activity (with some reservations, e.g. for investment).

In addition, as a consequence of this shift in thinking and “doing”, the internal bodies (e.g. the management board) of institutions should be better prepared to fully oversee the outsourced activities. The EBA also indicated that without good supervision of outsourced activities by the executive bodies, an institution may be exposed to a high risk of non-compliance. Therefore, it is important to ensure that the governance framework (including accountability) is sufficiently developed and detailed. Risk management is also very important.

Cloud-based services and arrangements

The European Banking Authority is aware that a more flexible approach to outsourcing based on cloud computing is needed, as the amount of data is increasing significantly. Big data is not only a trend but a “must have”, and a way to pick up the tempo and offer made-to-measure products to a wider range of clients. To better “utilize” such vast amounts of data, banks and other financial institutions should have the possibility to use external infrastructures such as cloud computing. And don’t forget about the potential savings that the cloud could generate.

Therefore, the European Banking Authority does not restrain institutions from using cloud service providers (including those from third countries), although it does not directly encourage it either; some additional conditions have to be fulfilled before entering into the agreement.

What is important? A regulatory (compliance) check. Institutions have to be sure that personal data (including data covered by secrecy obligations) are adequately protected and kept confidential. This approach should also be reflected in the Business Continuity Process and in operational and security procedures and processes. An Exit Plan should also be in place.

Before entering into such a relationship it is crucial to perform a compliance check (including whether it is possible for the institution’s home regulator to request additional data from the cloud provider or even to perform an on-site inspection, which is probably not going to happen). The institution should also be sure that appropriate traceability mechanisms aimed at keeping records of technical and business operations are in place. The EBA also highlighted the need to adequately draft outsourcing and sub-outsourcing agreements.

What is outsourcing and what is not?

For the sake of clarity, the EBA has proposed a non-exhaustive list of activities that should not be considered as outsourcing. These activities are:

  1. a function that is legally required to be performed by a service provider, e.g. statutory audit;
  2. market information services (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s, Fitch);
  3. global network infrastructures (e.g. Visa, MasterCard);
  4. clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members;
  5. global financial messaging infrastructures that are subject to oversight by relevant authorities;
  6. correspondent banking services; and
  7. the acquisition of services that would otherwise not be undertaken by the institution or payment institution.

Nevertheless, an institution should always carefully assess each agreement to be sure that a specific activity does not fall within the definition of outsourcing.

Outsourcing and the role of Competent Authorities

The role of Competent Authorities remains strong. CAs should oversee the performance of outsourcing agreements and risk management, and react swiftly to any potential issues. To better address this demand, the EBA proposed a list of requirements for service providers from other Member States and third countries that would like to perform outsourced banking activities. The EBA also issued specific guidelines addressed to the Competent Authorities.

What else?

The Guidelines are quite long and comprehensive. The EBA included a detailed description of the outsourcing approval process (with tips on the content of outsourcing agreements). This description is very handy.

The EBA also highlighted the role of the outsourcing policy, as it is an important document for both institutions and (indirectly) service providers. It should not only be a brief description of the process but also an indicator for the various types of outsourcing activities. It should also define the accountability of all parties involved in the process.

Other provisions of the Guidelines relate, for example, to risk management, audit rights and security measures.

We will see in the future whether the effort made by the EBA was enough to boost the financial sector and create a more agile and flexible ecosystem for incumbents.
