In September 2019, the Final Report of the European Banking Authority (EBA) Draft Guidelines introduced new outsourcing guidelines for all credit institutions, investment firms, payment institutions, and electronic money institutions. These guidelines replace the previous guidelines issued by the Committee of European Banking Supervisors (CEBS) in 2006. The change occurred because the previous CEBS guidelines applied only to credit institutions. The EBA Guidelines also incorporate the EBA's 2017 recommendation on outsourcing to cloud service providers.
Here are the issues all credit institutions, investment firms, payment institutions, and electronic money institutions should be aware of regarding the updated guidelines.
Outsourcing is an arrangement between a third-party financial institution, such as a Payment Institution (PI) or an Electronic Money Institution (EMI), and a service provider. This arrangement involves a process, activity, or service provided by a regulated third-party financial entity or an intermediary. The EBA Guidelines differentiate between critical and non-critical contractual arrangements. They place more stringent requirements on the risk profile of critical arrangements with PIs and EMIs than on non-critical arrangements.
For example, a service provider using the services of a third-party PI or EMI is a critical arrangement. The service provider and third-party financial institution must follow strict EBA Guidelines and regulations. However, correspondent banking services, financial market information services, and other traditional banking and investment activities fall outside the definition of EBA Guidelines on outsourcing.
Outsourcing Standards for Critical Functions
All external and internal outsourced functions fall under the EBA Guidelines. The EBA Guidelines identify critical tasks that impact PIs' and EMIs' risk profiles and internal control policies. These outsourcing standards for critical functions include recognizing any defects that interfere with the third-party financial institution’s compliance with the EBA Guidelines. PIs and EMIs must also provide efficient and reliable banking and payment services.
Outsourcing Policy and Register
PIs and EMIs must have a written outsourcing policy that defines their operating principles, business responsibilities, and outsourcing processes concerning the outsourcing agreements. In addition, PIs and EMIs must implement their outsourcing policies, review them regularly, and update them when necessary. The EBA Guidelines list the minimum outsourcing requirements that PIs and EMIs must have for their governance framework on outsourcing.
Plus, these third-party institutions must maintain an up-to-date register on all outsourcing arrangements. This documentation must differentiate between critical outsourcing functions and other outsourcing arrangements.
Minimum Requirements for Outsourcing Agreements
According to the EBA Guidelines, all outsourcing agreements must express the rights and obligations of the third-party financial institution and the service provider. Some of these rights and obligations include:
- A description of outsourcing functions
- A start and end date to the agreement
- The financial obligations of both parties
- The service provider’s reporting obligations to the third-party financial institution
- The location of where outsourcing data will be stored and processed
- The availability, accessibility, privacy, and safety of relevant data
All financial institutions subject to the EBA Guidelines must review their outsourcing functions and amend their agreements for compliance with outsourcing regulations if necessary. The deadline to complete this process was December 31, 2021. They must contact the governing authority and explain the steps they will take to complete the review if they cannot complete it by this time.
The EBA Guidelines outline the criteria to evaluate critical outsourced financial activities, processes, and functions. They replace the CEBS Outsourcing Guidelines and provide broader oversight than those guidelines did. As a result, outsourcing arrangements with third parties and cloud service providers will face additional risk assessment requirements.
How Can EMBank Help?
European Merchant Bank (EMBank) offers accessible financial products for fintech companies and local/regional SMEs across various industries. Established in Lithuania and licensed by the European Central Bank, EMBank provides a Banking as a Service offering, combined with Safeguarding Account, Business Account, and Accumulative Account types as well as payment options through SEPA, Swift, and Target2.
Please keep in mind that the above information has been prepared or assembled by EMBank and is intended for informational purposes only. Some of the information may be dated and may not reflect the most current legal developments.
Please send an email to [email protected] to arrange a telephone call.