27 September 2019 – need2know
The Guidelines on Outsourcing (EBA/GL/2019/02) issued by the European Banking Authority (EBA) on 25 February 2019 enter into force on 30 September 2019. In addition to credit institutions, to which the CEBS guidelines on outsourcing already applied, the guidelines now also address investment firms, payment institutions and e-money institutions. The recommendations for outsourcing to cloud providers (EBA/REC/2017/03) have been integrated. The Austrian Financial Market Authority (FMA) has issued a positive compliance declaration to the EBA pursuant to Art. 16 para. 3 EBA-VO.
The new regulations apply to all new contracts as of 30 September 2019. Institutions should review all existing outsourcing agreements for compliance with the revised guidelines by 31 December 2021 and update the documentation. If this review of outsourcing agreements for critical or important functions cannot be completed by 31 December 2021, institutions should inform the competent authority.
The EBA Guidelines apply to all outsourcing arrangements, whereby the term “outsourcing” is defined as an agreement between an institution and a service provider under which the service provider performs a process, service or activity that the institution would otherwise undertake itself. A distinction must be drawn between “critical or important functions”, for which higher requirements apply, in particular with regard to inspection and monitoring obligations, and “other functions”.
Individual outsourcing arrangements should be based on an internal outsourcing guideline, which should be reviewed and updated regularly. The institutions covered are obliged to set up an outsourcing function or appoint a manager who is directly responsible to the management body and who, in particular, exercises monitoring and control functions and carries out risk assessments.
For outsourcing contracts with cloud providers, the supplementary provisions of the EBA Guidelines shall apply. These relate in particular to data security issues but also to extended obligations concerning register information.
The provisions of the EBA Guidelines go far beyond the existing legal provisions on outsourcing for credit institutions in § 25 Austrian Banking Act (BWG) and for payment institutions and electronic money institutions in § 21 ZaDiG 2018 (Austrian Payment Services Act). The principle of proportionality must be taken into account when determining the concrete need for adjustment, as is generally the case when complying with the EBA guidelines. This means that the individual risk profile, the type and business model of the institution as well as the scope and complexity of its activities must be taken into account to such an extent that the objectives of the regulatory requirements can be effectively achieved.
The need for action at the institutions addressed relates in particular to two key elements:
- Content review and, if necessary, adjustment of existing outsourcing agreements: The EBA Guidelines contain detailed requirements for the contractual arrangement (including mandatory minimum contents) of outsourcing agreements.
- Recording of all outsourcing agreements in a separate register: All outsourcing contracts must be recorded in a separate register. The EBA Guidelines define the minimum content. This register shall be disclosed to the competent authority upon request.
Authors: Holger Steinborn, Daniel Reiter