Heads up: EBA guidelines on outsourcing enter into force on 30 September 2019

27 September 2019 – need2know

The Guidelines on Outsourcing (EBA/GL/2019/02) issued by the European Banking Authority (EBA) on 25 February 2019 enter into force on 30 September 2019. In addition to credit institutions – to which the CEBS guidelines on outsourcing previously already applied – investment firms, payment institutions and e-money institutions are also addressed by the guidelines. The recommendations for outsourcing to cloud providers (EBA/REC/2017/03) have been integrated. The Austrian Financial Market Authority – FMA – has issued a positive compliance declaration to the EBA pursuant to Art. 16 para. 3 EBA-VO.

The new regulations apply to all new contracts as of 30.09.2019. Institutes should review all existing outsourcing agreements for compliance with the revised guidelines by 31.12.2021 and update the documentation. If this review of outsourcing agreements for critical or important functions cannot be completed by 31 December 2021, institutions should inform the competent authority.

The EBA Guidelines apply to all outsourcings, whereby the term “outsourcing” is defined as an agreement between an institution and a service provider under which the service provider performs a process, service or activity that the institution would otherwise undertake itself. It is relevant to differentiate between “critical or important functions”, for which higher requirements apply in particular to inspection and monitoring obligations, and “other functions”.

Concrete outsourcings should take place on the basis of an internal outsourcing guideline, which should be reviewed and updated regularly. The institutions covered are obliged to set up an outsourcing function or appoint a manager who is directly responsible to the management body, who in particular exercises monitoring and control functions and carries out risk assessments.

For outsourcing contracts with cloud providers, the supplementary provisions of the EBA Guidelines shall apply. These relate in particular to data security issues but also to extended obligations concerning register information.

The provisions of the EBA Guidelines go far beyond the existing legal provisions on outsourcing for credit institutions in § 25 Austrian Banking Act (BWG) and for payment institutions and electronic money institutions in § 21 ZaDiG 2018 (Austrian Payment Services Act). The principle of proportionality must be taken into account when determining the concrete need for adjustment – as it is generally the case when complying with the EBA guidelines. This means that the individual risk profile, the type and business model of the institution as well as the scope and complexity of its activities must be taken into account to such an extent that the objectives of the regulatory requirements can be effectively achieved.

The need for action at the institutions addressed relates in particular to two key elements:

  • Content review and, if necessary, adjustment of existing outsourcing agreements: The EBA Guidelines contain detailed requirements for the contractual arrangement (including mandatory minimum contents) of outsourcing agreements.
  • Recording of all outsourcing agreements in a separate register: All outsourcing contracts must be recorded in a separate register.  The EBA Guidelines define the minimum content. This register shall be disclosed to the competent authority upon request.

 

Authors: Holger Steinborn, Daniel Reiter

Questions? Please contact:

Christoph Nauer 
Elke Napokoj
Holger Steinborn
Kornelia Wittmann
Daniel Reiter
Roland Juill

Practice Groups:

Capital Markets, Banking & Finance

If you would like to receive future issues of need2know follow us on LinkedIn or please send an email to subscribe@bpv-huegel.com.

Our use of cookies

We use necessary and functionality cookies to make our site work. We only use analytics cookies to improve our website if you enable them. By using this tool for individual settings of the cookies, we will send a cookie to your device to remember your preferences.

For more detailed information about the cookies we use, see our Cookies Policy.

Necessary Cookies Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect the website functions.

Functionality Cookies

Functionality cookies allow users to customise how a website looks for them: they can remember usernames, language preferences and regions. We use functionality cookies for storing your user preferences and remembering if you have been to the site before so that messages intended for first-time users are not displayed to you. These cookies do not collect information about you that could be used for marketing purposes and do not remember where you have been on the Internet.

You may disable these cookies with the button, but you should be aware that any preferences will be lost and you will have to make them again on your next visit. It is also possible that the website will not work properly or you will lose some functionality.

Analytics cookies (including US providers)

"Web analytics cookies" collect aggregated information about user behaviour to improve our website. We would like to use such cookies from Google Analytics to improve our website by collecting and evaluating information about the use of our website. The provider of Google Analytics is Google LLC, which is based in the USA. The USA is not certified by the European Court of Justice as having an adequate level of data protection. In particular, there is a risk that your data may be accessed by US authorities for control and monitoring purposes and that no effective legal remedies are available against this. By activating the button under "Web analytics cookies (including from US providers)", you agree that we may set these cookies and that you also agree to the transfer of data to the USA. You can revoke your consent at any time via the cookie settings on our website.