European Banking Authority Outsourcing Guidelines: Time to Act


EBA-logo-300x188From September 30, 2019, new guidelines on outsourcing arrangements (Guidelines) issued by the European Banking Authority (EBA) will apply to all outsourcing arrangements entered into, reviewed or amended on or after this date. The Guidelines aim to establish a more harmonized framework for all financial institutions that are within the scope of the EBA’s mandate, including credit institutions, investment firms and payment institutions. All financial institutions must also update all existing outsourcing arrangements in line with the Guidelines by December 31, 2021.

The Guidelines will have an impact that is much wider than just European markets. As large scale outsourcing deals typically benefit global operations, even where deals are being led out of the United States they will need to take account of the Guidelines if European businesses are to be service recipients.

Financial institutions should act now to address the key considerations of the Guidelines:

  • Definition and Identification: Financial institutions will have to assess whether their arrangements fall under the EBA’s definition of outsourcing. If they do, for each arrangement a decision will need to be made as to whether that particular process or activity being outsourced is “critical or important” to how the organization functions (meaning that any disruption in performance of the outsourced function were to “materially impair” the financial institution’s financials, the running of its business or its regulatory standing). There are more stringent controls required for functions that are “critical or important”.
  • Register and Regulator Notification: Financial institutions will have to maintain an updated register of information on all outsourcing arrangements. Whilst the register is only required to be made available to a regulator upon request, the Guidelines encourage financial institutions to notify regulators more frequently than they have ever done in the past about any changes in their circumstances with respect to outsourcing.
  • Governance and Policies: The Guidelines require considerable governance from financial institutions, making it clear that firms may never outsource the oversight of critical or important functions and must retain the necessary skills to do this in house. Financial institutions must, within an appropriate timescale, retain the ability to transfer any critical or important outsourced function to alternative service providers, back in-house, or discontinue the business activities that depend on it. A senior member of staff accountable to the board must also be designated for managing outsourcing risks.

There is a lot to understand within the Guidelines, with many new or expanded requirements that must be complied with. Firms should act now and begin reviewing existing arrangements against the Guidelines as soon as possible. Some changes will take significant time and effort to implement and accurately document, and the impact on oversight and governance frameworks should not be underestimated.