The EBA’s draft guidelines on outsourcing will impact cloud outsourcing and institutions’ deployment of FinTech.

On 4 September 2018, a wide audience of interested individuals gathered at Canary Wharf for a public hearing (Public Consultation) to listen to what the European Banking Authority (EBA) had to say in relation to its long-awaited Draft Guidelines on Outsourcing (Draft Guidelines). The Draft Guidelines, which review the existing CEBS Guidelines on Outsourcing published in 2006 (CEBS Guidelines), are the EBA’s opportunity to refresh its recommendations on outsourcing to align more closely with the technical, political, and operational landscape banks face today. The attendees at the Public Consultation raised a number of questions which have, no doubt, given the EBA considerable food for thought. This blog post identifies and explores the key themes of the day. Beyond the key themes identified below, the Public Consultation included discussions of the issues of internal audit, reporting and registration, and supervisory oversight.

Scope

The extension of scope of the Draft Guidelines, as compared to the scope of the CEBS Guidelines, was a particular area of focus during the Public Consultation.

The Draft Guidelines describe their subject matter as “specify[ing] the internal governance arrangements that institutions … should implement when they outsource functions and in particular with regard to the outsourcing of critical and important functions” (paragraph 5 of the Draft Guidelines). The term “critical and important functions” is consistent with the wording used in MiFID II and includes functions which, if a defect or failure were to occur, would materially impair the continuing compliance of the firm’s activities and obligations. In this regard, the Draft Guidelines align with the CEBS Guidelines which described the requirements for “material outsourcing,” a term defined in a similar manner. However, while the CEBS Guidelines noted that “there should be no restrictions on the outsourcing of non-material activities of an outsourcing institution” (Guideline 5), the Draft Guidelines extend to all outsourcing, unless expressly stated otherwise. Many attendees at the Public Consultation noted that this scope was unduly onerous and would become administratively burdensome for firms to manage.

Notably, the broadening of the addressees of the Draft Guidelines (In-scope Entities), to include payment institutions (subject to the revised Payment Services Directive (PSD2)) and electronic money institutions (subject to the e-money Directive), was not discussed in detail at the Public Consultation. However, an attendee raised a question as to the applicability of the Draft Guidelines to industry utilities. The EBA confirmed they had not yet considered this point and advised that they would reflect and clarify the position in the final guidelines.

Brexit

Interestingly, the “B-word” was not mentioned once. This omission may not be surprising as the EBA has, of course, issued opinions which specifically address the impact of the UK’s withdrawal from the European Union (one in October 2017, and another in June 2018) (EBA’s Brexit Opinion Papers); however, the omission of the topic from the Public Consultation is notable because some of the questions attendees raised appeared centred around Brexit considerations, and some of the additional guidance around outsourcing to third country providers appears to have been included as a direct response to Brexit.

The Draft Guidelines state that intra-group arrangements, as well as third-party outsourcings, must comply with the Draft Guidelines. At the Public Consultation, the EBA confirmed that intra-group arrangements should be subject to the same degree of rigour and risk assessment as third-party arrangements, but noted that this scope was not new and was already a requirement pursuant to Article 109 of Capital Requirements Directive (CRD) IV. As many In-scope Entities set about moving key operations out of the UK and to other EU member states, intra-group outsourcing arrangements will become increasingly critical. At a minimum, while a group’s non-UK establishments build and grow their own operations, they likely will rely upon the UK entity as an outsourced service provider. In-scope Entities should therefore review the terms of their intra-group agreements and think about their current operational measures and controls to manage intra-group arrangements. In keeping with the EBA’s Brexit Opinion Papers, the Draft Guidelines stress that the outsourcing firm not be an “empty shell”, but have sufficient resources, and a robust operational and governance framework, to effectively carry out its management and oversight responsibilities (see paragraph 31 of Draft Guidelines).

The EBA also emphasised the need for a cooperation agreement between relevant competent authorities if the outsourcing service provider is located in a third country (see paragraph 26 of the Draft Guidelines). This raises the obvious question about the need for such an agreement between EU regulators and the FCA post-Brexit; unfortunately, the EBA advised that the status of any work regarding cooperation agreements fell outside of the remit of the Public Consultation.

Technology and Digitalisation

When the Draft Guidelines were published for consultation in June 2018, the EBA noted that “IT has become one of the most prevalent outsourced activities”. The EBA has reinforced this message on a number of occasions, including the publication of the EBA’s final recommendations on outsourcing to cloud service providers (Cloud Recommendations) in 2017 and itslaunch of the EBA FinTech Roadmap in March 2018. As a result, both cloud and FinTech featured heavily on the agenda at the Public Consultation.

Cloud

The Cloud Recommendations, published on 20 December 2017, became effective as of 1 July 2018. These recommendations, addressed to credit institutions, investment firms, and competent authorities (Cloud Recommendations Addressees), examine the key considerations for a relevant institution that outsources services to a cloud environment. The Cloud Recommendations were published ahead of the full revision of the CEBS Guidelines, due to demand for timely guidance in this area.

The Draft Guidelines aim to integrate the Cloud Recommendations, and the Cloud Recommendations will be repealed when the final outsourcing guidelines take effect.Therefore, In-Scope Entities will need to consult only one set of guidelines for outsourcing (both cloud and non-cloud). Interestingly the Draft Guidelines do not address the fact that integrating guidelines means that payment institutions and electronic money institutions will, from the effective date of the Draft Guidelines, be subject to the cloud considerations even though such institutions are not currently in scope of the Cloud Recommendations Addressees.

Certain competent authorities, such as BaFin in Germany, have already confirmed that they will postpone local implementation of the Cloud Recommendations until such time as the recommendations are integrated into the new outsourcing guidelines and, at that time, will comply with the fixed timeline for such guidelines (see The Recommendations Compliance Table). At the other end of the spectrum, the Financial Conduct Authority (FCA), by way of a few brief sentences in its July Newsletter, announced that “banks, building societies, designated investment firms and IFPRU investment firms” (i.e. the Cloud Recommendations Addressees) should, from 1 July 2018, refer only to the Cloud Recommendations and not to the FCA’s domestic guidance on outsourcing to the cloud (FG16/5). This announcement by the FCA (albeit made to very little fanfare) was generally welcomed by both UK financial institutions and cloud providers as the announcement relieves them of the burden of complying with two sets of guidance which, though similar, included nuanced differences. Also notably, this FCA announcement was most likely a political nod to European regulators that UK financial services firms are expected to remain compliant with the leading European guidance on outsourcing to the cloud. Going forward, it will be interesting to see how the FCA responds to the introduction of the outsourcing guidelines (and, as a result, repeal of the Cloud Recommendations) which are scheduled to come into effect after the UK has left the EU.

At the Public Consultation, concern was raised about the Draft Guidelines’ approach to concentration risk. Paragraph 59 of the Draft Guidelines looks at both “intra-firm concentration” and “sector concentration” when assessing the risk profile of an outsourcing arrangement. If a competent authority considers concentration risk to be too great, then it may order the cessation of such an arrangement. This approach was challenged at the Public Consultation on the grounds it could lead to operational risk, in particular in connection with cloud outsourcing arrangements. Responding to these concerns Bernd Rummel of the EBA noted that the competent authorities would be in regular dialogue with In-scope Entities and would not exercise such a right without consultation. That said, the potential systemic risk implications of the use of cloud arrangements is an area of focus for banking regulators and should be monitored going forward.

FinTech

On 15 March 2018, the EBA published its FinTech Roadmap setting forth the EBA’s priorities for 2018/2019. The roadmap takes account of feedback on the EBA’s 2017 discussion paper on FinTech and the EBA’s expanded mandate from the European Commission following its publication of the European Commission’s FinTech action plan. The FinTech Roadmap explores many of the issues that institutions embracing FinTech need to consider, including consumer protection, cybersecurity, and AML/ CFT. The FinTech Roadmap mentioned the impact of the Draft Guidelines only fleetingly as one of the “Other Issues”.

However, in light of the broad reach of the Draft Guidelines, In-Scope Entities leveraging third parties to enhance their FinTech offerings will need to take account of the Draft Guidelines (once they take effect) when engaging with FinTech providers. This requires In-Scope Entities to balance the drive to be innovative and market-leading (which appears to be encouraged by the EBA in the FinTech Roadmap) with the need to implement robust contractual arrangements and operational processes to manage risk (as required by the Draft Guidelines). Achieving this balance is all the more challenging because many FinTech providers simply may not have the resources and/or experience to meet the contractual obligations, such as robust governance processes, audit rights and exit strategies, placed on them by institutions seeking to meet the EBA’s requirements. Notwithstanding, it seems unlikely that the EBA will make any concessions in the final guidelines for FinTech providers. In-Scope Entities, therefore, need to start thinking, ahead of the implementation date, about how best to reconcile the desire to engage with start-ups and innovation hubs within a reasonably rigid framework of rules and requirements for third-party contracting.

Next Steps

The Public Consultation consisted of industry bodies, bank representatives, law firms, service providers and industry utilities in deep discussion and questioning the EBA for two hours. It is fair to say that the EBA now has a considerable amount of homework. The deadline for written comments on the Draft Guidelines is 24 September 2018 and thereafter, the EBA will publish the final set of guidelines which will replace both the CEBS Guidelines and the Cloud Recommendations. In the Draft Guidelines, the expected timeline for implementation of the new guidelines is 30 June 2019 and the grace period for updating existing outsourcing arrangements in line with the new guidelines is 31 December 2020. This is a relatively short period of time considering not only the scope of the new guidelines, but also the breadth of change In-scope Entities face in the coming 12 months. One attendee at the Public Consultation requested that the EBA extend the timeline for implementation, but whether the EBA will heed this or any of the recommendations made at the Public Consultation, remains to be seen.

In the meantime, In-scope Entities are advised to take account of the Draft Guidelines in their outsourcing plans and start preparing for the internal changes required if the Draft Guidelines change only minimally before coming into effect.