The European Banking Authority has published revised Guidelines on outsourcing arrangements. The guidelines are intended to update and replace outsourcing guidelines issued in 2006 (by the EBA's predecessor, the Committee of European Banking Supervisors) on outsourcing by credit institutions. The EBA Guidelines have a wider scope, applying to all financial institutions that are within the scope of the EBA's mandate, namely credit institutions and investment firms subject to the Capital Requirements Directive, as well as payment institutions and electronic money institutions. The investment firms within scope, provided that the new Investment Firm Regulation and Directive and related changes to CRD and the Capital Requirements Regulation have entered into force, will only be the largest investment firms (Class 1 Investment Firms). The Guidelines also integrate the recommendation on outsourcing to cloud service providers that was published by the EBA in December 2017. Both the 2006 guidelines and the December 2017 recommendations will be repealed when these new Guidelines enter into force.

The Guidelines provide a single consolidated framework on outsourcing arrangements. More specifically, the Guidelines set out a definition of outsourcing in line with delegated legislation under the revised MiFID II. They cover: (i) proportionality and group application; (ii) the nature of outsourcing arrangements; (iii) the applicable governance framework; (iv) the outsourcing process; and (v) guidelines for national regulators assessing outsourcing arrangements. The Guidelines establish an obligation for firms to maintain a register of all outsourcing arrangements at institution and group level, where applicable. A separate Annex provides an illustrative template that could be used for complying with this requirement. Firms will be required, under transitional provisions, to document existing outsourcing arrangements, other than for outsourcing arrangements to cloud service providers, following the first renewal date of each existing outsourcing arrangement, but by no later than December 31, 2021.

The Guidelines clarify the following: (i) the ongoing responsibility of the management body for the institution and its activities (whether outsourced or not); (ii) the differentiation between critical and important third party outsourcing arrangements and other arrangements; and (iii) the obligation on national regulators to supervise outsourcing arrangements (including identifying and monitoring of related risks).

Where firms outsource banking activities or payment services (to the extent that those activities or services require registration or authorization in their Member State), to a service provider in the same or another Member State, the firm must ensure that the service provider is either authorized or registered to carry out those functions or otherwise able to do so under the domestic laws of the Member State. Stricter criteria will apply to firms seeking to outsource banking activities or payment services (to the extent that those activities or services would require registration or authorization in their Member State) to a third-country entity. These criteria are: (i) that the service provider must be authorized or registered to provide that banking activity or payment service in the third country and is subject to supervision in the third country; and (ii) that the firm's national regulator and of that of the third-country entity have entered into a cooperation arrangement that meets certain requirements that will ensure that the firm's regulator can obtain information from the service provider and, where there is a breach of regulatory requirements, information from the third-country regulator. These requirements are particularly relevant in the context of Brexit because the U.K. will become a third country when it leaves the EU. The EBA made clear in its Opinions on Brexit of October 12, 2017 and June 25, 2018, that financial institutions should not set up an "empty shell" in an EU member state. The Guidelines specifically provide that the management body of any financial institution should have the capacity to monitor and deal with risks in its third-country service providers. This means that the management body must have a sufficient number of members (who have sufficient expertise and spend sufficient time) as is appropriate to monitor the risks associated with the size, structure and complexity of the activities the financial institution engages in.

The Guidelines should be read in conjunction with the EBA guidelines on internal governance, the EBA guidelines on common procedures and methodologies for the supervisory review and evaluation process and the EBA guidelines on ICT risk assessment under the Supervisory Review and Evaluation Process. For payment institutions, the Guidelines should be read in conjunction with the EBA guidelines on the information to be provided for the authorization of payment institutions under the revised Payment Services Directive, the EBA guidelines on security measures for operational and security risks under PSD2 and the EBA guidelines on major incident reporting under PSD2.

The Guidelines will apply across the EU from September 30, 2019 to all outsourcing arrangements entered into, reviewed or amended on or after this date. The Guidelines require firms in scope to review and amend their outsourcing arrangements to ensure that those arrangements comply with the Guidelines. The review of outsourcing arrangements of critical or important functions must be completed by December 31, 2021, failing which firms must provide their national regulator with information on steps being taken to ensure completion of the review or any arrangements being made to exit non-compliant outsourcing arrangements.

View the EBA Guidelines on outsourcing.