European Savings and Retail Banking Group
Rue Marie-Thérèse, 11 - B-1000 Brussels
ESBG Transparency Register ID 8765978796-80
Published: 27 September 2018
Consistent guidelines are useful for creating a level playing field, not least because the existing 2006 CEBS guidelines were implemented in different ways by the EU Member States. Nevertheless, both the institutions and the supervisors should retain some leeway so as to take due account of the principle of proportionality and the specificities of the national banking sectors. Especially as the scope of these guidelines is restricted to credit institutions and investment firms, and not to the service provided, they could severely limit the innovation capacity of the European financial institutions. This is especially important as according to the EBA 2017 Discussion Paper on the EBA's approach to financial technology (FinTech) 31% of Fintech companies are not subject to a regulatory regime under EU or national law.
Unfortunately, we notice that the volume of regulation in the present Draft Guidelines has risen considerably compared with the existing CEBS guidelines. As a result, from a general perspective ESBG feels that the outsourcing requirements are too detailed and too strict. Therefore, we believe that they need to be more direct and clear. We wish to point out that more regulation is not necessarily better regulation, and therefore urge the streamlining of the proposals. In particular, we believe that it is necessary to make more suitable distinctions regarding the definition of outsourcing. To enable a better definition, the EBA should inter alia provide a non-exhaustive list of activities that are not considered to be outsourcing within the meaning of the guidelines.
As a general principle, we wish to note that the requirements set out in the Draft EBA Guidelines on outsourcing do not sufficiently distinguish between requirements applying only to critical and important functions and those applicable to non-critical/non-important functions. Additionally, permanent task sharing within groups and among entities belonging to an institutional protection scheme (IPS) should be appropriately taken into consideration. Facilitations should likewise be granted to supervised multi-client service providers.
Moreover, the control requirements on internal corporate solutions are disproportionately increased. Group-wide management of outsourcing as an intra-firm solution should be sufficient; otherwise financial institutions will be less inclined to use shared service centres and cloud solutions because of the increased costs and administrative burdens. It would be more appropriate to set such guidelines for the cloud providers rather than for the institutions using their services.
Outsourcing to specialised service providers also brings advantages such as risk reduction, quality improvements or sharing in innovations. Their use should not be effectively prohibited by excessive regulation and an unreasonably high effort for the institutions. Therefore, we believe that outsourcing should be incorporated into the EBA FinTech work stream and tested in a sandbox environment before implementation, in order to assess potential caveats.
Q1: Are the guidelines regarding the subject matter, scope, including the application of the guidelines to electronic money institutions and payment institutions, definitions and implementation appropriate and sufficiently clear?
The absence of a notion of duration makes the definition too broad. ESBG thinks that the criterion "on an ongoing and permanent basis" should be added to the definition of outsourcing as follows (additions highlighted):
“Definitions: Outsourcing means an arrangement on an ongoing and permanent basis of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity, or parts thereof that would otherwise be undertaken by the institution, the payment institutions or the electronic money institution itself".
At least, one-off or occasional arrangements with service providers should be excluded.
Paragraph 5 confirms that the outsourcing of “functions" in general and “critical or important functions" in particular are the subject matter of these Guidelines. In paragraph 11, the latter term is defined as “any outsourcing of a function which is considered as critical or important including any operational tasks performed by the internal control functions".
At first sight, it appears to us that both the scope and the definitions proposed are too vague and that they may lead to divergent and uneven implementations; either at company or national level. Therefore, we consider the regulation should include an example of a critical or an important function in the following way or similar:
“Critical or important functions can be such as services whose incorrect provision for a period exceeding 3 days interrupts or distorts the capacity of the entity to meet the obligations of its business or may lead to a sensible operational, economical or reputational impact for the entity, their clients or stakeholders according to the institution's risk appetite"
In addition, in order to help harmonise the supervision of outsourcing arrangements, it is necessary that the Guidelines adequately limit the scope of the functions whose outsourcing falls under the Guidelines. The wording “any arrangements" and “that would otherwise be undertaken by the institution" can be interpreted to mean that all third-party arrangements can be considered outsourcing, except for the very few exemptions mentioned in paragraph 23 (“The acquisition of services (e.g. advice of an architect regarding the premises, legal representation in front of the court and administrative bodies, servicing of company cars, catering), goods (e.g. purchase of office supplies, or furniture) or utilities (e.g. electricity, gas, water, telephone line) that are not normally performed by the institutions or payment institutions").
Therefore, it is necessary that the EBA includes an annex to the Guidelines, including a non-exhaustive but more detailed list of examples that shall not be considered outsourcing. For instance, we propose adding the following cases: (i) consulting or advisory services, (ii) acquisition of projects for developing new software (we understand that the maintenance of the software is to be included); (iii) execution of advertising campaigns (media, advertising, promotional products…); (iv) management (not acquisition or purchase) of facilities (rebuilding works, management of immovable property, offices, maintenance works…); and (v) personnel administration.
Furthermore, paragraph 12 sets an “indicative date" of application: 30 June 2019. Our concern is that ESBG members will not have enough time to properly set up the global governance dedicated to all types of outsourcing as required by the Guidelines. We thus suggest extending the date of application by at least six months for this specific topic.
ESBG believes that the requirement to ensure compliance of the existing stock of outsourcing contracts with the content of the guidelines within 18 months from the date of application of the guidelines (31 December 2020 – the transitional deadline in paragraph 13), would weaken not only the ongoing outsourcing activities but also the relationship of institutions with existing service providers.
Indeed, the existing stock of outsourcing contracts of a given ESBG member might have a termination date or renewal date after the Transitional Deadline (the typical duration is 3-5 years). Therefore, such a requirement would put the institutions in difficulty: in order to comply with the rules of their contracts and with contract law, they will have to renegotiate quickly without being able to impose the new provisions on the providers. There will therefore be a risk of non-renewal or contractual termination of the outsourced service as soon as the service provider refuses to accept the new conditions, which were not provided for at the time of the call for tender and are binding on the parties. The only choice for institutions, in the event of failed renegotiations with a provider, will be to take the risk of ending business continuity. Moreover, in the case of a contractual breach, this may be considered as resulting from a fault of the institution in the absence of a legal basis (even more so if the breach takes place before the end of the contract or the renewal date). Therefore, ESBG believes that the alignment of the existing outsourcing contracts with the requirements of the Guidelines would represent an infringement of legal certainty, since it imposes on the contractual parties obligations which were unknown and not legally binding at the time of concluding the contracts. We therefore suggest completely removing this requirement in the final version of the Guidelines.
We would like to make sure that, as we understood, there is no specific deadline for the stock of long-term contracts other than their termination date or renewal date. Therefore, it would be very useful if paragraph 13 made this clear, so as to avoid confusion. Finally, also to avoid confusion, it would be appropriate to replace the word “documentation" with the word “register" in paragraph 13. Furthermore, we would also propose an additional transition period of one additional year. This would, in our view, meet the objective of securing outsourcing operations, preferably by modifying paragraph 13 in the way described below.
“13. Institutions, payment institutions and electronic money institutions should complete the register of all existing outsourcing arrangements, other than outsourcing arrangements to cloud services providers, in line with these guidelines following the first renewal date of each existing outsourcing arrangement, but not later than by 31 December 2020."
ESBG welcomes the definition of sub-outsourcing. However, we notice that the guidelines do not always treat it in a coherent way. We therefore suggest that the guidelines should specify that the different obligations related to subcontracting should only apply to critical or important services.
We notice that there seems to be only marginal preferential treatment of outsourcing within groups or within financial networks related to an institutional protection scheme (IPS). Requirements (management, control) are thus not relaxed but remain the same as those applied to outsourcing activities outside the group. By doing so, basically no recognition is made of the degree of integration reached within many banking groups, where centralized functions at group level act as a service provider for the other entities within the same group.
We therefore propose that the spirit of the EBA Guidelines from 2006, Title 1, point 2, is retained. That text specified that intra-group outsourcing should be allowed lighter controls. The proposed text can be found below.
“Intragroup outsourcing and outsourcing according to Guideline 4.1(i) can be material. Outsourcing institutions should be aware that supervisory authorities may take specific circumstances into consideration, such as the extent to which the outsourcing institution controls the service provider or has the ability to influence its actions, and the extent to which the service provider is included in the consolidated supervision of the group, when assessing the risks associated with an intragroup outsourcing arrangement and the treatment to apply to such arrangements."
“The policy should recognise that the management of non-material and intra-group outsourcing should be proportionate to the risks presented by these arrangements."
In this context, we would also suggest that some requirements are exempted or proportionally applied to intra group outsourcing arrangements as well as to outsourcing among entities of a financial network related to an IPS. Specific examples are: section 9.2 due diligence, paragraphs 59 and 86 on concentration risks and section 12 on exit strategies.
We appreciate the application of the principle of proportionality to this issue, but we do feel that it has to be applied in a way that does not hinder the level playing field among the different types of entities competing in the same market. If all activities that a credit institution performs are affected by these Guidelines, there is no reason to exclude account aggregators or credit intermediaries from the application of these guidelines; as, on the contrary, more lenient regulatory requirements would confer exempted companies a competitive advantage. In case these guidelines are not extended to apply to those institutions, any third party arrangement related to aggregation services or credit intermediation made by credit, payment and e-money institutions should not be considered outsourcing.
In relation to paragraphs 19 and 20, ESBG welcomes the fact that some facilitations shall be available for outsourcing within groups and institutional protection schemes (IPS). We believe that this is generally justified because such groups and groupings are focused on long-term cooperation and a rational division of tasks and responsibilities. As stated above, the requirements in the outsourcing guidelines should be broken down further and supplemented.
The governance and ownership structures in an IPS can be different to those of a consolidated group within the meaning of Article 11ff. of the CRR (Regulation (EU) 575/2013). Based on paragraph 35c) of the Draft Guidelines, we are requesting that, for an IPS, all outsourcing to other entities affiliated with the corresponding financial network should be covered (as well as outsourcing arrangements between the member institutions).
With regard to IPSs, we suggest to include a reference to Article 113(7) of Regulation (EU) 575/2013 and to ensure consistency with the IPS definition mentioned therein.
The EBA Draft Guidelines on Outsourcing provide a set of rules which will remove the current advantages of intra-group outsourcing and treat it, from a risk perspective, basically in the same way as external outsourcing. In our view, this needs to be avoided. As long as the reporting and impact assessments are fulfilled, the institutions should not be required to retain adequate competence and sufficient skilled resources to ensure appropriate management and oversight of outsourcing arrangements. More precisely, paragraph 20a should be adjusted in order to reflect the proposed changes:
“a. where the operational monitoring of outsourcing arrangements within the same group or institutional protection scheme is being centralised (e.g. as part of a master agreement for the outsourcing arrangements), those institutions and payment institutions should ensure that there is independent monitoring of the service provider and an appropriate oversight by each institution or payment institution, including by receiving from the centralised monitoring function reports covering the institution's or payment institution's outsourcings. Those institutions and payment institutions should also ensure that their management body will be duly informed of relevant changes being planned regarding the centralised service providers in order for them to assess the impact of these changes and ensure compliance with all regulatory requirements; as long as the reporting and impact assessments are fulfilled, the institutions are not required to retain adequate competence and sufficient skilled resources to ensure appropriate management and oversight of outsourcing arrangements;"
With regard to the wording of paragraph 20b (“where those institutions and payment institutions (…) rely on a central pre-outsourcing assessment (…)") we believe that it needs to be aligned with the wording in Title IV Section 9 where a pre-outsourcing analysis is mentioned. We therefore recommend replacing the term “pre-outsourcing assessment" with “pre-outsourcing analysis".
“b. where those institutions and payment institutions within the group, institutions affiliated to a central body or part of an institutional protection scheme rely on a central pre-outsourcing analysis of the outsourcing arrangements as referred to in Section 9, each institution and payment institution should receive the respective analysis and ensure it takes into consideration its specific structure and risks within their decision making."
For outsourcing activities within groups, the Draft Guidelines foresee several conditions that ease the requirements, especially at the level of a single entity belonging to a central body, a group or an institutional protection scheme (IPS). They allow this through the establishment of uniform arrangements and centralised operational tasks.
We acknowledge that the system of conditions in paragraph 21 of the Draft Guidelines is comparable to a waiver, whereas Article 10 CRR demands a high level of integration and control mechanisms for institutions affiliated to a central body. However, we question how other, sometimes similarly highly integrated groups with centrally executed control and enforcement mechanisms are treated. The major differences between these groups are the organisational structure and the capital participation. To give an example, an IPS has to prove that there is no current or foreseen material practical or legal impediment to the prompt transfer of own funds or repayment of liabilities from the counterparty to the institution, and that the institutional protection scheme disposes of suitable and uniformly stipulated systems for the monitoring and classification of risk, which give a complete overview of the risk situations of all the individual members and of the institutional protection scheme as a whole, with corresponding possibilities to exert influence.
We therefore suggest that the EBA reconsiders the approach for the chapter “Outsourcing within group application and institutional protection scheme" (paragraphs 17-21 of the Draft Guidelines) and enables IPSs to operate a centrally organised outsourcing regime similar to that of groups where waivers have been granted. We would like to reiterate the fact that some IPSs face a situation of certain ownership forms, such as foundations without a proprietor (e.g. in Austria), that want to cooperate and act as one group but have no other option than to organise themselves in an IPS structure, which tries to achieve group effects but cannot become a (usual) group, for instance through equity participation.
Regarding paragraph 22, ESBG feels that the wording of the second sentence goes too far. According to this dictum, any form of cooperation amongst licensed entities would have to be qualified as “outsourcing". However, there are, for example, functions of central clearing houses in payments or securities settlement that can definitely not be performed by individual institutions and should thus not be considered to be outsourcing within the meaning of the guidelines. We suspect that the intention behind this requirement is in particular to ensure that there cannot be any reference to capacity or expertise that an institution currently does not possess. This could be better expressed as follows:
“it is not relevant whether or not … or it would be able to perform it by itself on the basis of current resources and capabilities."
Moving on to paragraph 24, ESBG opposes a requirement to perform a risk assessment in accordance with section 9.3 of the Draft Guidelines for all of an institution's contractual relationships. The analyses and assessments required there are likely to be excessive for almost all other contractual relationships, and this is not something that can be remedied by a general reference to the principle of proportionality. The requirement for other contractual relationships should be limited to their inclusion in the management of operational risk and ensuring compliance with the legal provisions to be observed by the institution.
The intention of paragraph 26 is to put in place agreements between the competent authorities of EU Member States and the competent authorities of non-EU countries concerning regulated banking activities or payment services, with a view to securing the outsourcing of these activities to locations outside the EU, which is in the interest of the institutions. In practice, we believe that it should be ensured that the negotiated agreements will be both protective and effective for the institutions.
However, ESBG believes that the guidelines should specify that the requirements of paragraph 26 only apply in the case of complete outsourcing of authorised activities and do not concern, e.g., the outsourcing of cloud services outside the EU (which is often the case in practice). We would like to point out that these provisions were not in the EBA's Recommendations on outsourcing to cloud service providers dated 20 December 2017.
We believe that in an intra-group setting, where outsourcing is provided and steered centrally, it is sufficient, in order to avoid duplicating processes, that the lead institution is responsible for making sure that proper management and oversight of outsourcing arrangements are retained. The other institutions of the group would of course validate the management and oversight of the outsourced arrangements. We therefore propose to change paragraph 29 as follows:
“29. Outsourcing should not lower the suitability requirements applied to the members of an institution's or payment institution's management body, persons responsible for the management of the payment institution and its key function holders. Institutions and payment institutions should retain adequate competence and sufficient skilled resources to ensure appropriate management and oversight of outsourcing arrangements. Where the operational monitoring of outsourcing arrangements within the same group or institutional protection scheme is being centralised, it shall be sufficient that those institutions and payment institutions ensure independent monitoring and appropriate oversight."
ESBG thinks that the guidelines' requirement to form new functions dedicated to outsourcing or to designate Key Function Holders would generate very significant costs and implementation time that are not necessary in all cases. Moreover, ESBG members consider that their internal control functions are already competent to verify the accuracy of the implementation process of outsourcing arrangements. We are of the opinion that institutions should be given freedom of choice as to the means.
We therefore propose the following changes to paragraph 30.c.
“taking into account Section I of these Guidelines, should establish an outsourcing function or designate a senior staff member (e.g. Key Function Holders) who is directly accountable to the management body, or at least ensure a clear division of tasks and responsibilities for the monitoring of outsourcing arrangements".
Concerning paragraph 34, we are of the view that some of the requirements are too detailed for a policy document adopted by the management body. For instance, the exit strategies and termination processes of paragraph 34 are too specific, and differ too much depending on the type of service, to belong in such a policy. We consider that those aspects should be placed in lower-level corporate documents or included as an annex.
In relation to intra group outsourcing, currently many banking groups are composed of multiple and diverse subsidiaries, which make extensive use of intra group outsourcing. However, strategic decisions at group level do not always work under arm's length contracts. Those strategic decisions take into account every consequence for both the main entity and its subsidiaries, with no single part having to assume dire consequences.
Therefore, it needs to be understood that even though banks need to assess the risks of conflicts of interest, especially in cases of intra group outsourcing, as stated in paragraph 38, banks should not be required to take any additional measures in order to appropriately balance conflicts of interest. We believe that the issue should be left to auto-regulation through, for example, internal codes of conduct and policies on conflicts of interest.
In relation to the internal audit function, particularly paragraph 42, we consider that the review of outsourced activities should be set at institution level and should be performed under a risk-based plan, based on the internal control framework and mechanisms of the entity following the EBA's Guidelines on Internal Governance. Therefore, the review of the outsourced activities can be undertaken either by the second line of defence, by specialised functions (IT, legal, compliance, etc.), by outsourced specialists (third-party certifications, external auditors, etc.) or by a combination of these.
Paragraphs 74 and 75 allow third-party certifications and reports and pooled audits to be used as a complement to audits by the institution's internal audit function. These options should also be mentioned in Section 7. In addition, many service providers themselves have an internal audit function that meets national and international professional standards. In this case too, it should be clarified that their audit activities and outcomes may be used.
In particular, when the service provider is a supervised institution or works for a large number of clients, inappropriate multiple audits should be avoided. These would not generate any appreciable additional benefits, but rather operational burden and higher costs.
In relation to paragraph 47.c (v) about scheduled audits, we believe that the outsourcing register should not require duplicative information. Audit schedules are part of the documentation of the internal audit function. ESBG suggests deleting this point.
We believe that there are too many criteria for assessing the critical or important nature of a service to be taken into account. This includes criteria, which we find to be more relevant to risk assessment.
We therefore propose that, for clarity purposes, paragraphs 49 and 50 are moved from Section 9.1 “Assessment of the criticality or importance" to Section 2 “Subject matter, scope and definitions", which concerns the definition of the concept “critical and important".
We also believe that paragraph 51 should be moved into the section on risk assessment (9.3 Risk Assessments of outsourcing arrangements) because we think that the criteria listed do not fall under the evaluation of the critical or important nature but the assessment of the risk borne by the service (business continuity and data among others). For example, paragraph 51(e) currently contemplates that “when assessing whether or not an outsourcing arrangement is critical or important, i.e. it concerns a critical or important function, institutions and payment institutions should take into account: […] (e) other outsourcing arrangements, in accordance with Section 9.3, the institution's and payment institution's aggregated exposure to the same service provider or the cumulative impact of outsourcing arrangements in the same business area". Outsourced activities should be considered critical or not independently of who the service provider is. It is true that the provider needs to be accounted as a risk factor on the outsourcing agreement, but the criticality of most activities should not, as a general rule, depend upon the identity of the service provider. Paragraph 59a requires taking into account concentration risks, which should be sufficient in this respect.
ESBG is of the opinion that the obligation to conduct due diligence on a service provider should be limited to the outsourcing of “critical or important functions" in line with the response to Q2. This is also necessary in light of the fact that such a classification is likely to happen in many cases because of the criteria given in section 9.1.
Paragraph 56 constitutes, compared with paragraph 94 of the EBA's governance guidelines, an unreasonable expansion and cannot actually be implemented to this extent. ESBG therefore urges that this paragraph be modified in the following manner: “Institutions and payment institutions should take into account whether appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct".
Paragraph 57 constitutes a reference to all third parties monitoring when it states that "Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, manage, monitor and report all risks they are or might be exposed to relating to arrangements with third parties, regardless of whether or not those arrangements are considered outsourcing arrangements". ESBG is of the opinion that such a requirement does not lie within the scope of the outsourcing guidelines. Paragraph 57 therefore should be deleted. At a minimum, we would ask the EBA to clarify that combined risk assessments of similar non-outsourcing arrangements are admissible and that institutions may entirely exclude arrangements of minor extent.
In the case of some service providers (for instance the examples covered by paragraph 60), it is almost impossible to obtain all the information requested by the Draft Guidelines on sub-contractors of these service providers (sub-outsourcing). For some outsourced services, subcontractors are numerous and it is difficult for institutions to go down the chain. We would like to draw your attention to the fact that one way to comply would be to contractually oblige the provider to ensure the compliance of its subcontractor and to provide the financial institution with the necessary documents. This way would fulfil the Guidelines' requirements that the financial institution keeps all of the responsibilities toward the customers.
Applying the requirements outlined in paragraph 63 for non-critical and non-important outsourcing arrangements would be too ambitious and not practice-oriented (e.g. agreement on comprehensive information, audit and access rights). We recommend consistently focusing Section 10 on “critical or important" outsourcing.
ESBG would furthermore suggest the following actions to facilitate access to cloud solutions and the development of the cloud in the banking industry:
Additionally, in relation to the obligations of paragraph 66, we consider that they should be undertaken by the provider on behalf of its subcontractor. Therefore, the provider would have the contractual obligation to require the subcontractor to comply with the requirements of that paragraph.
Q11: Are the guidelines in Section 11 regarding the oversight on outsourcing arrangements appropriate and sufficiently clear?