EBA Guidelines on outsourcing arrangements for payment services and e-money firms

The EBA Guidelines came into effect on 30 September 2019. There is a transitional provision for outsourcings entered into before that date, which delays the… Read more

The EBA Guidelines came into effect on 30 September 2019. There is a transitional provision for outsourcings entered into before that date, which delays the application of the Guidelines to the earlier of the first renewal date and 31 December 2021. Fresh guidance on outsourcing in the financial services sector tends to be a rarity: the Guidelines update the Committee of European Banking Supervisors’ (CEBS) guidelines on outsourcing issued in 2006, which applied exclusively to credit institutions. The CEBS Guidelines and the EBA’s recommendation on outsourcing to cloud service providers of 2017 were repealed at the same time. In practice, in-scope firms now have a single set of regulatory guidelines to consider for both cloud and non-cloud outsourcings.

Scope

The Guidelines extend to payment and electronic money institutions as well as credit institutions and MiFID investment firms.

This means that many fintech companies, including payment services and e-money firms, will be subject to regulatory guidelines on outsourcing for the first time. This was by design – the EBA resisted calls in its consultation to apply the Guidelines in a proportionate way to smaller fintech businesses (including payment services and emoney firms), which is an acknowledgment that fintech businesses have become more mainstream. Nevertheless, some fintech firms remain outside scope, for instance account information service providers and InsurTech businesses that are authorised pursuant to the Insurance Distribution Directive ((EU) 2016/97) (IDD).

Outsourcing and critical or important functions

The Guidelines define “outsourcing” as, “an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself”.

The reference to functions that would otherwise be undertaken by the institution should not be taken at face value. There are many functions that a firm may never perform itself, but the Guidelines confirm that it is sufficient that a function would normally fall within the scope of functions that would or could realistically be performed by in-scope firms even if the institution has not performed this function in the past itself.

The Guidelines do at least carve out certain types of function from falling within the scope of outsourcing, including functions that are legally required to be performed by a service provider (for example, statutory audit), market information services (such as, Bloomberg, Moody’s, S&P, and Fitch) and global network infrastructures (for example, Visa and MasterCard).

The Guidelines define “critical or important functions” based upon MiFID II provisions and Commission Delegated Regulation (EU) 2017/565 (MiFID Organisational Regulation), which include functions in relation to which, “if a defect or failure were to occur, would materially impair the continuing compliance of the firm’s activities and obligations”.

Where an outsourcing is critical or important, naturally more requirements are triggered under the Guidelines.

For payment services firms in particular (whether acting as the customer or the supplier), it is important to note that the Guidelines attach significance to whether the outsourcing is directly connected to the provision of banking  or payment services, which would point towards treating the outsourcing as critical or important.

The provision of a payment service now commonly involves various different parties (for example, a card issuer, a payment gateway, a card transaction processor, a card scheme and so on). The Guidelines explain that when an inscope firm intends to outsource functions of banking activities or payment services to an extent that would require authorisation by a competent authority of the supplier, this should also be considered outsourcing of a critical or important function.

Various consequences flow from an outsourcing being critical or important under the Guidelines, including:

• Outsourcing policy (discussed in more detail below) – this should differentiate between critical or important functions and other outsourcings.
• Business continuity plans (BCPs) – firms should have in place, maintain and periodically test appropriate BCPs in relation to outsourcings of critical or important functions.
• Due diligence on service providers – firms should ensure that the supplier has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (for example, human, IT, and financial), the organisational structure and, if applicable, the required regulatory authorisations and registrations to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the outsourcing.

The reference to the business reputation of the supplier is interesting as it might seem to suggest that firms should outsource only to suppliers with a proven track record. While that might be a fair starting point, I would not interpret this as a prohibition on outsourcing to early-stage businesses so long as the results of due diligence are otherwise satisfactory.

The Outsourcing policy

Although the concept of the outsourcing policy is not entirely new, the Guidelines require in-scope firms to implement a written outsourcing policy defining the principles, responsibilities, and processes relevant to each phase of the outsourcing lifecycle.

Many payment services and e-money firms will need to document and formalise existing processes that are not clearly set out in a single outsourcing policy.

The outsourcing policy should document firms’ internal risk management processes and define procedures for, among other matters:

• Notification of and response to changes from a service provider under an agreement.
• Renewal processes.
• Ongoing monitoring and assessment of supplier’s performance.

The processes set out in the outsourcing policy will set the framework for interfacing with suppliers. In effect, the processes contained in a firm’s outsourcing policy must be reflected in, or flowed down to, its outsourcing agreements.

We are seeing firms tackle this issue by issuing outsourcing addendums to their suppliers that are intended to form part of the outsourcing agreement, so that processes are reflected in their outsourcing agreements in accordance with their outsourcing policy.

The outsourcing register

The outsourcing register is a major new obligation, particularly for many payment services and e-money firms who may not have applied much formality to their outsourcing arrangements historically.

The Guidelines require firms to maintain an updated register of information on all outsourcing arrangements. This is proving to be quite a significant burden for firms who have not maintained detailed records in relation to outsourcings previously. Given that the regulators can require firms to produce a copy of their outsourcing register on demand, in practice this means that firms effectively need to maintain a live outsourcing register.

The information to be contained in the outsourcing register is detailed and includes, for example:

• A reference number for each outsourcing.
• Start date and as applicable the next contract renewal date, the end date and/or notice periods for the
  parties.
• A brief description of the outsourced function, including specific reference to data.

For critical or important functions, the outsourcing register should contain additional information including:

• Date of the most recent risk assessment and a brief summary of the main results.
• The individual or decision-making body in the institution that approved the outsourcing.
• The governing law of the outsourcing agreement.

Firms should include specific reference to the process for completing and updating the outsourcing register in the outsourcing policy.

Isn’t this just guidance?

The Guidelines state that national competent authorities (for example, the FCA and PRA) and financial institutions (the catch-all term for firms subject to the Guidelines) must make every effort to comply with the Guidelines. Although this falls short of an absolute obligation on firms to comply, the fact that the regulators are expected to effectively supervise firms’ outsourcing arrangements means that firms have little choice but to comply. In practice, we are not generally seeing in-scope firms or service providers trying to avoid complying with the Guidelines. I see the Guidelines as adding some granular detail to the high-level requirements of chapter 8 of the FCA’s Senior Management Arrangements Systems and Controls sourcebook (SYSC 8), the MiFID Organisational Regulation and so on, and they raise the bar in terms of the rigour that payment services and e-money firms need to apply to their outsourcings.

This was first published in Practical Law Financial Services as part of Jacob Ghanty’s payment services and e-money column: November 2019

• Share this blog

• Twitter
• Facebook
• Linkedin