Only a fifth of firms understand their outsourcing obligations according to our poll on adoption of the EBA guidelines. The guidelines – which apply to investment, payment and e-money firms as well as banks – came into force last year and the FCA will expect them to be reflected in your outsourcing framework.
In our recent briefing on outsourcing, we ran a poll to find out how many of the attendees had considered the European Banking Authority Guidelines on Outsourcing Arrangements in the context of their own arrangements. The results showed that 79% of respondents reported that they either weren’t aware of the guidelines or that they were aware of them but hadn’t taken account of them in their arrangements. This reflects much of what we see on a day-to-day basis and puts the spotlight on the need for wider awareness of the guidelines and their content, and for their consistent adoption.
The guidelines cover various aspects of outsourcing arrangements, from assessing whether an arrangement is actually outsourcing to the governance framework around the relevant arrangements and the actual process of outsourcing. The guidelines were published in February 2019 and came into force in the UK on 30 September of the same year, with the FCA stating that “in-scope firms must make every effort to comply with the guidelines”.
Incorporating EBA guidelines in your outsourcing framework
So why are so many firms either unaware of the guidelines or failing to implement them fully? Part of the issue may be that firms simply aren’t aware of the application of the guidelines – wrongly assuming that because they’re published by the European Banking Authority, they may just apply to banks. That’s not the case: the guidelines in fact apply to investment firms, payment services institutions and e-money institutions as well as credit institutions.
So now you’re aware of the guidelines, what do you need to do? The guidelines touch on every aspect of an outsourcing arrangement and as such, you’ll need to review the guidelines and consider how you should review your arrangements. You should give consideration to areas including due diligence, risk assessment, business continuity management and conflicts management. Alongside this, you will also need to make sure you have an outsourcing policy that’s aligned to the guidelines.
A good outsourcing policy should cover the main phases of the lifecycle of outsourcing arrangements right from the set up of a new arrangement through the entire process, to the termination of an arrangement. The policy should cover the following as a minimum:
- The responsibilities of the management body including their involvement in making decisions on outsourcing of critical or important functions. Bear in mind that the management body is fully responsible and accountable for the firm’s strategy and its ongoing compliance as well as conflicts and risk management.
- The role all relevant areas of the business play in the outsourcing arrangements, whether in terms of day-to-day contact with the third party or providing oversight and carrying out internal control functions.
- How new outsourcing arrangements are planned including:
  - The definition of business requirements
  - The identification of cases where critical or important functions are being outsourced
  - Risk identification, assessment and management, including processes for assessing the impact of outsourcing arrangements on operational risk. The policy should include the use of scenario analyses and cost benefit analyses.
  - Due diligence on the service provider on an initial and ongoing basis, giving consideration to the third party’s reputation, abilities, expertise, resources, corporate structure and regulated status. You should think about data considerations including the location of data and whether that brings any additional risks and the data security standards that the third party operates to.
  - The identification and management of conflicts of interest, which is particularly important if you’re outsourcing or offshoring a process to another entity within the same group of companies.
  - Consideration of business continuity planning arrangements at the third party and how well they fit with the same within your firm. You should also include detail of how your own BCP could be invoked if the third party service deteriorates to an unacceptable standard.
  - The approval process for new outsourcing arrangements
- How outsourcing arrangements are monitored and managed on an ongoing basis including performance assessment, compliance and audit reviews, notification of changes to the arrangement and renewal processes.
- Exit strategies and termination processes – for every critical or important function, there should be a documented exit plan (assuming an exit is possible), taking account of possible service interruptions and unexpected termination scenarios.
Ultimately, the policy should provide a governance framework for all outsourcing arrangements you have in place and it should demonstrate how you manage risks that the outsourcing arrangements might bring. We often see firms whose outsourcing policies have content that’s driven solely by the FCA’s Senior Management Arrangements, Systems and Controls sourcebook, which has a far narrower view than the EBA guidelines. If this sounds like you, then now is the time to review your policy and make sure it’s up to scratch.