Getting Ahead of the EBA’s Guidelines on Outsourcing Arrangements

Do you have the resources needed to evaluate existing outsourcing relationships and ensure ongoing compliance?

Requirements surrounding outsourcing in the EU are about to get tougher. Last month, the European Banking Authority (EBA) held a public hearing on its new draft guidelines on outsourcing arrangements. Financial leaders shared their thoughts, including concerns about their ability to effectively manage outsourcing relationships under the guidelines’ expanded scope.

The directive establishes a single framework for managing outsourcing relationships and requires detailed oversight of all of a financial institution’s service providers. It also represents a substantial expansion of the 2006 CEBS guidelines, which the new directive will replace.

The consultation period for the draft guidelines concluded on September 24, with the regulation set to go into effect on June 30, 2019. The tight turnaround doesn’t give financial institutions much time to audit their current processes and implement the EBA’s management framework, especially those working with hundreds to thousands of providers across the organization. The sooner financial institutions can get started, the better off they will be, both for compliance purposes and for the overall reduction of risk.

Key Requirements of the EBA Guidelines on Outsourcing Arrangements

Compliance with the EBA’s revised guidelines will require an organized, efficient process to assess risks associated with a company’s new and existing service providers. What will that look like in practice? Here’s an overview of several of the guidelines’ core requirements.

Establish a framework for outsourcing

The EBA’s outsourcing framework lists multiple areas for which financial institutions will be held responsible when working with service providers. The guidelines require:

  • Effective day-to-day management
  • Effective oversight of the management process
  • Sound outsourcing policy and outsourcing processes
  • Effective and efficient internal control framework
  • That risks are identified, assessed, monitored, managed, reported and, as appropriate, mitigated
  • Maintaining appropriate exit plans
  • That regulators are able to supervise outsourced arrangements

Document all service providers

Do you know who your company is doing business with? By 2019, complete, thorough documentation of service providers and sub-service providers, commonly known as 4th or Nth parties, will be a must. Putting strong data management practices into effect now will help financial institutions be prepared to meet the expected requirements.

Documentation requirements include a unique reference number for each service provider; a description of the outsourcing arrangement; the provider’s name and registered address; its country of registration, LEI and registration number; the countries where the service will be performed; and whether personal data will be processed.

Further, documentation will require an assessment of whether a service provider is critical or important, the reasons why it is considered as such and the date of the last provider assessment.

Conduct pre-outsourcing analyses

Before bringing on new service providers, there are three areas financial institutions need to focus on:

  • Assessment of criticality or importance
  • Due diligence
  • Risk assessments


A big piece of the EBA’s new guidelines is the assessment of criticality. Will a disruption at a service provider negatively influence compliance, financial and operational resilience or the services offered to customers? Outsourcing arrangements connected to core business functions should always be considered critical or important.

Financial institutions have a good handle on conducting due diligence and risk assessments, but it will be important to review current processes to make sure they align with the requirements formalized by the EBA.

Establish access, information and audit rights

The EBA’s guidelines aim to ensure there are measures in place to evaluate a service provider’s compliance. Financial institutions are on the hook to make sure service providers cooperate with authorities and allow access to business premises, including networks and data, and unrestricted rights of inspection. To meet this requirement, financial institutions will need to include this expectation in contracts for any outsourcing relationships.

Embracing RegTech for EBA Compliance

Outsourcing is now commonplace. The emergence of service providers has allowed financial institutions to offer customers more services, expand internal capacity and embrace digital transformation. For all its benefits, outsourcing is also a large source of risk.

The aim of the EBA’s draft guidelines is to make sure that organizations are only outsourcing to reliable service providers and ones that can maintain compliance with regulatory requirements. Having such a framework in place is good for business, increasing resiliency and mitigating financial, reputational and information security risks.

However, with so many outsourced partnerships across an organization, keeping track of them all, maintaining accurate data, conducting due diligence and monitoring for risk to meet EBA requirements will strain many organizations.

Leading financial institutions have married innovative technologies and regulation to address the regulatory requirements for managing outsourcing relationships. Automation technology provides a highly effective way to streamline onboarding, conduct thorough due diligence and monitor service providers against a set of controls. These tools enable companies to take a risk-based approach to monitoring service providers, based on the assessment of their criticality required by the EBA. By centralizing information, automation tools also make it simple to maintain documentation of service providers that is readily available to present to regulators.

In the end, monitoring service providers is about more than compliance. It’s about protecting an organization from a flood of risks, building healthy outsourcing relationships and propelling companies to new growth.

Learn more about how you can manage outsourcing relationships in line with the EBA guidelines with Opus’s technology solution, Hiperos 3PM.

Richard Saville
Solutions Consultant & GDPR Expert