The European Banking Authority (EBA) Guidelines will enter into force on 30 September 2019 and contain some transitional periods for implementing a register of all outsourcing arrangements and to agree on cooperation agreements between competent authorities or to reintegrate outsourced functions or move them to other service providers, if the requirements of the Guidelines cannot otherwise be met. The Committee of European Banking Supervisors (CEBS) guidelines on outsourcing of 14 December 2006 and the EBA recommendations on outsourcing to cloud service providers (EBA/REC/2017/03 – EBA Recommendations on Outsourcing to Cloud Service Providers) will be repealed with effect from 30 September 2019. The aim of the Guidelines is to establish a more harmonised framework for financial institutions, namely credit institutions and investment firms subject to the Capital Requirements Directive (CRD), as well as payment and electronic money institutions. In brief, the final guidelines inter alia:
- provide a clear definition of what is considered outsourcing;
- clarify the use of the term ‘critical or important functions’;
- specify the criteria to assess whether or not an outsourced activity, service, process or function (or part of it) is critical or important;
- deal with the responsibilities of the management body for the establishment of an appropriate framework for outsourcing, its implementation and application in a group, the due diligence process and risk assessment before entering in such arrangements;
- clarify aspects related to the contractual arrangements, the monitoring and documentation of outsourcing arrangements as well as the supervision by competent authorities;
- specify that the responsibility of the institution’s management body can never be outsourced; and
- set up a framework for the due diligence process of institutions with the objective of ensuring that functions are only outsourced to reliable service providers.