EBA Guidelines on Outsourcing Arrangements: the 4 Areas You Need to Look at to Become Compliant

by Arnaud Malardé

EBA Guidelines on Outsourcing: A Guide to EBA Compliance

The revised European Banking Authority or EBA Guidelines on Outsourcing  came into effect on September 30th of 2019. They update former guidelines on the subject from 2006 and specifications on cloud services outsourcing from 2017.

They apply to a broader audience than the previous rules: now including not only banks but also credit institutions, investment firms, electronic money institutions and payment providers, all of whom must abide by these guidelines.

Also, the guidelines offer a broader definition of outsourcing and bring a special focus on “critical activities”:

• Outsourced: an authorized entity’s use of a third party to perform activities that which would normally be undertaken by the authorized entity
• Critical: activities of such importance that any weakness or failure could have a significant effect on the authorized entity’s ability to meet its regulatory responsibilities and/or to continue in business

In practice, it means that any service provided by a third-party that supports core banking activities falls into these guidelines. Most IT and cloud services do. On the contrary, services like cleaning, catering, lawyers or consulting do not belong to this category. 

It really is a call to action for European banks to secure their outsourcing processes and equip themselves with the right tools to be compliant with the EBA guidelines on outsourcing. Failing to do so would imply severe consequences: 

• Top management dismissal
• Banking activity limitations
• Suspension of banking authorization 

On the other hand, complying with these guidelines ensures a better risk position and therefore a competitive advantage in the industry. This advantage spans further than the sole European banking market. In fact, the Federal Reserve Board (FRB) has somewhat similar outsourcing guidelines  for the US market in 2013.

Let us have a detailed look at the obligations that financial institutions are facing and how they can be compliant with these guidelines.

General principals

According to the EBA guidelines , outsourcing an activity shall never:

• Transfer bank’s senior management responsibility of running core management functions (e.g, risk strategy & oversight of business operations)
• Impair supervisory bodies’ control
• Impair risk management obligations
• Concern deposit or lending activities

EBA Requirements for outsourced activities

Financial institutions must check all these boxes if they want to be compliant with the EBA guidelineson outsourcing:

• Sufficient oversight resources. On this aspect, the EBA introduces the concept of proportionality. The resources (people, but also tools and processes) dedicated to managing outsourcing arrangements must be in proportion to the individual risk profile of the financial institution and the scale and range of its activities. In addition, the complexity of the outsourced functions is also something to be considered.
• Strict control and governance framework (even when activities are offshored) with a detailed outsourcing policy 
• Clear understanding of outsourcing limits and exposure 
• Detailed third party risk management (including concentration risk & subcontractors’ risk)
• Exit strategy for any outsourcing arrangement
• Contingency plans (alternate supplier or re-internalization plan)

If resources allocation lies in the hands of a financial institution’s management, a comprehensive source to pay platform such as Ivalua can help with all other requirements. Let us have a more comprehensive look at some of these.

1. Control and governance framework

The EBA  guidelines on outsourcing stipulate that a bank must create, approve and regularly update a detailed outsourcing policy. Also, it is responsible for its enforcement.

This requirement can be addressed using Ivalua. First, as a repository of policy documents, specifying expiry dates and offering the notifications need for an update when relevant. Furthermore, it can be the vehicle to enforce policies across the complete Source-to-Pay process. Critical outsourced activities can go through specific approval workflows (e.g., including compliance teams or ensuring that dedicated clauses are signed off by suppliers).

2.Clear understanding of outsourcing limits and exposure 

Financial institutions must identify clearly within their current agreements those which concern outsourcing activities, determine if they are critical and performed from a third country (i.e, a country which does not recognize the EBA authority). They must provide exhaustive information about critical outsourcing contracts.

To support this imperative need, Ivalua offers an Outsourced Agreements Register. This is where all outsourcing arrangements can be stored with a unique identifier. They can be qualified according to the type of outsourcing (Outsourced, Subcontracted or Intra-Group), its criticality (Critical, Non-Critical) and its offshoring dimension (Yes/No). Depending on the type of agreement we are considering, some dedicated fields will be triggered to populate more specific information. For example, in the case of a critical activity being outsourced, the following evidence may be required: dates of last and next contract audit, identified alternate supplier, substitutability and re-integration assessment plan.

This register offers a clear view of the outsourcing exposure. The data from this register can be reported on to satisfy any auditing or supervisory request, either on a regular basis or on demand. 

3.Outsourcing lifecycle management

Financial institutions must prove they have an efficient outsourcing lifecycle management process. They must be in control of every step of this lifecycle from start to end. This means that they must conduct several checks before entering into any new outsourcing arrangement or before renewing an existing one:

• Analyze the criticality of the outsourced activity
• Ensure supervisory conditions are met
• Perform a supplier due diligence
• Assess potential risk (including potential conflicts of interest)

However, this lifecycle does not end with the supplier selection as subsequent steps are of vital importance too:

• Ensure a sound contractual framework
• Assess supplier performance according to contract expectations
• Appropriately manage the end of the outsourcing arrangement
• Continuously assess risk

With Ivalua, you can manage the entire lifecycle of an outsourcing arrangement from selecting the supplier to contracting, evaluating its performance in accordance with the contract and implementing exit strategies if need be. 

Sourcing events for outsourcing activities would embed a criticality assessment questionnaire to be filled in by internal stakeholders. If it appears that a project concerns a critical activity, some additional steps would be required. For instance, suppliers would have to agree to certain clauses before having access to the request for proposal. These clauses would be mentioned in the final contract as well. The supplier obligation to let supervisory authorities have a complete access to data related to the service is an example of such a clause.

To guarantee all precautions have been taken before entering into a critical outsourcing agreement, an approval workflow will be triggered prior to awarding the service to any potential supplier. This workflow will incorporate an Internal Audit or Compliance Team review/approval before going forward with the selected supplier.

To make sure the rest of the process goes as smoothly, our solution offers dedicated contractual capabilities, performance and exit strategy management.

4.Third Party Risk Management

Financial institutions must strictly and permanently assess, manage and mitigate their third-party risk, including subcontractor exposure (i.e, fourth-party risk). Special attention must be paid to critical outsourced activities and risk due diligence must be performed even before entering into any agreement.

Ivalua Risk Center supports financial institutions to be compliant with their risk management obligations. It allows them to establish a comprehensive supplier risk mapping with a direct view into the subcontractors and their risk level. This dynamic risk picture aggregates internal and external risk data sources from your preferred providers (e.g, Dun&Bradstreet, Ecovadis). People in charge may receive contextual alerts in case of a rising risk exposure and take proper mitigation plans within the tool.

Ivalua solution is already supporting the compliance strategy of several top European banks.