The revised FINMA circular 2018/3 “Outsourcing – Banks” has now been in effect for nearly a year. Experience has shown that institutions are having a hard time particularly with the risk-oriented monitoring of their outsourcing providers (including any sub-contractors these may have hired).
While most have advanced quite far with the formal documentation requirements in their policies, inventories and risk analyses, there is still a way to go when it comes to implementing a robust outsourcing governance and ICS framework. However, before this can be addressed properly, a new challenge is already looming on the horizon for Swiss banks, one which will become more pressing over the next few months. It will especially affect Swiss banks that receive services from or render services to subsidiaries or branch offices domiciled and regulated in the EU. It will also affect Swiss banks that receive services from unaffiliated financial institutions domiciled and regulated in the EU.
EBA Outsourcing Guidelines
In view of the all-pervasiveness of digitalization and the increasing significance of FinTech companies as well as Cloud service providers, the European Banking Authority (EBA) decided to comprehensively revise the rather principle-based CEBS Guidelines on Outsourcing dating back to 2006. The result is the harmonized European framework published on 25 February 2019. It includes detailed requirements regarding outsourcing relationships for CRR credit institutions and investment firms, as well as for payment institutions and e-money institutions subject to PSD2 or the E-Money Directive, respectively. The recommendations on outsourcing to Cloud service providers published in 2018 were mostly integrated into the EBA Guidelines.
The requirements of the EBA Outsourcing Guidelines are very similar to those of FINMA circular 2018/3 “Outsourcing – Banks and Insurers” (FINMA’s outsourcing circular). However, while FINMA has deliberately chosen a principle-based approach and pointedly highlighted that the responsibility for actually implementing these principles lies entirely with the institutions, the EBA Outsourcing Guidelines set out detailed requirements in a 30-page document.
The EBA uses the term “outsourcing” much more loosely than FINMA and regards as outsourcing any contract between two parties, one being an institution affected by the new guidelines and the other being a service provider carrying out a (sub-)process, a service or a function on behalf of the institution. The EBA has also excluded certain services from the scope of the guidelines as a matter of principle. Depending on their size, organizational structure, type, scope and complexity, institutions may apply the principle of proportionality to outsourced activities. Just as under FINMA’s outsourcing circular, outsourcing relationships with group-internal companies have the same status as those with third parties. However, the EBA recognizes (as does FINMA) that the level of control is higher for outsourcing relationships that remain within the group, which may be taken into account accordingly in the risk assessment. The guidelines also foresee that Internal Audit should use a risk-oriented approach for an independent review of outsourced activities, for which the EBA provides a minimum set of focal points.
Institutions should in particular identify, evaluate, monitor, manage, report and possibly mitigate operational risks emanating from third-party relationships, regardless of whether these are outsourcing relationships or not.
A robust outsourcing governance framework should include the following elements:
- effective day-to-day management by senior management;
- effective oversight by the management body;
- a sound outsourcing policy and sound outsourcing processes;
- an effective and efficient internal control framework, including outsourced functions;
- identification, assessment, monitoring, management, reporting and, as appropriate, mitigation of the risks associated with the outsourcing of critical or important functions;
- appropriate plans for the exit from outsourcing arrangements of critical or important functions;
- effective supervision by the relevant authorities, including of the functions that have been outsourced.
When outsourcing critical or important functions that are required to fulfill CRR, CRD IV, PSD2 or E-Money Directive requirements, additional terms or minimum criteria apply. The EBA requirements concerning pre-outsourcing analysis, due diligence, registration, policies and contractual aspects far outstrip FINMA’s outsourcing circular in their formal granularity.
The new guidelines will enter into force on 30 September 2019 and must be applied immediately to outsourcing relationships entered into after this date. There is a transitional phase for existing outsourcing relationships lasting until 31 December 2020, with an exception for Cloud outsourcing relationships. This means that Swiss banks have far less time to bring their existing outsourcing relationships up to speed than they have for those governed by FINMA’s outsourcing circular. Institutions concerned should therefore review their existing outsourcing relationships and undertake the necessary adjustments in a coordinated fashion. If the outsourcing relationships for critical or important functions cannot be reviewed by 31 December 2020, the “relevant authorities” must be informed, together with the recommended actions.
Although this is an EU regulation, Swiss banks with EU connections may very well be affected.
Swiss banks may be affected by EBA guidelines if they can answer the following questions affirmatively:
- Do you have a subsidiary or branch office in the EU that is subject to the EBA guidelines (MiFID II undertakings, credit institutions, etc.), and do you receive services from or render services to it?
- Do you receive services from a financial service provider in the EU subject to the EBA guidelines?
- Do you have sub-contracting relationships in the EU?
We recommend that Swiss institutions subject to the EBA guidelines carry out a gap analysis in order to determine to what degree the requirements already fulfilled under FINMA’s outsourcing circular also fulfill the requirements of the EBA guidelines, and which (if any) extra measures they need to take. Considering that FINMA’s outsourcing circular foresees a transitional period up to 1 April 2023 for existing outsourcing relationships that do not require any significant changes, and that many institutions have not finished implementing the new governance and ICS framework, the new EU requirements should be relatively easy to integrate into already existing projects. Nonetheless, institutions with numerous outsourcing relationships should carefully align the 5-year transitional plan offered in FINMA’s outsourcing circular with the shorter transition period of the EBA guidelines in order to become fully compliant.