Contracting under the EBA Guidelines on Outsourcing Arrangements
A best practice for financial institutions
Outsourcing of IT functions plays a fundamental role in the shift towards digitization in a constantly changing financial market. However, outsourcing also means losing control while remaining fully responsible for the outsourced functions. To balance the attendant risks and opportunities, the ‘EBA Guidelines on outsourcing arrangements’ provide a legal framework that financial institutions must comply with when negotiating outsourcing agreements.
The EBA Guidelines on outsourcing arrangements of September 30, 2019
The legal framework set out in the ‘EBA Guidelines on outsourcing arrangements’ (the Guidelines) concerns credit, payment and e-money institutions as well as investment firms (the financial institutions). Based on the article “Contracting Under the EBA Guidelines on Outsourcing Arrangements” published in the April issue of Computer Law Review International (CRi 2020, 50), Dr. Till Contzen outlines below the Guidelines’ requirements for entering into outsourcing agreements.
The Guidelines govern the outsourcing of critical or important functions. Those are arrangements under which a service provider repeatedly or continuously performs a function (or parts thereof) that would normally be performed by the financial institution itself. The Guidelines are directly binding only on the supervisory authorities in the EEA, which in principle adopt the Guidelines as their own administrative practice and, where necessary, must publish whether and to what extent they do not adopt them. In addition to the Guidelines, the administrative practice under national law in connection with outsourcing, e.g. section 25b of the German Banking Act (KWG) and AT 9 of the MaRisk, applies.
To minimize the risks of outsourcing, the underlying outsourcing agreement must regulate the parties’ relationship, their rights and obligations. In particular, it should address the following key issues in detail:
- Description of the outsourced function and financial obligations
Any ambiguities in the essential terms of the outsourcing agreement can lead to various setbacks, such as inadequate service provision by the provider, unreasonable charges or unsuitable service levels and penalties.
- Service locations
Changes to the service locations can drastically impact service quality, lead to security risks, drive up costs and even lead to non-compliance and fines.
- Sub-outsourcing
Sub-outsourcing can lead to a loss of control, as it pushes the function even further away from the client’s sphere of control.
- Security and business contingency plans
Failure to thoroughly examine and set out security and business contingency measures can backfire. Financial institutions must meet high security standards and any discrepancy on the part of the service provider can expose the financial institution to claims for damages, fines and even more severe consequences.
- Reporting, monitoring and auditing rights
Reporting obligations as well as monitoring and auditing rights are the financial institution’s and the competent authority’s instruments of choice (and are demanded by regulation) for keeping as much control over the outsourced function as possible. Not specifying these instruments leaves the financial institution with almost no potential influence on the outsourced function.
- Termination and exit
The various termination rights set out in the Guidelines operate as a means to gain influence over the outsourced function, provided the rights are addressed properly. Inaccurate exit strategies can lead to chaos instead of an ordered exit process, which in turn increases the risk of not being able to ensure business continuity.
These topics are often subject to intense discussion in negotiations and usually bear great risks if left unaddressed. Yet our experience shows that the importance of considering relevant statutes and (contractually) addressing them is often underestimated.
Financial institutions are well advised to prioritize compliance with the Guidelines (and other regulatory requirements) when entering into outsourcing arrangements. The best approach is a modular and clear set of contractual rules that can be integrated into any type of agreement.
The full article on this topic by Dr. Till Contzen (CRi 2020, 50) provides a more in-depth analysis of the risks and suggests solutions to ensure compliance with the EBA Guidelines on outsourcing arrangements.