Is this announcement relevant to FS institutions?

The shortest and simplest answer is a big yes. Financial Services is EMEA’s largest outsourcing industry, generating a total contract value of £4.8 billion in 2017-2018[1]. This includes not only a wide range of traditional services such as IT Outsourcing (ITO) and Business Process Outsourcing (BPO) but also other core business services (e.g. debt recovery, anti-fraud, payment methods, real estate and cloud hosting).

The increasing appetite to outsource due to a range of drivers (as outlined in the Deloitte Global Outsourcing Survey 2018) implies that FS institutions potentially have to deal with a higher operational risk exposure, especially where critical and important functions are outsourced. Also, GDPR and cloud computing introduce new regulatory challenges with the risk of disruption in the business.

In response to this changing and challenging environment, the European Banking Authority (EBA) published, on 25 February 2019, the revised guidelines on outsourcing arrangements[2], incorporating the guidelines on outsourcing to cloud previously published in 2017. New or amended outsourcing arrangements must comply by 30 September 2019, while compliance for existing arrangements is required by the end of 2021.

The EBA has expanded upon existing regulation

The EBA regulatory text is more detailed and prescriptive than some other outsourcing regulations, including the UK’s SYSC8 Outsourcing rules, but the core themes are common across key regulatory jurisdictions globally. The general trend amongst global FS institutions is to define global outsourcing standards based on the key common themes and requirements in primary operating jurisdictions, and manage specific regional variations locally.

Notably, the EBA guidance builds on a trend towards greater convergence in requirements for intra-group and third party outsourcing. In many organisations, intra-group service management is significantly less established than the equivalent capability for third party outsourcing. While many FS institutions may already be compliant with the EBA’s outsourcing guidelines for third party outsourcing, the enhanced requirements for intra-group services may pose a greater challenge. Institutions must consider the effectiveness of their intra-group service management structures and capabilities, and explore synergies across their outsourcing capability.

Given the short timelines for compliance, FS institutions should ideally conduct a rapid assessment of existing outsourcing capabilities, frameworks and processes to identify and address gaps.

When assessing the impact, the EBA’s views of criticality and proportionality are key considerations. The guidance distinguishes between critical and non-critical services[3] and requires proportional application of the rules, taking into account an institution’s size, structure and the nature of its activities.

The key themes can be summarised using the Deloitte capability model for managing outsourcing relationships: 

The opportunity beyond mere compliance

When an FS institution needs to comply with a new regulatory requirement, it is generally perceived as an additional cost with no clear return for the business. In this case, however, compliance with the EBA guidelines on outsourcing represents a fantastic opportunity to improve the operation and robustness of the business.

By reviewing the sourcing strategy, institutions may find opportunities to create a competitive advantage (see a previous post on how FS companies can create a competitive advantage through a good sourcing strategy) so the requirement for a review to meet the regulation could prove timely. At the same time, by reinforcing the outsourcing policies (e.g. by including intra-group service providers) and improving the existing governance, FS institutions will significantly reduce their exposure to operational risk.

As stated before, EBA guidelines will come into force on September 30 this year - therefore there is no time to lose. Institutions should perform at least the following activities sooner rather than later:

  • Assess sourcing strategy
  • Review the current classification of critical and important services
  • Develop their intra-group service management arrangements
  • Adapt and renegotiate existing contracts with vendors
  • Reinforce the outsourcing policy
  • Design and agree an audit plan
  • Aggregate and revaluate the combined third party and intra-group operational risk
  • Consolidate the organisation of outsourced service management - monitoring the performance, continuity and exit plans

Sounds easy, does it not? Do not miss the boat!

-----------------------------------------------------------

[1] Arvato outsourcing index 2017-18.

[2] EBA guidelines on outsourcing arrangements.

[3] Definitions and guidance for assessing criticality of services outlined in EBA Guidance on Outsourcing Arrangements (EBA/GL/2019/02), Section 4: Critical or important functions.