European Banking Authority Proposes Updated Guidelines on Outsourcing by Financial Institutions
06/22/2018The European Banking Authority has launched a consultation on draft Guidelines on outsourcing arrangements. The proposed Guidelines are intended to update and replace the outsourcing guidelines issued in 2006 (by the EBA's predecessor, the Committee of European Banking Supervisors) that applied to outsourcing by credit institutions. The proposed Guidelines will have a wider scope, applying to all financial institutions that are within the scope of the EBA's mandate, namely credit institutions and investment firms subject to the Capital Requirements Directive, payment institutions and electronic money institutions. The proposed Guidelines also integrate the recommendation on outsourcing to cloud service providers that was published by the EBA in December 2017.
The proposed Guidelines set out a definition of outsourcing in line with delegated legislation under the revised Markets in Financial Instruments Directive. They cover: (i) proportionality and group application; (ii) the nature of outsourcing arrangements; (iii) the applicable governance framework; (iv) the outsourcing process; and (v) guidelines on outsourcing addressed to competent authorities. A separate Annex provides an illustrative template that could be used for complying with the requirement in the proposed Guidelines to maintain a register of all outsourcing arrangements at institution and group level where applicable.
The proposed Guidelines should be read in conjunction with the EBA guidelines on internal governance, the EBA guidelines on common procedures and methodologies for the supervisory review and evaluation process and the EBA guidelines on ICT risk assessment under the Supervisory Review and Evaluation Process. For payment institutions, the proposed Guidelines should be read in conjunction with the EBA guidelines on the information to be provided for the authorisation of payment institutions under the revised Payment Services Directive, the EBA guidelines on security measures for operational and security risks under PSD2 and the EBA guidelines on major incident reporting under PSD2.
The EBA will hold a public hearing on the proposed Guidelines on September 4, 2018. Comments on the consultation are invited by September 24, 2018. The EBA will then finalize the draft Guidelines and the CEBS guidelines will be repealed once the new Guidelines take effect.
View the consultation paper.
View the Annex.
View the online response form.
View the registration page for the public hearing.
View the Recommendation on outsourcing to cloud service providers.
Return to main website.