New Rules for Outsourcing by Banks, Payment Institutions and other institutions | Payment Services Law Blog | GÖRG Blog

New Rules for Outsourcing by Banks, Payment Institutions and other institutions

The European Banking Authority’s consultation on new Draft Guidelines

The European Banking Authority (EBA) published a draft of the EBA Guidelines on Outsourcing and launched a public consultation with regard to this draft on 22 June 2018. The consultation period closed on 24 September 2018. The new Guidelines will supersede the CEBS Guidelines on outsourcing from 2006 and are planned to enter into force on 30 June 2019.

In Germany, the KWG, ZAG, MaRisk and BAIT contain most of the regulation with regard to outsourcing. The EBA Guidelines on Outsourcing will add further provisions.

What’s new?

  1. Outsourcing Policy – The management body of institutions should approve and maintain a comprehensive written outsourcing policy and ensure its implementation. The draft contains new detailed requirements (compared to MaRisk).
  2. Pre-Outsourcing Analysis – Before entering into an outsourcing agreement, institutions should carry out an in depth pre-outsourcing analysis; the EBA Guidelines provide detailed new guidance with regard to this analysis.
  3. Outsourcing Register – Institutions should maintain a register with all outsourcing arrangements, distinguishing the outsourcing of critical or important functions and other outsourcing arrangements. The requirements with regard to the outsourcing register are very detailed (compared to the standards set by MaRisk). An outsourcing register template is provided on EBA’s website.
  4. Outsourcing within Groups – The EBA Guidelines provide in-depth regulation with regard to outsourcing within a group and conflicts of interest; parent companies are held accountable to a higher degree with regard to their subsidiaries.
  5. Outsourcing Agreements - The requirements in the EBA Guidelines on Outsourcing with regard to mandatory provisions in outsourcing agreements are detailed and extensive.
  6. Information to Regulator – Pursuant to the EBA Guidelines institutions should adequately inform competent authorities in a timely manner of planned outsourcing of critical or important functions, before they intend to enter into an outsourcing agreement.
  7. Exit Plans – Institutions should have a clearly defined exit strategy for all outsourcing of critical or important functions. Exit plans should be developed, documented and sufficiently tested.

What’s next?

Implementation of Guidelines

The EBA Guidelines on Outsourcing are expected to be finalised in spring 2019 and enter into force on 30 June 2019.The competent national authorities have to inform EBA whether they will implement the EBA Guideline within two months after the guideline has been issued. If a competent authority does not intend to comply, it must inform EBA of this and state the reasons for non-compliance (“comply or explain” principle). BaFin (as competent national authority) usually implements EBA Guidelines (i.e. incorporation in practices).

Compliance with Guidelines

Institutions will have to adjust their services, processes and outsourcing agreements to several new regulations in the EBA Guidelines in due time.

  • Assuming that the guidelines are implemented on 30 June 2019, all outsourcing agreements entered into on or after 30 June 2019 should comply with these guidelines.
  • Existing outsourcing agreements should be amended accordingly on the first review or renewal date.

Institutions have to prepare diligently and assess how necessary adjustments can be made, before the EBA Guidelines on Outsourcing come into effect.

  • xing
  • linkedin
  • twitter
Categories

,