EBA provides criteria for 'pooled audits' in CEBS update

The checklist is contained in draft new guidance (62-page / 519KB PDF) the EBA has prepared on outsourcing. The guidance, once finalised, will update the existing Committee of European Banking Supervisors (CEBS) guidelines on outsourcing that have been in place since 2006. Plans to update of the CEBS guidance were previously outlined by the EBA.

The draft new guidance represents an attempt to align statements with a number of specific provisions of relevant EU law and other related guidance. This is a different approach to that taken in the 2006 guidelines and the cloud recommendations of December 2017. It is a positive development in moving towards greater clarity and simplification.

The guidelines when finalised will apply to credit institutions and investment firms subject to the Capital Requirements Directive, payment institutions and electronic money issuers.

What the proposed new guidance covers

The draft new CEBS guidance covers a wide range of issues that the EBA expects financial institutions to address when outsourcing some of their functions.

That includes institutions' governance of outsourcing arrangements, requirements relating to the contents of written outsourcing policies, management of conflicts of interest and the requirement to document outsourcing arrangements in an outsourcing register.

The draft guidance also addresses requirements around having business continuity plans in place, notification of the outsourcing of critical or important functions to regulators, due diligence on prospective suppliers and what should be included in outsourcing contracts, including in respect of data security and providing for audit and access rights, as well as arrangements around termination, exit and oversight.

The guidelines, when finalised, are intended to apply to outsourcing arrangements entered into on or after 30 June 2019, although the EBA has said that this is an indicative date only at this stage. Transitional arrangements will also apply to outsourcing arrangements that are currently in place or are agreed to before that date. That means that financial institutions will need to review their existing outsourcing arrangements and have – other than cloud outsourcings which need to be reviewed earlier –up until 31 December 2020 to comply with the guidelines, by which time the documentation of the existing arrangements will need to be up-to-date.

Pooled audits

When engaged in critical or important cloud outsourcing, banks must ensure they, or their auditors, as well as regulators, have rights to physically access the premises of service providers, such as cloud providers. The rules are designed to ensure that high levels of supervision, access to data, access to relevant personnel and to service provider premises are maintained in outsourcing environments.

In its previous guidance on outsourcing to the cloud, the EBA backed the use of 'pooled audits' by financial institutions. Pooled audits let multiple financial institutions arrange audits of their service providers' premises to take place at the same time and/or through the same third party auditors to help reduce the cost of those audits for both institutions and providers.

Now the EBA has set out conditions for financial institutions to meet when arranging pooled audits.

According to the EBA, financial institutions should only make use of pooled audits where they:

• ensure that the scope of the certification or audit report covers the key systems and controls identified by the institution and payment institution (i.e. processes, applications, infrastructure, data centres, etc.) and relevant regulatory requirements;
• thoroughly assess the content of the certifications or audit reports on an ongoing basis and verify that the report is not obsolete and that the certifications are issued and the audits are performed against widely-recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place;
• ensure that key systems and controls are covered in future versions of the certification or audit report;
• are satisfied with the aptitude of the certifying or auditing party (e.g. with regard to rotation of the certifying or auditing company, qualifications, expertise, re-performance/verification of the evidence in the underlying audit file);
• have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls and retain the right to perform individual audits at their discretion. The number and frequency of requests for scope modification is not defined but is said to be limited to what is reasonable and legitimate from a risk management perspective.

Opportunity to influence

Given that the EBA's cloud recommendations are only six months old and do not apply until 1 July this year it may surprise some to read that the EBA has sought to further clarify its position on issues such as identifying when an outsourcing relates to a critical or important function, the conditions of chain or sub-outsourcing and the extent to which pooled auditing arrangements and third party certifications can be relied on.

The consultation period, open until 24 September, gives a further opportunity for outsourcing providers, financial institutions and member state regulators to highlight to the EBA the many and varied practical issues which have arisen since the finalisation of the cloud recommendations and which require more precise specificity than that which is set out in the current draft.

Luke Scanlon is an expert in financial services and technology law at Pinsent Masons, the law firm behind Out-Law.com.