Out-Law Analysis 4 min. read
05 Aug 2020, 9:28 am
There are options for those banks and other financial institutions subject to the European Banking Authority (EBA) outsourcing guidelines to meet their regulatory obligations in a way that is palatable to large technology providers, including those acting as sub-contractors, which often hold powerful bargaining positions in contractual negotiations.
Long and complex chains of sub-outsourcing can reduce institutions' ability to oversee their outsourcing arrangements and the ability of competent authorities to effectively supervise those institutions.
To address these risks, the EBA developed guidelines on outsourcing that set out a number of controls in respect of sub-outsourcing, particularly in respect of monitoring and oversight. One of the most challenging sub-contracting requirements to navigate in practice is guideline 79(b), which requires institutions, when outsourcing a critical or important function, to ensure that the service provider's sub-contractors grant to it and its regulators the same contractual rights of access and audit as those granted by the service provider.
The guidelines on access and audit rights are extensive. In particular, guideline 87(a) requires institutions and their regulators to have full and unrestricted rights of inspection, audit and access to their service provider's business premises, full range of devices, systems, networks and data used to provide the outsourced function. Under guideline 79(b), these extensive audit rights must also be procured from the service provider's sub-contractors.
The first point to be considered is when the audit rights are procured.
For example, if a variation agreement is being signed with a service provider to remediate an existing outsourcing agreement then is the service provider required to confirm on the date of signing that it has procured the audit rights? If so, it will not be able to sign the addendum until it has confirmed with all relevant sub-contractors that the audit rights will be provided to the institution. Depending on the number of sub-contractors involved this process can take some time as it will involve negotiations with each sub-contractor, including potential commercial discussions arising from the cost implications of the audit rights.
One option in this scenario might be for the institution to consider signing the addendum and including a forward looking obligation for the service provider to procure the audit rights. If so, remedies for failure to procure will need to be considered and the time period will need to be considered in the context of the longstop date for compliance with the EBA's outsourcing guidelines of the end of 2021.
Once the "when" has been considered the next major issue is the "how". Where a traditional power balance applies and the service provider has the upper hand in terms of negotiating position with its sub-contractors, then it may be a reasonably straightforward task for the main service provider to procure the same audit rights as it provides to the institution. However, where this traditional power balance does not apply, then it can be difficult for the service provider to commit to procuring the same audit rights.
For instance, this may be the case where: the service provider is a re-seller of part of the services; the sub-contractor in question only provides a small part of the outsourced services; or where a large hosting provider is the sub-contractor. In these instances, while the service provider may be able to procure certain audit rights from the sub-contractors, it may not be able to procure the same audit rights.
One option is for the financial institution to engage with the sub-contractor in question and seek to negotiate EBA-compliant audit rights directly. Where a hosting provider is the sub-contractor, for example, then it may be a sub-contractor for more than one of the institution's outsourcing providers and equally may even be a direct supplier of services to the institution in its own right under a separate contract. If this is the case, then the financial institution will be able to leverage its position to negotiate better audit rights than the main service provider is able to.
One challenge with this approach is that where the financial institution is successful in negotiating EBA-compliant audit rights with the sub-contractor, they may not, and are probably unlikely to be, the same audit rights as it has with its service provider. Accordingly, there is a compliance risk when read against guideline 79(b). Institutions will need to gauge the risk of the audit rights not being strictly the same in the context of it having EBA-compliant audit rights with its service provider and the relevant sub-contractors.
Another option is for the financial institution to tailor its audit rights with the main service provider to something which is more palatable to the sub-contractor. This might include, for example, by using third party certifications and audit reports as interim steps before the right to an on-site audit arises. Where the sub-contractor in question is a core part of the outsourced service, and therefore significant risk sits with it, then this approach may be worth considering. This approach also has the advantage of meeting the requirement of regulatory hurdle of guideline 79(b) of having the "same" audit rights. However, institutions will need to weigh up whether deriving the benefits of placating a subcontractor is worth compromising the fulsome audit rights it can otherwise procure from the service provider.
The challenges posed by the requirement to procure the same audit rights from sub-contractors can therefore be challenging, but in our experience working on projects to update outsourcing contracts to comply with the EBA's outsourcing guidelines, it is not one which is insurmountable.