Tech providers must prepare for EBA outsourcing guidelines

On 30 September 2019, new outsourcing guidelines issued by the European Banking Authority (EBA) earlier this year will begin to apply. The guidelines set out a regime for financial institutions and payment companies to follow when assessing the suitability of outsourcing arrangements. This includes carrying out detailed risk assessments, due diligence of potential technology providers and ensuring that a number of specific rights and obligations are set out in outsourcing agreements.

While the EBA's outsourcing guidelines are not directly applicable to technology suppliers they will impact on those providers, and those suppliers that are unprepared risk missing out on business from financial services customers.

What has happened?

The EBA's predecessor (CEBS) published outsourcing guidelines for banks in 2006. They have not been updated since, although a separate set of 'cloud recommendations' were brought into force last year. This is the first significant update to guidelines on outsourcing for financial institutions in 13 years.

The EBA, as its name suggests, is a supervisory authority that is primarily concerned with credit institutions or banks. These guidelines however are not just directed at banks. The EBA sees it as its role to harmonise the framework for outsourcing arrangements for all financial institutions and payment companies. The new guidelines therefore will be relevant to many more businesses within the financial services sector than the previous ones. 

What risks do the guidelines address?

Financial regulators are required to take steps to protect the stability of financial markets. They supervise financial institutions and payment companies but they do not directly supervise the technology companies on which those businesses rely, although there is an ongoing discussion as to whether technology providers could become so critical to financial systems that they should be subject to direct oversight in the future. The EBA through these guidelines is seeking to address operational and broader risks which may have an impact on the ability of customers to rely on financial institutions. Outsourcing guidelines are necessary to ensure that any transfer of responsibility from regulated entities to their suppliers does not create greater risk for or disruption to the financial system.

Regulators are in particular concerned about concentration risk which may result from many financial institutions relying on a small group of technology providers. They are also concerned about deals where there are no suitable alternatives in the market to the technology provider. Regulators also take more notice where the service provider uses premises located outside the EU as this creates greater risk in respect of the regulators' ability to supervise.

Have the guidelines addressed these risks?

The final guidelines seek to address these risks by imposing obligations on financial institutions in relation to all of their outsourcing activities. One of the main controversies that arose during the consultation period for the guidelines were discussions that questioned whether the EBA overstepped the mark by creating rules that apply to all outsourcing arrangements instead of just critical or important ones. While the final guidelines are an improvement from the draft version, which placed a greater burden on financial institutions in terms of agreements that do not relate to the critical or important functions of a financial institution or payment company, there are now obligations which need to be observed in relation to all outsourcing arrangements.

The guidelines cover both critical and non-critical outsourcing arrangements, with stricter requirements applicable to the former. As a result, how an arrangement is classified will have a significant impact on the contractual protections customers will need to put in place to be compliant with the guidelines.  Technology providers therefore should assess and form their own views in line with the guidelines as to whether their technology and services relate to functions that are critical or important for their customers or non-critical and important, although ultimately customers will need to make their own assessments in order to meet regulatory expectations.

Will the guidelines reduce friction when negotiating with customers?

The guidelines do not address all of the issues that have created friction between technology providers and their financial institution customers over the years in relation to outsourcings which relate to critical and important functions.

• They do not remove the requirement for technology providers to agree to 'on-site' access and audits of data centres and other business premises.

• They require technology providers to get their whole supply chain to agree to the same rights in favour of the financial institution and the financial regulators who supervise them.
• They require technology providers to give regulators access to a wide amount of information about their business which may be commercially sensitive.

While the guidelines are a step forward in providing clarity they could have gone further and will need to be further explained by the EBA in some parts in order to remove doubts about what they mean.

What technology suppliers need to do

Generally, technology providers need to:

• understand that their customers will be reassessing all of their outsourcing arrangements, and may re-classify some arrangements as relating to 'critical or important functions' and others as not relating to critical or important functions – this may have an impact on the expectations the customer will have of its supplier in relation to the contractual provisions and the level of oversight the customer will require;
• ensure that their sub-contracting arrangements and supply chains are not opaque. Financial institutions and payment companies need to maintain oversight to comply with the guidelines;
• determine the extent to which they can agree to broad rights for customers to access their data and conduct on-site inspections and audits of the supplier's head offices, data centres and other operational premises. There are options for technology providers to rely on third-party certifications and audit reports in relation to their services. In most cases these cannot be used as the sole substitute for audits conducted by the customer either alone or as a 'pool' of financial institutions. However, on-site access could be couched as a last resort if other methods such as pooled audits or certifications are not adequate; and
• assess whether the location of data centres causes any issues for their customer in terms of meeting all of the guidelines.

There is also guidance for financial institutions when selecting service providers, to think about human rights and their social and environmental responsibilities and to make sure that the service provider acts in a manner consistent with their values and code of conduct. Suppliers need to have their position on these issues clear to help customers.

Technology suppliers also need to think about the extent to which they can assist financial institutions that wish to exit from the arrangements by migrating data and systems to another supplier. The guidelines require that exit plans be sufficiently tested. In practice, this can be a difficult step to take. Helpfully, the guidelines clarify how tests can be conducted to comply with the guidelines. Examples of activities that form part of a sufficient test include carrying out analyses of the potential costs, impacts, resources and timing implications of the potential transfer.

Understanding your customers' needs

Financial institutions need to take a number of practical steps to comply with the guidelines. Some of these steps require reliance on their suppliers for information, cooperation and assistance. Others may require specific contractual provisions to be put in place, including those relating to sub-contracting, access and audit rights and termination. Suppliers that have an in-depth understanding of the scope of the guidelines will be best placed to meet the needs of their customers and perhaps increase their market share.

Luke Scanlon and Yvonne Dunn are experts in financial services and technology law at Pinsent Masons, the law firm behind Out-Law.