EBA publishes revised Guidelines on Outsourcing Arrangements – adjustments to outsourcing management necessary


The European Banking Authority (EBA) published the final version of its Guidelines on outsourcing arrangements (EBA/GL/2019/02) on 25 February 2019 (EBA Guidelines). The EBA Guidelines aim at establishing a more harmonised framework for outsourcing arrangements of all financial institutions in the scope of the EBA’s mandate. This means the EBA Guidelines – unlike the old CEBS Guidelines on outsourcing – also apply to payment and electronic money institutions. The EBA Guidelines will enter into force on 30 September 2019, but contain some transitional provisions to give the institutions time to implement certain requirements and adjust to the significant changes in requirements for outsourcing arrangements.

Scope of application

To date, the relevant regulatory requirements for the outsourcing of typical institutional services are specified in the German minimum requirements for risk management (MaRisk) and the bank supervisory requirements for IT (BAIT). These requirements, which summarise administrative practice but essentially operate like legal rules, generally apply only to credit institutions and financial services institutions, although the German Federal Financial Supervisory Authority (BaFin) increasingly also expects payment and electronic money institutions to comply with AT 9 of MaRisk. By expressly extending the scope of the EBA Guidelines to such institutions, in future there will no longer be any doubt about the stricter regulatory requirements on outsourcing by payment institutions in accordance with the German Act on the Supervision of Payment Services (ZAG) and flexibility will exist only in the context of proportionality considerations.

The EBA Guidelines are to apply not only on a solo basis but also on a consolidated or sub-consolidated basis, whereby the scope of regulatory consolidation is decisive. In this respect the consolidation group is somewhat more narrowly defined than in AT 4.5 para. 1 MaRisk, according to which the material risks to be included in group risk management can also be caused outside the enterprises subject to consolidation. Of course it is clarified that the inclusion in a group for which no group waiver under Art. 7 Regulation (EU) No 575/2013 (CRR) was granted changes nothing regarding the responsibility of the grouped institutions to fulfil the requirements of the EBA Guidelines at institution level.

To create a harmonised framework for outsourcing arrangements, specific standards for outsourcing such as those in the Payment Services Directive 2 (EU) No 2015/2366 and in the MiFID II (Markets in Financial Instruments Directive) regulatory package are also taken into account for the EBA Guidelines, as are the EBA recommendations for outsourcing to the cloud (EBA/Rec/2017/03), which are integrated into the EBA Guidelines and thus become void when they come into effect.

Definition of outsourcing

The content of the EBA Guidelines generally applies to all outsourcing arrangements by institutions. The key term of ‘outsourcing’ is defined as an arrangement between one of the institutions listed and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution itself. As before, outsourcing does not require, however, that the institution previously performed the service itself. Instead, outsourcing can be present even if an institution has not yet performed the service itself but considers it to be among the functions expected to be performed by such an institution. Unlike in the consultation paper of June 2018 for the EBA Guidelines, the EBA Guidelines contain examples of what is not to be considered outsourcing according to this standard. This includes all functions which must be performed by certain third parties under applicable law (e.g. year-end audit), global network infrastructure (Visa and MasterCard are stated as examples) and agreements on clearing and settlement with the institutions concerned. In addition, for illustrative purposes, services such as architectural services, legal opinions, cleaning and caretaker services or catering services are listed as services that would not otherwise be performed by the institution and are thus not considered to be outsourcing. This list of exceptions is welcome, since it should help avoid future discussions with internal and external auditors about the classification of certain services as outsourcing.

Outsourcing of critical functions

While the EBA Guidelines apply to all outsourcing, within the requirements listed by the EBA Guidelines a distinction is made between the outsourcing of critical or important functions, to which certain higher standards apply, and other functions for which the stricter requirements are not to be observed. The institutions must therefore check whether a function is to be classified as critical or important. The EBA Guidelines set related standards by means of various factors, some of which require the corresponding classification when they are present and others of which are at least to be taken into account in the classification. For example, a critical or key function is assumed if its defective performance would significantly impair compliance with the permission requirements, financial efficiency or reliability and continuity of the institution’s transactions requiring permission.

Limitations to outsourcing

Bans on outsourcing are only addressed in the EBA Guidelines insofar as they define that outsourcing cannot lead to a delegation of the management’s responsibility and that an institution cannot become an empty shell without sufficient substance. What this means in detail depends on the institution. However, this does not mean per se that an institution may not outsource a certain function. Instead, institutions which are part of a bank supervisory group or a member of an institutional safeguarding system are allowed to outsource the risk control function to a service provider within the group or institutional safeguarding system, provided the proper provision of the outsourced activities is checked, e.g. by appropriate reporting processes. Similar requirements also apply to the outsourcing of outsourcing management (see below), which is also possible within the group or an institutional safeguarding system. In addition, outsourcing restrictions can arise due to the fact that otherwise the requirements for proper outsourcing cannot be met (for example because overly large risks were found during the necessary risk assessment of a planned outsourcing).

From a purely practical perspective, according to the EBA Guidelines the competent supervisory body should be able to intervene before an overly extensive outsourcing because it is planned that institutions, if they intend to outsource a critical or important function, should also first contact the supervisory authority, as in the case of material changes in such outsourcing. That is certainly noteworthy and gives rise to questions of compatibility with German law, because according to the current legislation, only payment institutions and electronic money institutions must notify their intention to carry out significant outsourcing and other institutions must only do so in special cases, especially if they intend to outsource internal safeguarding measures and are required to report this under the German Money Laundering Act (GwG).

Outsourcing management

The EBA Guidelines require institutions to establish an outsourcing function or at least designate a managerial/senior staff member from one of the control functions as the officer in charge of managing the risks associated with outsourcing. For smaller and less complex institutions there is a simplification provided in that they must ensure at least a clear division of tasks and responsibilities with regard to outsourcing management and the outsourcing function can be performed by a member of the management body. That is essentially nothing new for German institutions, because AT 9 para. 12 MaRisk, since its revision in 2017, already requires centralised outsourcing management depending on the type, scope and complexity of the outsourcing activities, but institutions will still have to take a look at themselves to see whether their outsourcing management meets the new requirements. It will be interesting to see in practice how institutions handle the requirement of being able to reverse the outsourcing of critical or key functions within a reasonable timeframe, transfer the performance of tasks to alternative service providers or hire the functions concerned themselves. Thus it is not clear whether this demand is also meant to apply to outsourcing within the group or safeguarding system too and thus goes beyond the current rules for action options and exit processes in MaRisk. It would be at least conceivable to classify the rules in Title 1 of the EBA Guidelines on such outsourcing as special.

For many institutions, the requirement for a written outsourcing policy will not generally present new challenges since a defined process for outsourcing is normally part of a proper business organisation. Of course, adjustments to any existing outsourcing strategies may be required, given the very firm demands in some cases. However, a carefully compiled outsourcing policy should not be seen just as an expense but as an aid in fulfilling the numerous obligations. This is because the policy should reflect the substantive requirements for outsourcing (e.g. by defining responsibilities for taking certain actions) and thus ongoing compliance with those requirements can be well supported by appropriate procedures.

Requirements in terms of content

The requirements in terms of content that are to be fulfilled in the case of outsourcing according to the EBA Guidelines concern in particular the handling of conflicts of interest, risk analysis, documentation requirements, the selection processes for service providers, contract content, control of the outsourced functions, possible exit strategies and outsourcing of functions to third country service providers.

What the EBA Guidelines expressly require is the identification and appropriate handling of conflicts of interest which arise in connection with outsourcing. This is intended to include, in the case of outsourcing within the group or an institutional safeguarding system, the agreement on commercial terms for the outsourced services as with third parties. Also, the practical effectiveness of contingency plans for the outsourced areas will become more important, just like risk analysis. Admittedly this must already be done under MaRisk, but in future it will have to be more elaborate, since a large number of factors is specified which must be taken into account in the risk analysis.

For most institutions, the requirements of the EBA Guidelines for proper documentation of outsourcing should not be totally new, because this is part of functioning outsourcing management according to AT 9 para. 12 MaRisk. However, the requirements concerned become much more detailed and more comprehensive when an institution’s own register is required in which various details on existing and completed outsourcing arrangements are to be recorded.

Not explicitly mentioned in MaRisk to date, but possibly also an element of a proper business organisation, is the requirement to conduct due diligence checks on service providers before hiring them. This checking requirement is made an explicit requirement in the EBA Guidelines, while in turn various factors are listed which are to be taken into account in the check.

Adjustments will also be required at institutions in respect of the minimum content of outsourcing agreements. This relates mainly to contracts for the outsourcing of critical or important functions for which a list of necessary content is provided which goes beyond the current standard in AT 9 para. 7 MaRisk.

Further, the EBA Guidelines provide for a raft of requirements for ongoing monitoring and control of outsourcing and the possible exit from outsourcing, which are not substantially new but correspond to what many institutions are already implementing today.

In addition, the EBA Guidelines require that certain conditions are met in scenarios where an institution outsources services, the performance of which requires authorization or registration by the competent authority in the Member State where it is authorized, to a service provider located in a third country. In this case the service provider shall be accordingly authorized by the competent authority in the third country and a cooperation agreement between the regulator of the institution and of the service provider shall be in place to ensure an adequate supervision of the service provider and the cooperation required for the competent supervisory authority of the institution to fulfil its supervisory tasks. This, however, should in practice not result in a material hurdle for institutions in Germany as typically the performance of outsourced services as such does not require an authorization.

Entry into force and implementation periods

The revised EBA Guidelines will enter into force on 30 September 2019. For existing outsourcing arrangements, however, the institutions will be given a transitional period to get their outsourcing into line with the requirements of the EBA Guidelines. Unless it is to do with outsourcing to providers of cloud solutions, these requirements are to be implemented at the next contract update but no later than 31 December 2021.

However, that does not mean the institutions covered can initially remain inactive. Instead, they should quickly take the necessary measures, for example to adapt their outsourcing policy, risk analyses and the other internal processes in such a way that they are in line with the new requirements. This is advisable especially because the transitional rules clearly refer only to the documentation of existing outsourcing arrangements. It therefore appears advisable for institutions not to wait for the German translation of the EBA Guidelines or the confirmation from BaFin before applying the EBA Guidelines. Instead the time until then should be used, although it cannot be ruled out that BaFin will place one or two different emphases which may possibly require a subsequent adjustment of the processes.