Back to article list

Outsourcing in financial services – new and stricter guidelines

The European Banking Authority (EBA) has issued new and stricter guidelines on outsourcing arrangements, affecting all entities subject to its supervision, including payment and electronic money institutions. EBA’s guidelines have been prepared in response to the digitalisation of the financial sector, associated with a large number of new and complex FinTech outsourcing arrangements. The guidelines will become effective on 30 June 2019.

The aim of the guidelines is to establish a more harmonised framework instead of the one that is currently fragmented into individual legal regulations of the EU and member states as well as various forms of supervisory bodies’ recommendations. Among other things, the guidelines will also affect the outsourcing of cloud services. At the same time, the guidelines define circumstances under which a certain function will be deemed critical, and additional obligations that will have to be fulfilled when such function is outsourced. 

First, it is necessary to assess whether the subject-matter of outsourcing is a critical function, testing a number of aspects, such as (i) assessment whether the outsourced function immediately relates to the provision of financial services; (ii) the method in which the outsourcing of a particular function affects the entity’s ability to provide financial services; (iii) the impact of outsourcing on risk management, compliance, audit, etc.

The guidelines’ applicability has been extended to cover intracompany outsourcing. This is a major change compared with the original guidelines of 2006 and will result in an additional administrative burden for the entities concerned. The good news is that cloud solutions will not a priori be regarded a critical function and will be subject to the same testing as other functions.

If the entity determines a function to be of a critical nature, it will subsequently have to fulfil a number of additional obligations set by the guidelines. These mainly affect risk management and the legal assessment of whether the particular entity is able and suitable to perform the outsourced function. It may be quite demanding to adhere to the guidelines, especially for FinTech companies as they will have to meet a number of strict requirements on management and control systems. 

We expect that the Czech National Bank will decide to follow these guidelines and that the institutions concerned will adopt all procedures arising from the guidelines on outsourcing into their internal regulations, contractual documentation, and internal processes within the set deadline.