Do you understand your outsourcing obligations?
The EBA Guidelines on outsourcing arrangements apply to investment, payment and e-money firms as well as banks. The guidelines were published in February 2019 and came into force in the UK on 30 September 2019. At the time, the FCA stated:
- “In-scope firms must make every effort to comply with the guidelines”.
If you are not FCA regulated, the guidelines still provide an excellent best-practice baseline.
The guidelines cover every stage of an outsourcing arrangement:
- Assessing whether an arrangement counts as outsourcing at all,
- The governance framework around the relevant arrangements, and
- The outsourcing process itself.
Incorporating the EBA guidelines in your outsourcing framework
- The guidelines touch on every aspect of an outsourcing arrangement, so you will need to work through them and decide how to review each of your existing arrangements against them.
- Give particular consideration to due diligence, risk assessment, business continuity management and conflicts management.
- Alongside this, you will also need to make sure you have an outsourcing policy that’s aligned to the guidelines.
- A good outsourcing policy should cover the main phases of the lifecycle of outsourcing arrangements right from the setup of a new arrangement through the entire process, to the termination of an arrangement.
- The policy should cover the following as a minimum:
  - The responsibilities of the management body, including its involvement in decisions on outsourcing critical or important functions. Bear in mind that the management body remains fully responsible and accountable for the firm's strategy, its ongoing compliance, and its conflicts and risk management.
  - The role that each relevant area of the business plays in the outsourcing arrangements, whether day-to-day contact with the third party, oversight, or internal control functions.
  - How new outsourcing arrangements are planned, including:
    - The definition of business requirements.
    - The identification of cases where critical or important functions are being outsourced.
    - Risk identification, assessment and management, including processes for assessing the impact of an outsourcing arrangement on operational risk. The policy should provide for scenario analyses and cost-benefit analyses here.
    - Due diligence on the service provider, initially and on an ongoing basis, considering the third party's reputation, abilities, expertise, resources, corporate structure and regulated status.
    - Data considerations, including where data will be located, whether that location brings additional risk, and the data security standards the third party operates to.
    - The identification and management of conflicts of interest, which is particularly important if you are outsourcing or offshoring a process to another entity within the same group of companies.
    - Business continuity planning arrangements at the third party and how well they fit with your own, including how your BCP is invoked if the third party's service deteriorates to an unacceptable standard.
  - The approval process for new outsourcing arrangements.
  - How outsourcing arrangements are monitored and managed on an ongoing basis, including:
    - Performance assessment,
    - Compliance and audit reviews,
    - Notification of changes to the arrangement, and
    - Renewal processes.
  - Exit strategies and termination processes. For every critical or important function there should be a documented exit plan (assuming an exit is possible) that takes account of possible service interruptions and unexpected termination scenarios.
Ultimately, the policy should provide a governance framework for all of your outsourcing arrangements and demonstrate how you manage the risks those arrangements bring.