Do you understand your outsourcing obligations?
The EBA Guidelines on outsourcing arrangements apply to investment, payment and e-money firms as well as banks. The guidelines were published in February 2019 and came into force in the UK on 30 September. At that time the FCA stated:
- “In-scope firms must make every effort to comply with the guidelines”.
If you are not FCA regulated, the guidelines provide an excellent best-practice baseline.
The guidelines cover various aspects of outsourcing arrangements:
- Assessing whether an arrangement is outsourcing,
- The governance framework around the relevant arrangements and
- The actual process of outsourcing.
Incorporating EBA guidelines in your outsourcing framework
- The guidelines touch on every aspect of an outsourcing arrangement, and as such, you’ll need to review the guidelines and consider how you should review your arrangements.
- You should give consideration to areas including due diligence, risk assessment, business continuity management and conflicts management.
- Alongside this, you will also need to make sure you have an outsourcing policy that’s aligned to the guidelines.
- A good outsourcing policy should cover the main phases of the lifecycle of outsourcing arrangements right from the setup of a new arrangement through the entire process, to the termination of an arrangement.
- The policy should cover the following as a minimum:
- The responsibilities of the management body including their involvement in making decisions on outsourcing of critical or important functions.
- Bear in mind that the management body is fully responsible and accountable for the firm’s strategy and its ongoing compliance as well as conflicts and risk management.
- The role that all relevant areas of the business play in the outsourcing arrangements, whether in terms of day-to-day contact with the third party or providing oversight and carrying out internal control functions.
How new outsourcing arrangements are planned, including:
- The definition of business requirements
- The identification of cases where critical or important functions are being outsourced
- Risk identification, assessment and management, including processes for assessing the impact of outsourcing arrangements on operational risk.
- The policy should include the use of scenario analyses and cost-benefit analyses.
- Due diligence on the service provider on an initial and ongoing basis, giving consideration to the third party’s reputation, abilities, expertise, resources, corporate structure and regulated status.
- Data considerations, including the location of data, whether that brings any additional risks, and the data security standards that the third party operates to.
- The identification and management of conflicts of interest, which is particularly important if you’re outsourcing or offshoring a process to another entity within the same group of companies.
- Consideration of business continuity planning arrangements at the third party and how well they fit with the same within your firm.
- How your BCP is invoked if the third party's service deteriorates to an unacceptable standard.
The approval process for new outsourcing arrangements
How outsourcing arrangements are monitored and managed on an ongoing basis, including:
- Performance assessment,
- Compliance and audit reviews,
- Notification of changes to the arrangement and
- Renewal processes.
- Exit strategies and termination processes:
- For every critical or important function, there should be a documented exit plan (assuming an exit is possible), taking account of possible service interruptions and unexpected termination scenarios.
Ultimately, the policy should provide a governance framework for all outsourcing arrangements you have in place, and it should demonstrate how you manage risks that the outsourcing arrangements might bring.