|
The revised Guidelines deal with the responsibilities of the management body for the establishment of an appropriate framework for outsourcing, its implementation and application in a group, the due diligence process and risk assessment before entering in such arrangements. The Guidelines also clarify aspects related to the contractual arrangements, the monitoring and documentation of outsourcing arrangements as well as the supervision by competent authorities.
Against this background, the Guidelines specify that the responsibility of the institution's management body can never be outsourced. Outsourcing must not lead to a situation where an institution becomes a so-called ‘empty shell' that lacks the substance to remain authorised. Institutions must remain able to oversee all risks and to manage outsourcing arrangements. Institutions should be able to effectively control, challenge the quality and performance of outsourced processes, services and activities, and carry out their own risk assessment and ongoing monitoring.
The Guidelines set up a framework for the due diligence process of institutions with the objective of ensuring that functions are only outsourced to reliable service providers so that the ongoing provision of services and compliance with regulatory requirements is ensured. Institutions must ensure audit and access rights in written outsourcing agreements both for themselves and for competent authorities and are required to maintain a register of all outsourcing arrangements.
Comments to this consultation can be sent to the EBA by 24 September 2018. A public hearing will take place at the EBA premises on 4 September 2018 from 10:00 to 12:00 UK time.