ESBG: Improving EU outsourcing guidelines
28 September 2018
There is need for more clarity to distinguish between requirements related to outsourcing by banks that apply only to critical or important functions and to remaining functions, ESBG noted in its response to an EBA consultation on draft guidelines for outsourcing arrangements.
Submitted to the EBA earlier this month, the paper from the association of savings and retail banks in Europe also includes its position that requirements for intra-group outsourcing have been disproportionally increased. This could lead to even more outsourcing into the cloud – most often outside the European Union – as well as most likely to ratchet up costs and administrative burdens. ESBG proposes in the paper that the principle of proportionality be applied here as well as in relation to Institutional Protection Schemes or IPSs.
The proportionality principle should also be respected in relation to risk assessments, ESBG argues, and a clear reference to it would be preferred. Some exemptions should be made, however, for cloud outsourcing outside the European Union. This same principle should apply also to the introduction of new governance structures in line with the guidelines.
ESBG also proposes that:
-
The definition of outsourcing should be made more concrete, by including a temporal element. Furthermore, a list of activities definitely not considered outsourcing should be added to the guidelines.
-
The date of compliance is set too early in view of the stock of existing contracts which will be still in force by then. Existing contracts should be exempt to avoid renegotiation of these, while also asking for a later date of application in order for ESBG members to better prepare for the new guidelines. We also recommend six-month delay in the date of application.
-
The requirement of conducting due diligence on a services provider should be limited to the outsourcing of critical or important functions.
-
Monitoring of sub-outsourcing arrangements will be impossible for institutions also because of these being so numerous. A similar notion applies also to the notification of planned outsourcing as this could cause a flood of information to the supervisor without being clear whether veto powers are granted to them. ESBG is therefore against these provisions.
-
A cloud service provider certification regime for non-EU providers is needed, with the underlying standards to be defined by European authorities.
Full press release
Full position paper
© ESBG
