In recent years, in pursuit of cost reduction and efficiency improvement financial institutions around the globe have been increasingly interested in outsourcing their business activities to other institutions and specialised service providers. From asset management, where delegation of certain functions was a standard practice since decades, to small payment companies relying on specialised regulatory compliance service providers, there is almost no area of the financial services sector nowadays that has remained immune to the ever-increasing use of outsourcing arrangements. Moreover, rapid digitisation of the financial service sector, featured by more frequent use of cloud technology and specialised providers of IT-related services to financial institutions has just added more complexity into the game which immediately triggered the attention of financial regulators in the European Union.
ESA’s Guidance Framework
In attempt to bridge these gaps (to the certain extent) the European Supervisory Authorities (ESAs), European Banking Authority (EBA), European Securities and Markets Authority (ESMA and European Insurance and Occupational Pension Authority (EIOPA) have issued guidelines on outsourcing arrangements that stipulate standards and requirements that financial institutions under their respective supervisory remit need to fulfil when entering into outsourcing arrangements.
- EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02), see our explanation thereof here
- ESMA Guidelines on outsourcing to cloud service providers (ESMA50-164-4285), see our blog post thereof here.
- EIOPA Guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002)
What applies to whom?
Whereas EBA Guidelines apply to all types of outsourcing arrangements that financial institutions under its supervisory remit enter into, ESMA and EIOPA Guidelines are focused solely on one specific type of outsourcing arrangements that has attracted much of regulatory scrutiny lately, outsourcing to cloud service providers.
It is unquestionable that ESA’s Guidance framework on outsourcing has provided a valuable set of standards and requirements that financial institutions can follow when ensuring compliance with applicable requirements on outsourcing they may be a subject to under applicable sector specific pieces of EU and national legislation. However, there are small divergences between ESA’s Guidelines and such lack of full alignment brings financial institutions that find themselves under the supervisory remit of more than one European Supervisory Authority in front of significant challenges. Furthermore, given that ESMA and EIOPA Guidelines apply solely to outsourcing to cloud service providers, there is a great number of standard outsourcing arrangements that will still need to be structured in accordance with high-level regulatory requirements on outsourcing stipulated by applicable EU legislation that frequently falls short of providing clear guidance for financial institutions.
Nevertheless, the process of harmonization of rules on outsourcing and operational resilience of financial institutions in general seems to be far from over. As part of its Digital Finance Package published on 24 September 2020, the EU Commission has published a proposal for Regulation on digital operational resilience for the financial sector (commonly known as Digital Operational Resilience Act “DORA”) that aims to harmonize EU regulatory requirements on digital operational resilience in financial services. In the same vein, beside requirements on management of ICT risks, DORA aims to bring certain requirements on outsourcing arrangements, onto a legislative footing. Despite the fact that DORA may harmonize a number of questions related to outsourcing arrangements until it becomes operational (which from today’s point of view is hard to expect before 2023) financial institutions will have to ensure compliance with requirements on outsourcing in accordance with ESA’s Guidelines and applicable sector specific pieces of EU and national legislation.