The EU regulatory framework on outsourcing – where are we now?

In recent years, in pursuit of cost reduction and efficiency improvement, financial institutions around the globe have been increasingly interested in outsourcing their business activities to other institutions and specialised service providers. From asset management, where delegation of certain functions has been standard practice for decades, to small payment companies relying on specialised regulatory compliance service providers, there is almost no area of the financial services sector nowadays that has remained immune to the ever-increasing use of outsourcing arrangements. Moreover, the rapid digitisation of the financial services sector, characterised by more frequent use of cloud technology and of specialised providers of IT-related services to financial institutions, has added further complexity, which immediately attracted the attention of financial regulators in the European Union.

ESAs’ Guidance Framework

In an attempt to bridge these gaps (to a certain extent), the European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), have issued guidelines on outsourcing arrangements that stipulate the standards and requirements that financial institutions under their respective supervisory remit need to fulfil when entering into outsourcing arrangements.

These include:

  • EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02), see our explanation thereof here
  • ESMA Guidelines on outsourcing to cloud service providers (ESMA50-164-4285), see our blog post thereof here.
  • EIOPA Guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002)

What applies to whom?

Whereas the EBA Guidelines apply to all types of outsourcing arrangements that financial institutions under its supervisory remit enter into, the ESMA and EIOPA Guidelines focus solely on one specific type of outsourcing arrangement that has attracted much regulatory scrutiny lately: outsourcing to cloud service providers.

Outlook

It is unquestionable that the ESAs’ Guidance framework on outsourcing has provided a valuable set of standards and requirements that financial institutions can follow when ensuring compliance with the outsourcing requirements they may be subject to under applicable sector-specific pieces of EU and national legislation. However, there are small divergences between the ESAs’ Guidelines, and this lack of full alignment presents financial institutions that find themselves under the supervisory remit of more than one European Supervisory Authority with significant challenges. Furthermore, given that the ESMA and EIOPA Guidelines apply solely to outsourcing to cloud service providers, there is a great number of standard outsourcing arrangements that will still need to be structured in accordance with the high-level regulatory requirements on outsourcing stipulated by applicable EU legislation, which frequently falls short of providing clear guidance for financial institutions.

Nevertheless, the process of harmonization of rules on outsourcing and operational resilience of financial institutions in general seems to be far from over. As part of its Digital Finance Package published on 24 September 2020, the EU Commission has published a proposal for a Regulation on digital operational resilience for the financial sector (commonly known as the Digital Operational Resilience Act, “DORA”) that aims to harmonize EU regulatory requirements on digital operational resilience in financial services. In the same vein, besides requirements on the management of ICT risks, DORA aims to put certain requirements on outsourcing arrangements onto a legislative footing. Although DORA may harmonize a number of questions related to outsourcing arrangements, until it becomes operational (which from today’s point of view is hard to expect before 2023) financial institutions will have to ensure compliance with requirements on outsourcing in accordance with the ESAs’ Guidelines and applicable sector-specific pieces of EU and national legislation.

FCA re-confirms temporary permission regime for inbound passporting EEA firms in case of a hard Brexit – the EU stays strict for now

Brexit will have an impact on the European and the UK financial market. Cross-border services will still be possible but the legal set-up will change and will get more complicated than the current passporting regime. Anyone who provides banking business or financial services in Germany without the appropriate license is committing a criminal offence. If charged, the person committing the criminal offence can become subject to a prison sentence (up to 5 years in case of intention and up to 3 years in case of negligence) or a monetary fine.

Outbound from the UK

If there is no implementation period when the UK withdraws from the EU, the UK will become a ‘third-country’ in relation to the EU and the current passporting regime will no longer cover the provision of financial services, payment services or the management and distribution of funds on a cross-border basis between the UK and continental Europe. Any UK person then providing any such business in Germany without the appropriate license, i.e., without a licensed set-up in Europe, will commit a criminal offence on a personal level.

The current political will in Europe does – at least at this stage – not cater for any easing of the strict criminal regime once the passporting rights of UK firms end due to Brexit.

Inbound to the UK

The FCA (backed by the UK Government) on the other hand just confirmed on October 10, 2018 that they are willing to protect the UK market by offering a transition period in case of a hard Brexit without a transition period. This will allow inbound EEA firms to continue operating in the UK within the scope of their current permissions for a limited period after the exit day, while seeking full UK authorisation. It will also allow funds with a passport to continue temporarily marketing in the UK while seeking UK recognition to continue to market in the UK.

The FCA expects the temporary permissions regime to come into force when the UK leaves the EU on March 29, 2019 and expects the regime to be in place for a maximum of three years, within which time, firms and funds will be required to obtain authorisation or recognition in the UK.

The FCA is currently consulting on the details of the rules it proposes should apply to firms and funds during the temporary permissions regime.

What to do?

Firms will need to notify the FCA that they wish to use the temporary permissions regime.  This will be an online process and the FCA expects to open the notification window in early January 2019.  The notification window will close prior to exit day. Once the notification window has closed, firms that have not submitted a notification will not be able to use the temporary permissions regime. The FCA will then allocate firms a period (‘landing slot’) within which they will need to submit their application for UK authorisation.  After exit day, the FCA will confirm firms’ landing slots so they can start to prepare their applications. The first landing slot will be from October to December 2019 and the last will be from January to March 2021.

The regime will work in a similar way for EEA investment funds with fund managers notifying the FCA of the funds they want to continue to market in the UK.  As with firms, the FCA expects to start accepting notifications in early January 2019 and the notification window will close prior to exit day. Once the notification window has closed, fund managers that have not submitted a notification for a fund will be unable to use the temporary permissions regime for this fund and will not be able to continue marketing the fund in the UK.

It remains to be seen whether the EU will align its supervisory authorities to a similar practice to ease disruption of the financial markets, should no deal be reached and the UK leave the EU on March 29, 2019.