In the current context of low interest rates, financial institutions' margins are under quite a bit of pressure. As a result, outsourcing is on the rise. Usually considered one of the most effective ways to achieve cost efficiency while enhancing agility, outsourcing allows financial institutions to rapidly introduce digitalization in their business models and to use fintech more seamlessly. This upward trend is particularly strong in Luxembourg, many of whose financial players are subsidiaries of foreign groups and thus long accustomed to outsourcing.
Aiming for a more harmonized governance framework for outsourcing, the European Banking Authority (EBA) has recently published the final version of its revised guidelines on outsourcing arrangements. These guidelines are applicable to credit institutions and investment firms subject to the Capital Requirements Directive, as well as to payment and electronic money institutions; they ensure a level playing field for these different types of institutions. It is also worth mentioning that the guidelines are consistent with the requirements on outsourcing under the Payment Services Directive (PSD2) and the Markets in Financial Instruments Directive (MiFID II), which ensures that institutions will be able to apply a single framework on outsourcing for their banking, investment, and payment activities and services.
What's in the guidelines?
The guidelines firstly bring some clarification on which type of arrangements with third parties should be considered outsourcing, though some grey areas nevertheless remain. They also provide guidance on categorizing outsourcing arrangements as critical or important, i.e. as having a higher impact on the risk profile—such arrangements are subject to stricter requirements.
The guidelines furthermore underline that responsibility for outsourced activities always remains with the management body of the financial institution. To this end, and to avoid the creation of "empty shells", the management body should ensure that the institution allocates sufficient resources to adequately manage those responsibilities, especially regarding oversight of all risks and management of outsourcing arrangements. Oversight should be allocated to business functions, but management, the risk committee, and the board of directors should also have a role in ensuring appropriate governance of the processes and their alignment with the business strategy and risk appetite.
As regards service providers located in third countries, the guidelines require financial institutions to ensure compliance with EU legislation and regulatory requirements (e.g. professional secrecy, access to information and data, protection of personal data) especially when outsourcing relates to critical or important functions.
Finally, the guidelines require competent authorities to identify and assess any outsourcing risk concentrations at individual service providers that could pose a risk to the stability of the financial system. In order to meet these needs, financial institutions will have to compile comprehensive documentation on outsourcing arrangements in the form of a standardized register to be provided to the authorities.
The guidelines will enter into force on 30 September 2019 and will apply to outsourcing arrangements concluded, reviewed, or amended after that date. Compliance of existing outsourcing arrangements with the guidelines should be ensured by 31 December 2021.
By those dates, institutions will have to perform a comprehensive review of their outsourcing processes, operational structures, and IT systems, as well as internal guidelines and contract documents, and adapt them to the new requirements, which are significantly more detailed and prescriptive than the existing requirements on outsourcing set forth in Circular CSSF 12/552 as amended. Indeed, this task will require the interaction of different areas such as organization/IT, procurement, risk control, information security, compliance, and legal. The analysis and implementation effort should therefore not be underestimated.