The Austrian parliament recently passed an amendment to the
Austrian Banking Act (Bankwesengesetz – BWG), introducing a
new statutory outsourcing regime for credit
institutions applicable from 3 January 2018.
Background
Credit institutions and other financial institutions have entered
into outsourcing arrangements for many years and outsourcing has
become increasingly important in this sector.
The reasons for outsourcing are diverse and include improving cost
structures, leveraging synergies, freeing internal resources to
focus on core functions, taking advantage of the capabilities of a
service provider or accessing new/enhanced technologies, etc.
Despite the increased importance of outsourcing, there is still
no harmonised outsourcing framework for credit institutions at a
European Union level [1]. Accordingly, in an attempt to increase
legal certainty and predictability of supervisory actions, the
Austrian legislator has now implemented a dedicated local law regime
(also) for credit institutions.
New outsourcing regime
The new national outsourcing regime introduced by Section 25 of the
Austrian Banking Act (BWG) sets out specific requirements that need
to be complied with before and during the outsourcing of material
operational banking functions. Conceptually, it follows the
outsourcing rules and principles set forth in MiFID II/Regulation
(EU) 2017/565 and PSD II.
Operational banking functions qualify as material if a failure in
their performance would significantly affect compliance with an
institution's obligations under the BWG, its solvency, its
liquidity or the soundness or continuity of any banking services
offered to its clients. Because the outsourcing of non-material
banking functions will not be subject to the statutory outsourcing
requirements, credit institutions should take particular care when
determining which functions are considered significant with regard
to their specific business model. The assessment of whether or not
an outsourced activity qualifies as a material operational banking
function needs to be carried out consistently and should be
documented accordingly.
As of 3 January 2018, all outsourcing arrangements will need to be
based on written agreements determining the scope
of services to be outsourced to an external service provider. As
one of the key requirements, the outsourcing must not undermine the
quality of the internal control mechanisms of a credit institution
or the ability of the Austrian regulator (FMA) to monitor an
institution's compliance with its legal obligations.
Third-country firms
As opposed to other supervisory laws, such as the Austrian Payment
Services Act, Section 25 of the BWG explicitly requires a
particularly high level of care and due diligence when outsourcing
functions to a third-country service provider. Specifically, the
institution must continuously monitor the political, legal and
economic developments in the third country to ensure that any
adverse developments do not impair the FMA's supervisory powers.
Outsourcing to third-country providers is therefore likely to
become more burdensome, and care should be taken especially in the
context of Brexit, when UK providers become third-country providers.
Specific requirements
The Austrian legislator has introduced a list of specific
requirements in an annex to Section 25 of the BWG, which contains
12 particular obligations that any outsourcing arrangement –
including intra-group outsourcings – will need to meet.
These requirements include, inter alia:
- Qualifications: Credit institutions need to ensure that the service provider has all relevant qualifications and authorisations and is reliable;
- Regular assessment: Credit institutions need to determine methods and criteria (eg performance indicators) according to which service providers are assessed on a regular basis;
- Monitoring: Credit institutions need to continuously monitor the performance of a service provider to react to any failures in due course. Thus, credit institutions still need to maintain appropriately skilled personnel resources;
- Termination: Credit institutions need to be able to terminate their outsourcing agreements if required and without any adverse effects on continuity and quality of any banking services provided to their customers;
- Contingency planning: Credit institutions need to prepare a contingency plan and ensure continuous compliance therewith to maintain customer data safety in case of IT system failures (if relevant for the outsourced activity).
While credit institutions already apply some of these requirements today to comply with the EBA/CEBS outsourcing guidelines, it should be ensured that current documentation and processes are in line with the new statutory – and thus legally binding – regime as of 3 January 2018.
Notification
Going forward, credit institutions will be required to notify the FMA of any new proposed outsourcings that they are about to enter into. Notifications thus have to be made before any functions are outsourced. The FMA may request information in relation to outsourcing agreements and/or the respective service providers. While credit institutions are not required to (actively) notify the FMA about existing outsourcing arrangements, the FMA is permitted to request information about these at any time. It therefore remains to be seen whether the FMA will increasingly request such information.
Next steps
To ensure compliance with the new outsourcing regime, institutions should review and, if necessary, revise their current processes and outsourcing arrangements to demonstrate that they have carefully assessed any risks associated with outsourcing and to comply with the new regulatory parameters. In particular, we recommend that credit institutions:
- determine which activities are currently outsourced;
- review any existing outsourcing agreements for compliance with the new rules and amend them as necessary;
- review existing and prospective service providers with regard to their abilities and reliability;
- establish/revise internal processes (due diligence, monitoring, etc) in order to comply with the legal requirements when outsourcing core operational functions;
- document their outsourcing processes in an outsourcing policy or revise their existing policies;
- establish (IT) contingency plans to the extent necessary; and
- notify the regulator of intended outsourcings.
Legal basis
Section 25 of the BWG on outsourcing
Footnotes
[1] However, in 2006, CEBS – the predecessor of EBA – published guidelines on outsourcing which have so far served as (soft law) guidance: CEBS Guidelines on Outsourcing