The new final guidelines on outsourcing arrangements from the European Banking Authority (EBA), which apply to financial firms within the European Union (EU), are set to transform the nature of third-party relationships. However, firms have had little time to prepare; the guidelines are applicable from 30 September 2019.
For firms, the guidelines create a whole new level of governance, risk and compliance (GRC) activities for properly managing third-party relationships. Manual third-party risk management (TPRM) programs, based on spreadsheets and document sharing, look increasingly untenable.
The EBA outsourcing guidelines define outsourcing as “an arrangement of any form between an institution, a payment institution, or an electronic money institution and a service provider by which that service provider performs a process, a service, or an activity that would otherwise be undertaken by the institution, the payment institution, or the electronic money institution itself”. The guidelines replace previous guidance from 2006, as well as the more recent guidance on outsourcing to the cloud. Now there is one overall EBA document on outsourcing.
There is a wealth of detail within the guidelines that firms need to take time to explore. However, 10 headline activities they should undertake as soon as possible include:
- Note the deadlines – The guidelines “go live” on 30 September. This deadline will apply to third-party relationships “entered into, reviewed or amended” after that date. There is also a transitional period. Financial firms are expected to update their existing third-party relationships by 31 December 2021 at the latest. There is some fine print to these deadlines – for example, cloud computing arrangements – that should be looked at with care. However, realistically, December 2021 is a fairly tight deadline for a global bank to update thousands of contracts.
- Create or update a third-party register – There are specific requirements for a third-party register in the outsourcing guidelines, including which data fields must be included. Critical or important outsourced functions must be identified. As well, for outsourcing to the cloud, information on where data is actually stored is required. Firms also need to provide information about fourth parties for critical or important outsourced functions. The register has to be in a “processable electronic form.”
- Include third-party risk in the enterprise risk framework – Organizations should have an enterprise-wide risk management framework in place, and TPRM should sit within that, alongside related risks such as data privacy and cyber risk. The guidelines specifically note that firms remain “fully responsible and accountable for” operations outsourced to third parties. An “outsourcing officer” who is responsible for overseeing and managing the risks in third-party relationships needs to be appointed. Best practice is that this role sits within the risk team.
- Review the firm’s outsourcing policy – Firms need to overhaul their policies to reflect these new guidelines. They stipulate that senior management is generally responsible for compliance. In particular, UK firms will need to assign responsibility for outsourcing arrangements to individual executives under the Senior Managers & Certification Regime (SM&CR). Generally, policies should reflect the different types of outsourcing arrangements that can exist, and the involvement of various internal functions in outsourcing relationships. The policy should also talk about how outsourcing relationships are planned, implemented, monitored, and managed. Firms should pay particular attention to how the policy identifies and handles conflicts of interest in third-party arrangements.
- Refresh business continuity plans – Firms need to have robust business continuity plans in place, particularly for critical or important outsourcing arrangements. These should take account of potential events such as deterioration in the quality of the product or services provided, insolvency at a third party, and political risks in the third party’s jurisdiction.
- Know your fourth parties – When it comes to critical or important functions, contracts with third parties must now specify what may and may not be outsourced by the third party. When a third party outsources to a fourth party, it’s important to record this in the register of third parties. The guidelines include a number of other requirements for notifications, permissions, review of activities, and termination of the relationship. It’s important to note these in detail.
- Undertake a risk assessment – Prior to outsourcing a process or service, firms need to conduct a risk assessment of the impact that outsourcing will have on the operational risk at the organization. This should include a scenario analysis exercise that looks at issues such as concentration risk, the risk of insolvency at the third party, risks associated with sub-contracting, and political risks of the third party’s jurisdiction. This assessment should be regularly updated.
- Perform due diligence – Firms must thoroughly review any organization they intend to outsource processes or services to, taking into account issues such as business reputation, expertise, resources, and regulated status. Particular attention should be paid to the use of the firm’s personal or confidential data by the third party, as well as to the third party’s corporate culture and code of conduct.
- Update contracts – The new guidelines provide rich detail about the elements regulators expect to see captured in third-party contracts. Particularly for critical or important third-party relationships, organizations will need to review their existing contractual arrangements to see if they provide correctly for items such as sub-contracting to fourth parties, data security, and monitoring and audit rights.
- Provide oversight of third-party relationships – Now, firms must monitor their third-party relationships on an ongoing basis. The regulator expects firms to do this in a risk-based way, with the main focus on critical or important relationships. The EBA suggests firms look particularly for material changes in risk exposure, at the quality of information security, at levels of concentration risk, and at performance metrics, among other things.
The scale and scope of the EBA’s new outsourcing guidelines will require many financial services firms to consider a fresh approach to managing third-party relationships. The EBA’s demand that third-party risk be managed at multiple organizational levels makes manual approaches almost impossible to maintain.
It’s important to be familiar with the guidelines, and have an action plan in place. You can find the guidelines here.