This article assesses the regulatory requirements and recommendations for payment institutions and electronic money institutions (EMIs) in terms of their outsourcing arrangements. It looks at how such firms, when looking to enter into outsourcing arrangements, should arrange, supervise and manage those arrangements.
Directive 2013/36/EU (the Capital Requirements Directive) sets out the requirements for firms with regard to their governance arrangements. Outsourcing is one of the aspects that falls under governance arrangements.
We look at which arrangements with third parties should be considered as outsourcing and assess the criteria for identifying critical or important functions, as such functions have stricter requirements with regards to their outsourcing.
Definitions of key terms
Outsourcing is an arrangement between a firm and a service provider for the performance of a process, service or activity that would otherwise be undertaken by the firm itself. A function can be a process, service or activity. A critical or important function is a function considered critical or important to the operation of the firm. A service provider is a third party providing the outsourced function, service or arrangement.
Assessing critical or important functions
In order to assess whether a function is deemed critical or important, firms are required to pay particular attention to:
a. where a defect or failure in its performance would materially impair:
i. compliance with the firm’s regulatory licence conditions and its obligations under Directive 2013/36/EU, Regulation (EU) No 57/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC, and its other regulatory obligations;
ii. their financial performance; or
iii. the soundness or continuity of its banking and payment services and activities;
b. where functions are outsourced, unless their assessment establishes that a failure to provide the outsourced function, or its inappropriate provision, would not adversely affect the effectiveness of the internal control function;
c. where the functions intended to be outsourced require authorisation from a regulator.
As part of the assessment of the criticality of the outsourced function, where it concerns a firm’s core business lines, the firm should pay particular attention to Article 2(1)(35) and 2(1)(36) of Directive 2014/59/EU. Functions that are necessary for the firm to perform its core business activities will be considered critical functions. As part of this assessment, firms should consider the following:
a. whether the outsourcing arrangement is directly connected to the services for which they are regulated;
b. the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their:
i. short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses;
ii. business continuity and operational resilience;
iii. operational risk, including conduct, information and communication technology (ICT) and legal risks;
iv. reputational risks;
v. where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation;
c. the potential impact of the outsourcing arrangement on their ability to:
i. identify, monitor and manage all risks;
ii. comply with all legal and regulatory requirements;
iii. conduct appropriate audits regarding the outsourced function;
d. the potential impact on the services provided to its users;
e. the size and complexity of any business area affected;
f. the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying agreement;
g. the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so (‘substitutability’);
h. the ability to reintegrate the outsourced function back into its firm, where necessary or desirable;
i. the protection of data and the potential impact of a confidentiality breach or a failure to ensure data availability and integrity, in compliance with Regulation (EU) 2016/679.
A firm’s management should ensure that it is fully responsible and accountable for:
a. ensuring that the firm meets, on an ongoing basis, the conditions to remain authorised;
b. the internal organisation of their firm;
c. conflict of interests, including their identification, assessment and management;
d. setting the firm’s strategies and policies;
e. overseeing the day-to-day management of the firm, including outsourcing; and
f. the oversight role of the management team, including overseeing and monitoring its decision-making.
Outsourcing – minimum standards
As a minimum, firms should ensure that they:
a. take and implement decisions related to their business activities and critical functions, including those outsourced;
b. maintain the good conduct and orderly operation of their firm and of the regulated services they provide;
c. are able to identify, assess, manage and mitigate the risks, both current and prospective, arising from planned outsourcing;
d. have adequate confidentiality arrangements in place regarding data and other information;
e. maintain an appropriate flow of communication and information with service providers;
f. within an appropriate time-frame, are able to undertake at least one of the following actions:
i. transfer the function to alternative service providers;
ii. reintegrate the function (internally); or,
iii. discontinue the business activities that depend on the function;
g. where service providers process personal data in the EU or in third countries, ensure that appropriate measures are implemented and that data is processed in accordance with Regulation (EU) 2016/679.
Conflicts of interests
Firms should ensure that they are able to identify, assess and manage any conflicts of interests in relation to any outsourcing arrangements. Where outsourcing creates conflicts of interests between them and the service provider of the outsourced function, they must take appropriate measures to manage those conflicts of interest.
Where a firm outsources a function to a service provider that is part of the same group or is owned by the firm, it should ensure that the outsourced service is provided at arm’s length.
Business continuity plan
In accordance with Article 82(2) of Directive 2013/36/EU, firms should maintain and periodically test their business continuity plan with regard to any outsourced critical or important functions. Their business continuity plan should consider events in which the provision of the outsourced service deteriorates to an unacceptable level, as well as the insolvency or other failure of the service provider.
Internal audit function
The internal audit function of a firm should, at a minimum, establish:
a. that the firm’s framework for outsourcing is correctly and effectively implemented;
b. the adequacy, quality and effectiveness of the assessment of the criticality or importance of functions;
c. the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with their risk strategy;
d. the appropriate involvement of governance bodies; and
e. the appropriate monitoring and management of outsourcing arrangements.
Before entering into any commercial outsourcing relationship, firms should assess the operational risk arising from the proposed outsourcing arrangement, take their findings into account and avoid any undue additional operational risk.
As part of their risk assessment, firms should include different scenarios of potential risks and assess the potential impact of any failed or inadequate services, including the risks caused by processes, systems, people, and external events.
Prior to entering into any outsourcing agreement, firms should consider the suitability of the service provider in question. As part of this, they should assess the service provider’s business reputation, expertise, capacity, resources and organisational structure. They should also ensure that the provider is adequately authorised or registered where required. Where the outsourcing arrangement will involve the processing of personal or confidential data, firms should satisfy themselves that the service provider’s technical and organisational measures adequately protect the data.