Outsourcing Requirements for Payment Institutions & Electronic Money Institutions

Introduction


This article assesses the regulatory requirements and recommendations for payment institutions and EMI/E-money electronic money institutions in terms of their outsourcing arrangements. It looks at how such firms looking to enter into outsourcing arrangements should supervise, arrange and manage their arrangements with such arrangements.


Directive 2013/36/EU – Capital Requirements Directive provides the requirements for firms with regards to their governance arrangements. Outsourcing is one of the aspects of falling under governance arrangements.


We look at which arrangements with third parties should be considered as outsourcing and assess the criteria for identifying critical or important functions, as such functions have stricter requirements with regards to their outsourcing.



Definitions of key terms


Outsourcing is an arrangement between a firm and a service provider for the performance of a process, service, or activity that would otherwise be undertaken by the firm themselves. A function can be a process, service or activity. A critical or important function is a function considered as critical or important to the operation of the firm. A service provider is a third party providing the outsourced functions, service, or arrangement.



Assessing critical or important functions


In order to assess whether a function is deemed critical or important, firms are required to pay particular attention to:


a. where a defect or failure in its performance would materially impair:

i. compliance with the firm’s regulatory licence conditions and obligations under Directive 2013/36/EU, Regulation (EU) No 57/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations;

ii. their financial performance; or

iii. the soundness or continuity of its banking and payment services and activities;

b. where functions are outsourced unless their assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function;

c. when the intended outsource functions require authorisation from a regulator.


As part of the assessment of the criticality of the outsourcing function, where it concerns a firm’s core business lines, it should pay particular attention to Article 2(1)(35) and 2(1)(36) of Directive 2014/59/EU. Functions that are necessary for it to perform its core business activities will be considered critical functions. As part of this assessment, firms should consider the following:


a. whether the outsourcing arrangement is directly connected to the services for which they are regulated;

b. the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their:

i. short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses;

ii. business continuity and operational resilience;

iii. operational risk, including conduct, information and communication technology (ICT) and legal risks;

iv. reputational risks;

v. where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation;

c. the potential impact of the outsourcing arrangement on their ability to:

i. identify, monitor and manage all risks;

ii. comply with all legal and regulatory requirements;

iii. conduct appropriate audits regarding the outsourced function;

d. the potential impact on the services provided to its users;

e. the size and complexity of any business area affected;

f. the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying agreement;

g. the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so (‘substitutability’);

h. the ability to reintegrate the outsourced function back into its firm, where necessary or desirable;

j. the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity in compliance with Regulation (EU) 2016/67939.



Management responsibility


A firm’s management should ensure that is fully responsible and accountable for:


a. ensuring that the firm meets the conditions on an ongoing basis to remain authorised.

b. the internal organisation of their firm;

c. conflict of interests, including their identification, assessment and management;

d. setting the firm’s strategies and policies;

e. overseeing the day-to-day management of the firm, including outsourcing; and

f. the oversight role of the management team, including overseeing and monitoring its decision-making.



Outsourcing – minimum standards


As a minimum, firms should ensure that they:


a. take and implement decisions related to their business activities and critical functions, including those outsourced;

b. maintain good conduct and order of their firm and the regulated services they provide;

c. are able to identify, assess, manage and mitigate the risks, both current and planned, arising from planned outsourcing;

d. have adequate confidentiality arrangements in place regarding data and other information;

e. maintain an appropriate flow of communication and information with service providers;