The European Banking Authority’s (EBA) guidelines on outsourcing arrangements, issued in February 2019 and in force since September 2019, have considerably increased the level of control that institutions must exercise over third parties, including cloud service providers. Fortunately, the EBA foresaw a transitional period, which ends on 31 December 2021. This leaves banks, asset managers, payment service providers and electronic money institutions nine months to adapt their operational risk mitigation frameworks and to remediate legacy outsourcing contracts to ensure compliance.
This timeframe is, indeed, very short. Our experience confirms that many financial institutions have yet to address the key aspects of the guidelines, including assigning roles and responsibilities, reviewing the service level agreements (SLAs) for intra-group arrangements and drafting the adapted outsourcing policy. Meanwhile, all contractual arrangements with third parties will need to be properly remediated by the end of the year.
Furthermore, two major trends are putting additional pressure on fulfilling those obligations: the increasing reliance on cloud service providers (which fall entirely within the scope of the guidelines) and the accelerated digitalization efforts by many, if not all, financial institutions following the pandemic.
In this first blog in our series on information and communication technology (ICT) risk mitigation frameworks, Alexandre Vandeput discusses how to ensure safe compliance on time.
TIME IS RUNNING OUT ON COMPLIANCE WITH THE EBA GUIDELINES ON OUTSOURCING ARRANGEMENTS
Based upon our observations from projects within retail, commercial, payments and electronic money institutions, the pressure is rising on IT, operations and risk departments to adapt their outsourcing control frameworks to the revised guidelines. Furthermore, firms need to ensure that the actual outsourcing arrangements are properly managed.
Many institutions are behind schedule for complying with the guidelines, with substantial internal alignment, delivery of key documentation, gap analysis and process review still outstanding. Leaving a ‘sanity’ buffer of three months before the end date is best practice, which means that any institution falling within the scope of EBA supervision needs to be ready within six months (i.e. by the end of September), a period that also includes the summer holidays. With such a tight timeframe, if execution is not managed with razor-sharp precision, institutions may end up in breach.
EIGHT KEY STEPS TO SUCCESSFUL AGILE AND TIME-BOXED DELIVERY
Working on key deliverables and processes, prioritizing the work ahead and having clear governance in place are among the prerequisites for ensuring that financial institutions’ Executive Committees will be able to validate the work on time and comply safely.
More precisely, we recommend the following eight-step process to fully comply within the required timeframe:
1. Outsourcing register: Start by leveraging your existing outsourcing register, adding the fields the guidelines require. Do not forget that this exercise is done for the benefit of the service receiver and that the register needs to be maintained from a legal entity standpoint (and, where applicable, at sub-consolidated and consolidated level). Flag which arrangements concern critical or important functions, since these attract the more demanding requirements, and ensure that all cloud-related outsourcing engagements are identified.
2. Business case: This document demonstrates that the justification for outsourcing has been articulated and accepted, and that the service receiver considered the different options available before opting for an outsourcing solution, with the materiality level of every outsourcing contract properly defined.
3. Risk assessment: Ensure that the risk taxonomy is consistent across the institution, potentially leveraging the outcomes of the Internal Control Framework. Automating these assessments is key to keeping them efficient and repeatable. You will also need to identify inherent risks and record a treatment decision for each of them (accepted, mitigated or rejected).
4. Due diligence: This involves ‘vetting’ service providers who must demonstrate sufficient and relevant experience, reputation and overall suitability to perform (including key certifications as required).
5. Oversight: Develop a set of key risk indicators (KRIs) and key performance indicators (KPIs) agreed between the service provider and the service receiver, and apply the ongoing monitoring principle (the frequency will depend on the materiality of the outsourced activity or process).
6. Contracts, SLAs and guidelines: Start drafting contractual agreements with intra-group and external service providers. Involve the key stakeholders from your legal department at this stage.
7. DRP, BCM and exit plans: Draft exit plans for all material outsourcing arrangements, describing exit scenarios and the triggers that would activate them. These plans should build on concrete disaster recovery planning (DRP) and business continuity management (BCM) for the outsourced function.
8. Outsourcing policy: This is the cornerstone of your outsourcing remediation framework and should be the conclusive outcome of the whole initiative. Avoid treating this as a tick-box exercise as it will only lead to frustration, misalignment and misunderstanding among key stakeholders.
Starting now is not too late, but the time is short and the task is challenging. Ensure that you can:
- Work in a time-boxed manner
- Leverage a pre-defined set of deliverables and documents
- Have a consistent risk taxonomy in place
- Put in place a clear governance structure with strong sponsorship
- Work on a change management plan from the outset
We would also emphasise that automation should be considered, as the required processes, tools and documents are likely to generate a substantial administrative burden. Automation tools provide useful functionality such as centralized access, workflow management, and automated dashboards and reporting.
Contact us to discuss how Capco can help your firm reach the fast-approaching compliance deadline on time.
Jeroen Dossche, Partner
M +32 478 22 11 80
Alexandre Vandeput, Principal Consultant
M +32 499 755 200