by Arnaud Malardé
The revised European Banking Authority or EBA Guidelines on Outsourcing came into effect on September 30th of 2019. They update former guidelines on the subject from 2006 and specifications on cloud services outsourcing from 2017.
They apply to a broader audience than the previous rules: now including not only banks but also credit institutions, investment firms, electronic money institutions and payment providers, all of whom must abide by these guidelines.
Also, the guidelines offer a broader definition of outsourcing and bring a special focus on “critical activities”:
In practice, it means that any service provided by a third-party that supports core banking activities falls into these guidelines. Most IT and cloud services do. On the contrary, services like cleaning, catering, lawyers or consulting do not belong to this category.
It really is a call to action for European banks to secure their outsourcing processes and equip themselves with the right tools to be compliant with the EBA guidelines on outsourcing. Failing to do so would imply severe consequences:
On the other hand, complying with these guidelines ensures a better risk position and therefore a competitive advantage in the industry. This advantage spans further than the sole European banking market. In fact, the Federal Reserve Board (FRB) has somewhat similar outsourcing guidelines for the US market in 2013.
Let us have a detailed look at the obligations that financial institutions are facing and how they can be compliant with these guidelines.
According to the EBA guidelines , outsourcing an activity shall never:
EBA Requirements for outsourced activities
Financial institutions must check all these boxes if they want to be compliant with the EBA guidelineson outsourcing:
If resources allocation lies in the hands of a financial institution’s management, a comprehensive source to pay platform such as Ivalua can help with all other requirements. Let us have a more comprehensive look at some of these.
The EBA guidelines on outsourcing stipulate that a bank must create, approve and regularly update a detailed outsourcing policy. Also, it is responsible for its enforcement.
This requirement can be addressed using Ivalua. First, as a repository of policy documents, specifying expiry dates and offering the notifications need for an update when relevant. Furthermore, it can be the vehicle to enforce policies across the complete Source-to-Pay process. Critical outsourced activities can go through specific approval workflows (e.g., including compliance teams or ensuring that dedicated clauses are signed off by suppliers).
Financial institutions must identify clearly within their current agreements those which concern outsourcing activities, determine if they are critical and performed from a third country (i.e, a country which does not recognize the EBA authority). They must provide exhaustive information about critical outsourcing contracts.
To support this imperative need, Ivalua offers an Outsourced Agreements Register. This is where all outsourcing arrangements can be stored with a unique identifier. They can be qualified according to the type of outsourcing (Outsourced, Subcontracted or Intra-Group), its criticality (Critical, Non-Critical) and its offshoring dimension (Yes/No). Depending on the type of agreement we are considering, some dedicated fields will be triggered to populate more specific information. For example, in the case of a critical activity being outsourced, the following evidence may be required: dates of last and next contract audit, identified alternate supplier, substitutability and re-integration assessment plan.
This register offers a clear view of the outsourcing exposure. The data from this register can be reported on to satisfy any auditing or supervisory request, either on a regular basis or on demand.
Financial institutions must prove they have an efficient outsourcing lifecycle management process. They must be in control of every step of this lifecycle from start to end. This means that they must conduct several checks before entering into any new outsourcing arrangement or before renewing an existing one:
However, this lifecycle does not end with the supplier selection as subsequent steps are of vital importance too:
With Ivalua, you can manage the entire lifecycle of an outsourcing arrangement from selecting the supplier to contracting, evaluating its performance in accordance with the contract and implementing exit strategies if need be.
Sourcing events for outsourcing activities would embed a criticality assessment questionnaire to be filled in by internal stakeholders. If it appears that a project concerns a critical activity, some additional steps would be required. For instance, suppliers would have to agree to certain clauses before having access to the request for proposal. These clauses would be mentioned in the final contract as well. The supplier obligation to let supervisory authorities have a complete access to data related to the service is an example of such a clause.
To guarantee all precautions have been taken before entering into a critical outsourcing agreement, an approval workflow will be triggered prior to awarding the service to any potential supplier. This workflow will incorporate an Internal Audit or Compliance Team review/approval before going forward with the selected supplier.
To make sure the rest of the process goes as smoothly, our solution offers dedicated contractual capabilities, performance and exit strategy management.
Financial institutions must strictly and permanently assess, manage and mitigate their third-party risk, including subcontractor exposure (i.e, fourth-party risk). Special attention must be paid to critical outsourced activities and risk due diligence must be performed even before entering into any agreement.
Ivalua Risk Center supports financial institutions to be compliant with their risk management obligations. It allows them to establish a comprehensive supplier risk mapping with a direct view into the subcontractors and their risk level. This dynamic risk picture aggregates internal and external risk data sources from your preferred providers (e.g, Dun&Bradstreet, Ecovadis). People in charge may receive contextual alerts in case of a rising risk exposure and take proper mitigation plans within the tool.
Ivalua solution is already supporting the compliance strategy of several top European banks.
Arnaud Malardé, Senior Product Marketing Manager, joined Ivalua with over 10 years of experience in several procurement positions. An accomplished industry and procurement expert, Arnaud has worked alongside prestigious international Financial Services, Retail, IT and Media organizations. A product thought leader, blog contributor, and webinar host, Arnaud offers valuable and innovative insight into advanced digital procurement solutions. He holds a Master in Finance from ESCP Europe, one of the top French business schools, and a European Master of Science in Management from London’s City University.