What are the EBA Outsourcing Guidelines?

The European Banking Authority has published new EBA outsourcing guidelines, a document that has wide-ranging implications for every banking organisation, and requires careful consideration by procurement leaders and functions.  The guidelines will enter into force on 30 September 2019.

Twenty years ago, I was a procurement director in the financial services industry, and in the last days of the previous Millennium, we saw the first incursions of the regulators into procurement and outsourcing matters. A form arrived on my desk that required us to list some key contracts – I’m not even sure where it came from, to be honest. But it seemed a bit of a cheek, really. Why did these outsiders want to know about our key strategic suppliers? 

The financial crisis of 2008/9 and a whole range of banking and financial services issues, and occasionally scandals, answered that question. The sector lost the trust of many, and more and tighter regulation was one response, and this new guidance continues that trend. The guidance applies now to credit institutions and investment firms, in other words banks and their close relations, but also to payment providers and “electronic money institutions”.  

And while it explains the principle of proportionality – institutions need to look at the risk and complexity of their activities in deciding the level of resources to put into managing them – it makes it clear that the regulators expect a level of professionalism in Procurement, contract and supplier management that probably wasn’t present in many banks in my day!

The guidelines insist that attention and focus need to start from the top.

“The management body should ensure that sufficient resources are available to appropriately support and ensure the performance of those responsibilities, including overseeing all risks and managing the outsourcing arrangements …”

The EBA is also concerned about organisations outsourcing so much of their work that the essence or core of the institution is lost.

“Outsourcing must not lead to a situation in which an institution becomes an ‘empty shell’ that lacks the substance to remain authorised”. 

Offshoring work does not excuse you from the regulations, either.

“With regard to outsourcing to service providers located in third countries, financial institutions are expected to take particular care that compliance with EU legislation and regulatory requirements (e.g. professional secrecy, access to information and data, protection of personal data)”

When it comes down to more specific recommendations, the guidance is strong on governance, understandably. There should be effective management oversight by the “management body”, and outsourcing policies, sound processes and control frameworks must be in place. Risks from third-party arrangements must be identified, assessed, monitored and reported. There is also a strong focus on contract exit provisions. Buyers must have appropriate plans in place to ensure that the activities outsourced can feasibly be moved to another provider or brought back into the core business if necessary, including in situations where time is short.

It’s also worth pointing out that this is a pretty broad definition of outsourcing. While it does not include cleaning or catering services, or most professional services (lawyers, consultants etc), it will include a significant proportion of IT services contracts, as well as outsourced back-office, processing and similar services that are specific to each institution. There is a focus on cloud services, for instance – the regulators are rightly worried about the confidentiality, security and integrity of sensitive and vital financial data that could be (as we might say) “floating around” in the cloud! 

There is also a discussion of what the guidance calls “concentration risk” – the danger of having too many critical functions delivered by one supplier, meaning that if it fails, there would be serious problems for the customer organisation. 

In that brief run-through, which covers just some of the key guidance, one important point may have struck you already. This is sensible advice, and really, it could apply to almost every organisation, type and category of Procurement I can imagine. The comments and advice on governance, about risk, or supplier concentration – these all reflect very sensible, best practice approaches and activities that we would hope every competent Procurement function considers. 

However, even for the better organisations, it is well worth using this guidance as a “call to action”. Procurement leaders can use it as an argument for reviewing how outsourcing is carried out and managed, from strategy through supplier selection to performance management and contract end-of-life. Does the organisation have the right policies, processes and technology in place to meet these demands? Is data available to support the institution’s reporting and compliance management? Are suppliers managed properly, with clear and accessible contracts, performance measures and information? Lastly, how well does the organisation understand and manage third-party risk?

And for those organisations where Procurement is less mature, this is perhaps a wake-up siren rather than a call. You need to get your house in order, and Procurement leaders can use the report as a stick to beat their own bosses and Boards with, to ensure that Procurement gets the resources it needs, at least to execute the more fundamental requirements outlined here.  
