The draft EBA guidelines on outsourcing – to be or not to be outsourced?

On 25 February 2019, the European Banking Authority (EBA) issued its final report on the EBA Draft Guidelines on outsourcing arrangements (the Draft EBA Guidelines on outsourcing). This Final Report follows a public consultation which ended on 24 September 2018. That public consultation was preceded by EBA's publication of a Consultation Paper on the EBA Draft Guidelines on Outsourcing arrangements (the Consultation Paper).

Despite the fact that, in general, the principles in the Draft EBA Guidelines on outsourcing are not new and should not come as a surprise for payment service providers (“PSP”), as always the devil is in the details – and some obligations and concepts in the Draft EBA Guidelines on outsourcing raise important questions, both from a legal point of view and from a practical point of view.

These important questions begin with the definitions at the core of the guidelines, namely (i) the definition of outsourcing itself, and (ii) the criteria to determine whether the outsourcing concerns ‘critical or important functions’. Those are key concepts as they trigger, in the first case, the general application of the guidelines and, in the second, the application of additional (and stricter) requirements.

The scope of application of the Draft EBA Guidelines on outsourcing

The Draft EBA Guidelines specify the requirements applicable to credit institutions and investment firms (together, in the guidelines and hereafter, the “Institutions”) as well as to payment institutions and e-money institutions (together, in the guidelines and hereafter, the “Payment Institutions”) regarding outsourcing, based on the provisions of the Capital Requirements Directive, MiFID II, EMD2 and PSD2.

For Payment Institutions, the relevant provisions are Article 19(6) PSD2 and following (on outsourcing) and, to some extent, Article 11 PD2 (on the governance and organisation of Payment Institutions). Both have been made applicable to e-money institutions by Article 3(1) EMD2.

The rules of the Draft EBA Guidelines are divided in two sets of requirements: a basic one, applicable to all outsourcing arrangements, and a stricter one, applicable to the outsourcing of critical or important functions.

Which arrangements qualify as outsourcing under the Draft EBA Guidelines?

While using third party service providers has become general practice in the financial sector, the question of what qualifies as outsourcing under PSD2 is still frequently asked. The concept of outsourcing is not defined in PSD2. National laws or national regulators have sometimes filled that gap and provided their own definition, with the recognizable disadvantage of different interpretations across member states.

Under the EBA Guidelines on outsourcing, outsourcing will be defined (once the guidelines become applicable and provided they are finalised by EBA as such: “an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself“.  This definition was proposed in the Consultation Paper and has remained unchanged in the Final Report.

According to this definition, two criteria must be met for an arrangement with a third party provider to qualify as outsourcing.

First criteria – the performance of a function by a third party: outsourcing only concerns arrangements where a process, a service or an activity (together defined in the Draft EBA Guidelines as a function) are performed by a third party. The purchase of goods, including software, is excluded from the scope of application of the Draft EBA Guidelines on outsourcing (see feedback on answer to Question 3, par. 22 and 23, p. 88 and 89  of the Final Report).

Second criteria – the outsourced function should otherwise be undertaken by the institution or payment institution itself. According to the Draft EBA Guidelines, to assess whether a function would ‘otherwise be undertaken by the (…) payment institution (…) itself‘, one should determine whether this function (or part thereof) ‘would or could realistically be performed by institutions or payment institutions, even if the institution or payment institution has not performed this function in the past itself‘.

From the EBA feedback on the answers to its Consultation Paper, it appears that the relevant criteria for this is whether the function concerned is ‘normally performed by institutions (or payment institutions) in general‘, i.e. whether it is market practice for Institutions or Payment Institutions to perform that function themselves (see feedback on answer 3, par. 22, p. 88 of the Draft EBA Guidelines).

The EBA’s definition of outsourcing raises several questions:

First, in some cases, distinguishing between the purchase of goods and the acquisition of a service can be tricky – for instance, in the case of the use of a software provided by a third party (the so-called SaaS companies).

Secondly, the adoption of general market practice as a criteria for the determination of whether an outsourced function would otherwise be undertaken by the Institution or Payment Institution concerned raises several questions. For instance, which market should be taken into account? This can be approached from a geographic point of view (EEA vs. local practices?) as well as in terms of granularity: the guidelines are addressed to entities with very different activities (credit institutions, investment firms, payment institutions and e-money institutions), with different potential profiles and diverse business models. Should the market practices be assessed per type of institution or for all kinds of institutions globally? And which market practices? With fintechs having entered the market, there can be significant variation between the business models of traditional institutions and those fintechs. In addition, we have seen that in the past few years the market practices have been subject to major changes and will in the future continue to evolve – how will this evolution be taken into account in the future?

Finally, as more and more Institutions and Payment Institutions outsource IT functions, there is the distinct possibility that these increasingly used IT services will actually be excluded from the definition of outsourcing by virtue of market practice. Such a possibility was in fact suggested by one of the respondents to the Consultation Paper. Obviously this is not the EBA’s intention, but the use of the market practice criteria could in theory trigger this.

While we understand that, by using the market practice criteria, the EBA intended to exclude situations which, obviously, the sector has never considered to be outsourcing (legal advice, cleaning services, etc.), we are not convinced that the criteria which the EBA has adopted will achieve their goal without raising important practical questions.

As further guidance, the Draft EBA Guidelines on outsourcing contain an enumeration of arrangements that Institutions and Payment Institutions should as a principle not consider as outsourcing – in line with the criteria described above:

  • Performance by a third party of a function that is legally required to be performed by an external service provider (for instance, statutory audit)
  • market information services
  • global network infrastructure clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members
  • global financial messaging infrastructures that are subject to oversight by relevant authorities
  • correspondent banking services
  • the acquisition of (i) services that would otherwise not be undertaken by the Institution or the Payment Institution (advice from an architect, providing legal opinions and representation in court or with administrative bodies, cleaning, gardening, medical services, etc.), of (ii) goods (plastic cards, card readers, office supplies, etc.) or (iii) utilities (electricity, gas, telephone line, etc.)

Which outsourced functions are to be considered as ‘critical or important’?

As mentioned above, while the general requirements under the Draft EBA Guidelines on outsourcing apply to all outsourcing arrangements, a set of stricter requirements are imposed on the outsourcing of critical or important functions.

According to the Draft EBA Guidelines on outsourcing, Institutions and Payment Institutions must consider a function as critical or important in the following situations:

  • where a defect or failure in its performance would materially impair
    • their continuing compliance with the conditions of their authorisation or other obligations under the regulatory laws applicable to them (in case of payment institutions, PSD2 and EMD),
    • their financial performance, or
    • the soundness or continuity of their banking and payment services and activities,
  • in case of outsourcing of tasks of internal control functions, unless the (Payment) Institution can establish that a failure to provide the outsourced function or the inappropriate provision thereof would not have an adverse impact on the effectiveness of the internal control function, or
  • in case of outsourcing of banking or payment services activities which require an authorisation by the competent authority of the member state where the Institution is authorised.

Obviously, an outsourced function will only fall under the stricter requirements applicable to critical or important functions if it qualifies as outsourcing in the first place. This means in practice that if a service purchased from a third party does not qualify as such (e.g., the purchase of a legal advice), the rules on outsourcing are strictly speaking not applicable even if its incorrect provision could materially impair the (Payment) Institution’s compliance with the conditions of its authorisation or its financial performances (which are potential consequences of faulty legal advice),. However, as the EBA reminds readers at several occasions in the Draft EBA Guidelines on outsourcing, even in cases where the rules on outsourcing do not apply, institutions should at all times properly manage their risk.

The definition above leaves room for interpretation both by the institutions concerned and by the regulator, which will most probably lead to (i) on the one hand, different approaches between regulators and (ii) on the other hand, discussions between Institutions and the regulators. For instance, the requirement that the defect or failure in the outsourced function’s performance should materially impair the (Payment) Institution’s compliance with its regulatory obligations, its financial performance or the soundness or continuity of the regulated services will have to be assessed on a case by case basis. It is not possible to pre-emptively set fixed criteria to determine whether or not it is the case.

In addition to those criteria, in their assessment of the criticality or importance of an outsourced function, Institutions and Payment Institutions are required to take into account (i) the outcome of their risk assessment of the proposed outsourcing and (ii) additional factors which do not seem to relate to the criticalness or importance of the outsourced function, but which should be part of the initial risk assessment itself (see for instance the obligation to take into account the possibility to transfer the outsourcing arrangement to another service provider or to internalise the outsourced function, the potential impact of the outsourcing on the ability of the institution to identify, monitor and manage its risks, etc.).

In our opinion, while we understand that those elements should certainly be taken into account in the assessment of the proposed outsourcing, we do not believe that they are relevant for the determination of the criticalness or importance of the outsourced function itself: according to the EBA definition, a function should qualify as such whenever any potential failure in its provision could have the consequences listed in the definition, and the probability that that risk could materialise, or any other risks, are not factors for this definition.

This article was originally published in the February 2019 edition of Osborne Clarke’s EPSM Legal Research Newsletter.