Affected regulated entities
PSPs may be credit institutions, e-money institutions or payment institutions. Under German law, such entities are subject to different legal provisions with respect to the outsourcing of certain processes and activities, which are relevant to the provision of payment services. All such regulated entities must have in place appropriate risk mitigation measures depending on the type, scope, complexity and risk level of outsourcing to another company.
Local competent authorities, such as BaFin, have published rules of their administrative practice, which set out different rules for different types of regulated entities. Whereas MaRisk, for instance, applies to credit institutions and financial services institutions, BaFin’s regulatory guidance about the use of services of cloud service providers covers, amongst others, credit institutions, financial institutions, insurance undertakings, payment institutions and e-money institutions. MaRisk also contains provisions on the outsourcing of processes to third parties. On the other hand, BaFin has not yet published administrative rules on the assessment of outsourcing arrangements by payment institutions or e-money institutions.
In addition, the European Banking Authority (“EBA”) has published its EBA guidelines on outsourcing, which are, inter alia, applicable to payment institutions, e-money institutions and credit institutions and which set out specific obligations in relation to the outsourcing of services to third parties. BaFin, the German regulatory authority, has announced its intention to apply the EBA guidelines on outsourcing by 31 December 2020.
Generally, a PSP has to consider, applying a risk-based approach, whether it deems a cooperation with a Corporate Servicer to be a material outsourcing. If so, the PSP has to incorporate certain provisions into the agreement with the Corporate Servicer and conduct appropriate risk management measures.
New products offered by PSPs, as well as new products offered by Corporate Servicers to PSPs, create new challenges in the application of outsourcing provisions to PSPs.
New IT-products offered to regulated entities
In contrast to “classic” technical service providers which have designed specific products to support PSPs in conducting payment transactions, new IT service providers have developed products which create benefits for the business conduct of PSPs, but which are not exclusively designed for use by PSPs (and may be used by any other unregulated entity).
One example is entities offering software-as-a-service applications or infrastructure-as-a-service platforms (“cloud service providers”), but there is also a great variety of other IT solutions on the market, which are attractive to PSPs. The question of whether an arrangement constitutes a material outsourcing may also arise in relation to the use of video conferencing systems, offsite back-up systems or the use of external APIs for data enrichment or integration with third-party products.
Given that such products are not specifically designed for use by PSPs and may be used as standardised products by a great number of customers, the product design may conflict with the obligations of PSPs to implement specific contractual provisions with the offering IT service providers.
For instance, audit rights and instruction rights to be provided for each PSP do not fit with the product design of such services. BaFin has noted this issue and has published a circular “Guidance on outsourcing to cloud providers” dated 8 November 2018, in which it (i) clarifies its administrative practice with respect to the use of cloud service providers by regulated entities; and (ii) allows some relief for regulated entities to cooperate with cloud service providers.
Such relief in particular addresses the issue that cloud services are not tailor-made and are not originally designed for regulated entities. However, BaFin’s circular does not solve all the tensions that exist between regulated entities and cloud service providers with respect to outsourcing requirements. In consequence, contract negotiations between regulated entities, such as PSPs, and IT service providers, such as cloud service providers, continue to be challenging for both parties.
Licence as a service
Another area where tensions between PSPs and customers may arise is in relation to licence-as-a-service products. Some licensed institutions, such as PSPs, have developed products for their customers, the Corporate Servicers, which allow Corporate Servicers to offer services which would otherwise require a licence from BaFin, but where such licensed services are provided by the PSP.
As the Corporate Servicer normally has the first contact with its end users, licence-as-a-service products regularly require the Corporate Servicer to provide services to the PSP in order to handle the business relationship with the end user. Such support may constitute a material outsourcing, depending on the scope of work that the Corporate Servicer is supposed to provide to the PSP. The Corporate Servicer is also often involved in distribution activities of regulated services or in the onboarding procedure of the end user to the PSP. Consequently, tensions often arise if the PSP has to onboard the end user and provide a ‘know your customer’ check, which might have an impact on the customer journey of the end user.
With respect to the contractual provisions that PSPs have to agree with the Corporate Servicer using a licence-as-a-service product, such Corporate Servicers may have fewer issues with instruction rights and audit rights by the PSP since licence-as-a-service cooperations are quite often unique projects of such Corporate Servicer. On the other hand, Corporate Servicers quite often struggle with the obligation to observe certain sets of rules that the PSP and, in consequence, also the outsourcing partner has to comply with and which are often unfamiliar to Corporate Servicers.
Another issue may arise where PSPs conclude that a specific licence-as-a-service business relationship is not to be considered a material outsourcing. However, in such situations PSPs often reserve the right to adjust this decision in the future. The additional obligations which flow from this decision are sometimes an issue for Corporate Servicers, as they require additional effort on their part in the business relationship. PSPs need to be flexible to adjust their risk assessment during the lifetime of a business relationship and have the option to define a cooperation as material outsourcing if the risk assessment changes in the future.
Tensions may also arise in other situations where PSPs cooperate with non-regulated entities. However, the tensions may be a bit lower for PSPs than in the situations described above. An example of this is the case of “classic” technical service providers, which have specifically designed their products to support PSPs in the execution of payment transactions. Tensions may also be lower in respect of cooperations between a PSP and a non-regulated fintech company. Such fintech companies are normally aware of, and have at least a basic understanding of, the regulatory environment in which they are acting and have a (comparably) high level of tolerance with respect to compliance with regulatory provisions (and also greater awareness of it). This might also apply to distributors or brokers of products of PSPs.
Cooperations between PSPs and Corporate Servicers give rise to specific challenges depending on the nature of the cooperation. The negotiation of such cooperation agreements has therefore become more and more relevant, as PSPs on the one hand tend to use more technical products from third parties, which are not originally designed exclusively for the regulated environment. On the other hand, PSPs are offering licence-as-a-service products to Corporate Servicers in order to “lend” their regulatory shield to them. All such cooperations have to be assessed on an individual basis. Technical solutions which are attractive to PSPs are under continuous development and seem to be more and more interesting for PSPs. With respect to Corporate Servicers of licence-as-a-service products, their business models are often unique and also require an individual assessment of the associated risks.
Finally, BaFin has stated in its administrative practice that it is aware of the new challenges resulting from such cooperations and has published specific administrative guidelines, such as on cloud service providers. PSPs are therefore acting in a changing regulatory environment, with a lot of innovation in the supply of products to them as well as business opportunities vis-a-vis their customers. This creates challenges as well as opportunities.