Search
Contact
08.05.2019 | KPMG Law Insights

New guidelines for outsourcing to service providers in the financial industry

New guidelines for outsourcing to service providers in the financial industry

To increase their effectiveness and reduce costs, companies in the financial sector are outsourcing functions and activities. The new EBA guidelines partially establish new rules for both external and internal outsourcing. For the institutions, this means a significantly increased effort, especially for analysis, control and documentation.

The European Banking Authority (EBA) published the new guidelines on outsourcing, or EBA guidelines, on February 25, 2019. The regulatory treatment of outsourcing includes, in particular, requirements for the governance framework, the preliminary analysis and the outsourcing agreement, sub-outsourcing as well as information requirements vis-à-vis the banking supervisory authority.

Previously, there were only far less detailed regulatory requirements for outsourcing of institution-typical services throughout Europe: The predecessor guidelines from 2006 contained only a few basic principles, which are applied for the German banking industry primarily in General Part 9 (AT 9) of the Minimum Requirements for Risk Management (MaRisk).

The new EBA guidelines use the existing rules as a basis, but these have been significantly expanded and supplemented by very detailed requirements for outsourcing, some of which are new or more stringent. In addition, they now also include requirements from the EBA for the procurement of cloud services, which have been in place since last year. So much more regulation is also reflected in the size: the future EBA guidelines cover more than 30 pages, while AT 9 of MaRisk still took up around three pages.

 

The central new regulations

  1. Scope extended

The new EBA guidelines apply not only to credit and financial services institutions, but also to payment and e-money institutions. This was the first time that regulatory supervision of outsourcing activities was extended at European level to companies that are not subject to the German Banking Act (Kreditwesengesetz) but to the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG).

 

  1. Introduction of new terms

MaRisk previously distinguished between the categories of material and non-material outsourcing; the EBA guidelines now introduce the concept of outsourcing a “critical or important function”. There are clear criteria for determining which activities are considered critical or important. In the future, many requirements will only apply to the outsourcing of critical or important functions; some of the rules will also apply to other outsourcing.

 

  1. No fundamental privileging of intra-group outsourcing; scope of application for outsourcing worldwide

The guidelines make it clear that, in principle, the regulatory requirements must also be met in the case of intra-group outsourcing and outsourcing within the same institutional protection scheme. In this respect, a stricter standard is even applied in some cases, as possible conflicts of interest in particular must be examined and avoided.

A kind of equivalence principle will apply in the future to outsourcing by European companies in the financial industry to third countries. In particular, cooperation between the supervisory authorities must be ensured in the form of a “Memorandum of Understanding”. The result is that European supervisory rules must be observed by outsourcing companies domiciled in third countries.

 

  1. Documentation requirements extended

In the future, institutions will have to keep a central outsourcing register. The EBA Guidelines contain detailed requirements on the information and documentation to be included here.

Also new is the obligation to conduct a comprehensive risk analysis and assessment, including a review (“due diligence”) of the outsourcing company in advance of outsourcing. Due diligence refers to the reputation, professional qualifications and economic strength of the service provider as well as its ethical and social behavior.

 

  1. Sub-outsourcing more strictly regulated

Institutions will be required to monitor sub-outsourcing companies to a greater extent than before. Subcontractors, for example, must already be checked by the outsourcing company as part of the above-mentioned due diligence. Furthermore, the originally contracted service provider must inform the outsourcing company in advance of any planned sub-outsourcing. In certain cases, a right of objection or consent must be stipulated in the outsourcing agreement.

 

Little time for complex implementation

At September 30, 2019, the new guidelines will come into force. Contracts concluded, amended or reviewed as of that date shall be subject to the new regulation from the beginning. Institutions that have completed their outsourcing by December 31, 2021 have not reviewed accordingly, must inform the competent supervisory authority and explain what measures they will take for further adjustment. This transitional arrangement raises some questions for existing outsourcing agreements: For example, the question arises whether any amendment to an outsourcing agreement already makes the new EBA Guidelines applicable. In practice, for example, service level agreements of outsourcing contracts are constantly adjusted. If this were to result in the new rules being applied, then a very large number of existing outsourcing agreements would probably have to be reviewed to ensure that they comply with the new EBA guidelines.

The implementation of the EBA guidelines means a considerable effort that companies in the financial industry should not underestimate, as they will have to analyze their outsourcing processes, internal guidelines and contractual documents and amend them in line with the new set of rules. As a result, the effort required for analysis, control and documentation will increase significantly in the case of outsourcing.

Explore #more

26.08.2024 | In the media

Interview with Moritz Püstow on sustainability and increasing efficiency in the construction industry

How is the construction industry equipping itself for the future, which is facing major challenges?
In an interview with Baublatt, KPMG Law expert Moritz

22.08.2024 | Press releases

Strategic alliance between KPMG Law and MHP – A Porsche Company

KPMG Law and MHP – A Porsche Company have entered into a strategic alliance.
MHP is a leading consulting firm in the field of Engineering…

21.08.2024 | In the media

Guest article in the dpn: Initial practical experience with the implementation of DORA

In times of crisis and increasing cybercrime, digital operational stability is extremely important for companies.
In future, financial companies and third-party service providers of information…

19.08.2024 | In the media

Guest article at Springer Professional: Giralgeldtoken wants to simplify financial processes in industry

The commercial banks’ cash token should be an alternative to the digital euro for industry and have the character of a deposit.
This could be…

16.08.2024 | Deal Notifications

KPMG Law advises Hagedorn on syndicated financing

KPMG Law advised the Hagedorn Group on the negotiation and closing of a financing transaction A team led by Frankfurt-based KPMG Law partner and head…

06.08.2024 | In the media

Interview with Daniel Kaut on Talent Rocket about working in M&A

Daniel Kaut is a partner at KPMG Law and has been advising on M&A transactions and corporate law for 20 years.
He also has strategic…

06.08.2024 | In the media

Guest article in Betrieb on the topic of data protection and co-determination

The introduction of artificial intelligence in companies offers numerous opportunities, but also brings with it considerable challenges.
Complex issues arise in particular at the interface…

06.08.2024 | In the media

Guest article in IT-Zoom: The path to safe and ethical AI

The June 25, 2024 issue of IT-Zoom contains a guest article by KPMG Law expert Francois Maartens Heynike and KPMG Law expert Kerstin Ohrem.…

02.08.2024 | KPMG Law Insights

AI and employment law: what the AI Act means for HR

On August 1, the EU AI Act in force.
It regulates the use of artificial intelligence within the European Union.
As a regulation, the AI…

24.07.2024 | In the media

KPMG Law recognized as a top employer in Central Germany in the magazine azur

The legal market in Hesse is clearly characterized by the legal metropolis of Frankfurt am Main.
For those seeking a career in banking and finance…

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll