What factors should a financial institution consider before entering a fintech outsourcing contract – while staying compliant with EBA guidelines? Norway’s supervisory agency for the financial sector suggests that at least 11 questions must be answered.
“Guidelines on outsourcing arrangements” (EBA/GL/2019/02) issued by the European Banking Authority (EBA) is the basis for national regulations on fintech outsourcing for financial institutions. One of its specific requirements is a comprehensive overview of the contracts, including a contract register to document each individual contract.
House of Control has a solution for a contract register that makes compliance with EBA requirements easier and more robust – and it is already in use by several Nordic banks and other financial institutions. But what should you consider before entering a fintech outsourcing contract?
The independent government agency for financial sector supervision in Norway, Finanstilsynet, has issued guidelines for financial institutions on outsourcing fintech. The guidelines - based on EBA Guidelines for outsourcing arrangements - are written in unusually clear language (in Norwegian).
Before a possible outsourcing, your company must consider the contractor (and its subcontractors when relevant). According to Finanstilsynet, the following factors may be relevant:
- When required, does the contractor have the necessary permissions?
- Are there any relationships between the contractor and the company that could cause conflicts of interest?
- Does the contractor have sufficient capacity, competence and experience to perform the tasks in a responsible manner? This also applies to contingency plans that must be handled by the contractor.
- Has the contractor established a satisfactory system for risk management and internal control?
- Is the contractor certified, and if so, what controls are the basis for the relevant certification?
- Does the contractor have sufficient financial strength to be able to handle problems that may arise in the contractor's operations?
- Where is the contractor located, and where will the tasks be performed? This can be important for, among other things, the risk that personal data and other confidential information will be misused or go astray. Location can also determine which legislation and which control and law enforcement regime apply to the contractor and the contractor's activities.
- Does the contractor have a good reputation?
- Does the contractor follow the principles of good corporate governance, and does the contractor act in a manner that is in accordance with the company's values and ethical guidelines?
- Do you have control mechanisms in place that provide an opportunity to influence the contractor's behavior beyond what follows from the contract?
- Does your board have a real opportunity to fulfill its responsibility for ensuring that the business is run properly when outsourcing to parent companies, companies with the same owner or the like?
Finanstilsynet writes that “further investigations the company should make of the contractor depends on the contract’s significance for the company's activities and reputation”. The requirement for your “assessments of the contractor and any subcontractors is tightened if the outsourced tasks are business-critical or otherwise of great importance” to your business.
Contact us today to discuss how we can help you meet the new requirements of the contract register – and how Complete Control can save you money and give you a better overview!