Complying with the EBA fintech outsourcing requirements

by House of Control | 9/14/20 11:04 PM

New EU rules are strengthening the governance requirements for how banks and other financial institutions handle outsourcing of financial technology (fintech). This includes requirements for a central register of all contracts with sub-service providers. One bank is already using Complete Control to meet these requirements.

The starting point is “Guidelines on outsourcing arrangements” (EBA/GL/2019/02) issued by the European Banking Authority (EBA), which forms the basis for national regulations. The rules will apply throughout the EU and EEA, including in Denmark, Sweden and Norway.

The guidelines have been drawn up to reflect the fact that financial institutions are increasingly outsourcing commercial operations to reduce costs and to improve flexibility and efficiency. In the introduction to the new guidelines, the EBA refers to digitalisation and the increasing importance of new financial technology (fintech). Financial institutions are adapting their business models to embrace new fintech. Outsourcing plays a key role in providing financial institutions with easy access to new technologies and facilitating major economies of scale.

The new guidelines are aimed at banks, credit institutions, investment firms, payment and electronic money institutions, and contain detailed requirements to ensure that companies that outsource operations have adequate management and control over their outsourcing arrangements.

One of the specific requirements is a comprehensive overview of the contracts in the form of a contract register to document each individual contract. The annexes to the Danish Regulation, which is expected to be broadly the same in the rest of the Nordic region and the EU, define around 30 different qualities expected of such a register. These include:

• Start date, the next contract renewal date, end date and notice periods
• A description of the outsourced service or activity – including a category assignment
• A description of which data have been outsourced, whether or not personal data have been transferred and whether their processing is outsourced to a service provider (GDPR)
• The country or countries where the service is to be performed, including which legislation applies
• Whether or not the outsourced function is considered critical or important
• The date of the most recent assessment of the criticality or importance of the outsourced function
• In the case of outsourcing to a cloud service provider, the cloud service and deployment models and the locations where such data will be stored
• The outcome of the assessment of the service provider’s substitutability and whether or not the financial institution in question can perform the tasks itself

House of Control is developing and launching a dedicated module to meet the EBA requirements. Recently we signed a contract with the first bank that will use Complete Control to ensure compliance with the new regulation. The new module will be customised to meet the challenges financial institutions face with regard to documentation, administration, follow-up and maintaining an overview – including timely notifications of relevant deadlines.

As mentioned in the introduction, the rules encompass outsourcing of activities that require a licence. This means, for example, that cleaning, electricity supply and vehicle fleet management are not covered by the regulation. However, we recommend that all companies establish central control over such services.

Contact us today to discuss how we can help you meet the new requirements for the contract register – and how Complete Control can save you money and give you a better overview!
