The European Banking Association (EBA) outsourcing guidelines came into effect in September 2019. They are more prescriptive than the previous guidance and have a broader scope, applying to payment and e-money companies for the first time. Organizations have until 31 December 2021 at the latest to bring their outsourcing arrangements into line with the guidelines.
The guidelines contain, among other things, detailed requirements to ensure that the company that outsources its activities has adequate management and control of the outsourcing.
As part of a risk management program, financial institutions should have an updated register of information on all outsourcing schemes in the company. The documentation must distinguish between critical and important functions, and other outsourcing schemes.
A function is considered important or critical if a failure in delivery can lead to significant financial losses, operational disruptions and problems in fulfilling the company's obligation to its own customers, or non-compliance with regulatory requirements. If the activity requires a license from the authorities or is significant for the company's internal control, this will also indicate that the function may be critical or important.
One of the specific requirements is a comprehensive overview of the contracts in the form of a contract register to document each individual contract. For each contract, approximately 30 features must be registered, including:
- Start date, the next contract renewal date, end date and notice periods
- A description of the outsourced service or activity – including a category assignment
- A description of which data has been outsourced, whether or not personal data have been transferred and if their processing is outsourced to a service provider (GDPR)
- The country or countries where the service is to be performed, including which legislation applies
- Whether or not the outsourced function is considered critical or important
- The date of the most recent assessment of the criticality or importance of the outsourced function
- In the case of outsourcing to a cloud service provider, the cloud service and deployment models and the locations where such data will be stored
- The outcome of the assessment of the service provider’s substitutability and whether or not the financial institution in question can perform the tasks itself
House of Control has a dedicated module to meet the EBA requirements. It is a module built on our most popular solution, Complete Control, used by more than 1,300 companies in the Nordics to improve contract and financial management.