The financial regulator the European Banking Authority (EBA) has set out a new governance framework for banks that outsource services, including those based in the cloud.

The new guidelines – the Final report on EBA guidelines on outsourcing arrangements – come into force in the UK at the end of September. Under the rules, banks will need to have contractual terms and rights spelt out clearly in agreements with third-party suppliers. They will also need a comprehensive outsourcing policy that is regularly reviewed and updated and is subject to robust monitoring and governance processes.

These guidelines will also apply to any professional employer organisation (PEO) services. For example, if a business outsources its employee management services to a PEO company such as The PEO People, then appropriate measures must be taken.

In addition, all outsourcing arrangements will need to be documented in a register that is accessible to regulators, with the most detailed information held available for inspection in the case of critical functions.

The guidelines provide a detailed outline of what such policies should cover as a minimum. That includes disclosing details of responsibilities and decision-making procedures, business requirements, risk management processes, due diligence reports, business continuity plans, implementation and management systems, and the provisions governing the termination of contracts.

Enterprise risk management

Banks will also need to adopt an enterprise-wide approach to risk management. “As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units,” says the report.

“Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks.”

Six-part risk assessment

The report says banks wishing to enter into an outsourcing arrangement need to carry out a six-part risk management assessment, which must continue as an actively monitored process once the contract has been set up.

The assessment includes:

  1. identifying and classifying the relevant functions and related data and systems as regards their sensitivity and required security measures
  2. conducting a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing (or have been outsourced) and addressing the potential risks, in particular operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored
  3. considering the consequences of where the service provider is located (within or outside the European Union)
  4. considering the political stability and security situation of the jurisdictions in question, including:
    1. the laws in force, including laws on data protection
    2. the law enforcement provisions in place
    3. the insolvency law provisions that would apply in the event of a service provider’s failure and any constraints that would arise in respect of the urgent recovery of the institution’s or payment institution’s data in particular
  5. defining and deciding on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture
  6. considering whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions and, if so, the extent to which the institution controls it or has the ability to influence its actions.

The guidelines also say that banks should make sure they have clauses written into their outsourcing arrangements to enable their internal audit functions to review the supplier. Internal audit should receive full access rights to the business premises and records of the supplier under any agreement.

Banks are expected to review all of their existing arrangements to make sure they are in compliance with the rules by 31 December 2021 at the latest.
