The financial regulator the European Banking Authority (EBA) has set out a new governance framework for banks that outsource services, including those based in the cloud.
The new guidelines – Final report on EBA guidelines on outsourcing arrangement – come into force in the UK at the end of September. Under the rules banks will need to have contracts terms rights spelt out clearly in agreements with third party suppliers. They will also need to have a comprehensive outsourcing policy, which is both regularly reviewed and updated, and subject to robust monitoring and governance processes.
In addition, all outsourcing arrangements will need to be documented in a register that is accessible by regulators – with critical functions disclosing most information available for inspection.
The guidelines provide a detailed outline of what such policies should cover as a minimum. That includes disclosing details of responsibilities and decision-making procedures, business requirements, risk management processes, due diligence reports, business continuity plans, implementation and management systems, and the provisions governing the termination of contracts.
Enterprise risk management
Banks will also need to adopt an enterprise-wide approach to risk management. “As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units,” says the report.
“Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks.”
Six-part risk assessment
The report says banks wishing to enter into an outsourced arrangement need to carry out a six-part risk management assessment that must continue as an actively-monitored process once the contract has been set up.
The assessment includes:
The guidelines also say that banks should make sure they have clauses written into their outsourcing arrangements to enable their internal audit functions to review the supplier. Internal audit should receive full access rights to the business premises and records of the supplier under any agreement.
Banks are expected to review all of their existing arrangements to make sure they are in compliance with the rules by 31 December 2021 at the latest.