by Elina Karpacheva
The future is in digitalisation of financial services. Traditional financial institutions are changing under the disruptive technology that stems from the FinTech sector. Banks, lending, payment, e-money companies, and investment firms have embraced new business models and opportunities for growth by partnering with providers of technology-enabled services. Outsourcing of business activities as a strategy proved value maximising for the financial industry.
In this context, the EBA Guidelines on outsourcing arrangements entered into force on the 30th of September. Despite recognising the new trends, the European Banking Authority discovered too much uncertainty and operational risk in outsourcing that could impair the quality and independence of the financial services sector. EBA also found outsourcing activities to impede institutions’ and regulators’ ability to “oversee and supervise compliance with regulatory requirements”. The Guidelines harmonize the outsourcing requirements, which are set out in various EU legislation (such as CRD IV, MiFID II, PSD2).
In a nutshell, EBA sets out rules for risk management, risk assessment, monitoring of outsourcing processes and services and activities that would otherwise be performed by the financial institutions themselves. The Guidelines provide criteria for determining which types of outsourcing activities and arrangements are considered “critical” or “important” for the operation of the institution, thus influencing its risk profile and internal control framework. If such critical or important functions are outsourced, additional safeguards and stricter rules regarding the selection, contracting and monitoring of the service providers apply. It is interesting that outsourcing of “internal control” functions is designated as “critical”. The interpretations of national authorities remain to be seen, but outsourcing of KYC/AML functions to third-party service providers surely fell well under this critical category.
From the wording of the Guidance, the governance of the outsourcing arrangements clearly falls under the responsibilities of the compliance department:
1. Ensuring management commitment and oversight
2. Identifying, assessing, managing, monitoring, mitigating and reporting of the outsourcing risk as part of the integrated risk management framework of the company
3. Adopting a sound outsourcing policy
4. Creating efficient outsourcing processes and an internal control framework
5. Drafting appropriate plans for the exit from outsourcing arrangements of critical or important functions
6. Keeping written track of the process in order for competent authorities to be able to supervise; and
7. Designating a senior officer who is directly accountable to the management body with respect to outsourcing
Financial institutions are obliged to conduct thorough due diligence when choosing service providers before entering into an outsourcing arrangement in terms of “business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner”. On top of that, financial institutions must screen and analyse service providers’ corporate culture, code of conduct and even corporate social responsibility practices, especially where operations in third jurisdictions are concerned or sub-contractors in third countries are concerned. The service provider must act in an “ethical manner” and adhere to international standards of human rights, environmental protection and appropriate working conditions, including the prohibition of child labor.
Now, the new requirements affect FinTech firms in two ways: as obliged entities under the Guidelines and as service providers. For the bigger and established FinTech players that already possess banking or payment institution license, complying with the Guidance will add additional regulatory pressure and draining of resources. The challenge for FinTech start-ups will be even greater. Financial institutions seeking to use FinTech/RegTech solutions will struggle to balance the desire to be agile under the due diligence and risk assessment requirements of the Guidelines. Too much “de-risking” will leave behind service providers without an established track record, but rather with innovative products. Procuring a value-maximising contract for many FinTech start-ups might become impossible as the scrutiny and demands of the established financial institutions will be rising. Many FinTech founders struggle to keep up with the compliance risks since the very outset of their business activity because the attention and resources are allocated elsewhere – on innovating and ensuring customer satisfaction.
As a conclusion, it is understandable that EBA wants to ensure the integrity of the European financial system. However, the new Guidelines impose requirements to regulated entities that favor established service providers over emerging FinTech start-ups. During the consultation process, a European regulator rejected a proposal to give a two-year grace period for new entrants to the market before they fell under the effect of the outsourcing Guidelines.
There is a transition period of two years up to 31 December 2021. During this period, financial institutions should review and amend the outsourcing arrangements entered into before the 30th of September 2019 and align their risk assessment and internal policies with the requirements of the European regulator.
The author, Dr. Elina Karpecheva is the Chair of the European Compliance Centre based in Sofia, Bulgaria. She is also the Content Director of the Bulgarian website of the Risk & Compliance Platform Europe, to be launched in autumn 2019.