On February 25, 2019, the European Banking Authority (EBA) published its final Guidelines on outsourcing (Guidelines) to ensure that sound risk management measures are adopted by banking, financial, and payment institutions (Institutions).
These Guidelines will become effective September 30, 2019 and specifically highlight FinTech and data protection issues. This not only reveals some potential regulatory challenges that EU players will have to face going forward, but also relates to the broader interest in IT outsourcing echoed by US regulators.
Outsourcing and digitalization in banking
Traditional banking business models are being challenged by more agile setups, notably FinTech firms (which are not new to the financial industry), and outsourcing is a very common way for Institutions to reach out to market providers with cutting-edge technology skills and up-to-date tools, without resorting to costly arrangements, such as business combinations.
This is the reason behind the Guidelines. The EBA notes that Institutions have increasingly used outsourcing to improve flexibility and efficiency, with the goal of embracing the FinTech mindset. It’s no surprise then that IT-related functions have become some of the most commonly and heavily outsourced activities.
Such reliance on outsourcing of IT functions may pose new risks that will have to be managed by an Institution’s internal control framework. This is especially true when considering that IT is generally seen within the financial services sector as a “critical function”, one whose ineffective execution may result in a bank not being able to meet its licensing requirements.
The Guidelines point out that outsourcing IT and data services to FinTech providers, while having a positive economic effect, may lead to security, data management, and data protection issues. In that respect, the EBA reminds Institutions liaising with FinTech outsourcers to always comply with the EU General Data Protection Regulation 2016/679 (GDPR) when outsourcing and processing personal data and to establish appropriate confidentiality agreements.
Moreover, certain specific risk management measures generally required for outsourcing mainstream services may become harder to implement when it comes to highly innovative and technology-driven activities like FinTech.
For example, the Guidelines recommend that Institutions set clear responsibilities, roles, and tasks under outsourcing agreements and internal policies, which might be difficult for cloud services or decentralized distributed ledger technologies (DLTs). Additionally, the EBA points out that Institutions should appoint an “outsourcing function holder” with adequate knowledge and skills. However, it might not be so easy to quickly find a skilled FinTech expert.
Next Steps: Expected supervisory review
Analyzing how outsourcing interacts with FinTech and potential cyber events is becoming a standard topic on the supervisory agenda, locally and abroad.
Based on the same principles as those underlying the Guidelines, the Bank of Italy and IVASS (the Italian Institute for the Supervision of Insurance) are paying more and more attention to the way Institutions set outsourcing measures to manage IT security risks (for example, see Sicurezza cibernetica: il contributo della Banca d’Italia e dell’Ivass [Cyber security: the role of the Bank of Italy and IVASS], dated August 31, 2018).
On April 2, 2019, the US Federal Deposit Insurance Corporation (FDIC) issued a letter identifying gaps, especially in business continuity and incident response risks, that some examiners had noted in their reviews of contracts between banks and technology service providers.
The current framework is therefore likely to see further regulatory review of FinTech and related outsourcing agreements. Financial operators in the EU should be aware of this and prepare for it; the EBA’s deadline of September 30, 2019 is just around the corner.
Compliments of Portolano Cavallo Studio Legale, a member of the EACCNY