The growth of the fintech ecosystem and the pervasive use of cloud services are a testament to their benefits, bringing scale efficiencies and speed to us all through the pooling of resources that would otherwise be dispersed across firms.
While outsourcing reduces risks through improved compliance technology, frequent security patching and service resilience, it also creates new risks for individuals, firms and the market as a whole. It raises questions about whether a third party will provide better anti-money laundering compliance than you can, whether a vendor’s priorities in a crisis will match yours, and whether having a single back office provider creates a dependency across the industry. These outsourcing risks were set out in the Financial Conduct Authority’s (FCA) latest business plan, which reported that just under one-fifth of incidents reported by firms were caused by IT failure at a third-party supplier. Following one such failure at Raphaels Bank and a fine from the FCA, Mark Steward, executive director of enforcement and market oversight, stated: “There is no lower standard for outsourced systems and controls, and firms are accountable for failures by outsourcing providers.”
The increasing need to address these risks is reflected in the European Banking Authority’s (EBA) new guidelines on outsourcing. These guidelines came into force on September 30, 2019, and place new obligations on all payment institutions, e-money institutions, credit institutions and markets in financial instruments directive (MiFID) investment firms for new or amended outsourcing arrangements. They also set a deadline of December 31, 2021, to implement the guidelines across all existing arrangements.
The experience of delivering the general data protection regulation (GDPR) article 28 contract amendments and vendor due diligence and documenting a cloud inventory provides valuable lessons for meeting the EBA guidelines. These show the importance of focusing on three key questions: how will you document and track your vendors easily? How do you focus on the priority risks? How do you create a suitable level of governance? Answering these questions will ultimately require firms to re-design their approach to third-party risk management.
Before firms can start managing their outsourcing arrangements, they need to meet the key challenge set by section 11 of the EBA guidelines: maintaining a detailed register of all outsourcing arrangements, including sub-contracting arrangements to third countries, pre-outsourcing analysis and due diligence, and a record of all outsourcing risks. Just as the article 30 inventory was the foundation of GDPR delivery, the section 11 EBA register is likely to be the foundation of the EBA outsourcing programme and of ongoing compliance. Technology to support the management of outsourcing arrangements is rapidly improving, and firms should consider how it can best support them. For example, using an information sharing network of pre-populated vendor data could let firms share effort and automate the tracking of risk across potentially thousands of vendors, reducing the need for remediation activity and ongoing business-as-usual oversight.
Identifying biggest risks
The EBA guidelines expand the scope of outsourced function oversight to include intra-group outsourcing, moving beyond only those functions deemed critical or important, which creates a significant need for more monitoring. Much like GDPR, these guidelines cover cloud outsourcing and reflect the fact that the highest risks may not come from the largest vendors. Smaller vendors with access to sensitive data or delivering a critical technology service could pose the most significant risks, but they are often missed under existing assessments. Firms will therefore need to take the regulator’s changed view of risk into account to ensure they focus on the right areas.
Suitable governance arrangements
The EBA guidelines specify that a senior manager must be accountable for outsourcing arrangements. It is likely this has already been considered under the Senior Managers & Certification Regime (SMCR), but the challenge lies in moving to a more centralised assessment of vendors. This will mean a greater compliance focus on onboarding and oversight, and delivering on new requirements such as testing exit strategies, without creating an over-burdensome compliance obligation on the business. Clarity around the end-to-end design will enable firms to identify where they can make small changes and align with existing resilience, security and privacy obligations, rather than creating significant duplication with new processes.
Firms should consider these questions now, as regulators are indicating that they intend to test compliance. The National Bank of Belgium, for example, has stated that they plan to review firms’ outsourcing inventories in the first quarter of 2022.
As with all compliance programmes, those who consider the key questions posed by the EBA outsourcing guidelines early and deliver their answers steadily will see a far lower compliance cost and greater business benefits than those who just focus on tactical changes as and when required.
Richard Watson-Bruhn is a financial services expert at PA Consulting