The European Banking Authority finished this February quite efficiently by issuing the revised Guidelines on outsourcing arrangements, which all financial institutions, including banks, must follow. This again underlines the importance of embracing innovation and FinTech in the financial market, where technology is used to improve cost efficiency and achieve economies of scale. Here is
If you want to sell your solution to a bank, be sure that they will check everything. This covers reputation, appropriate and sufficient abilities, expertise, capacity, resources and applicable regulatory authorisation. They will go as deep as looking into your business model, nature, scale, complexity, group structure, long-term relationships with other service providers, and whether you are a parent undertaking or subsidiary. Don’t be surprised if the bank asks about your corporate values and code of conduct too.
Stricter regime for outsourcing “critical or important functions”
It is rather clear that most banks already know what outsourcing is and exactly which functions are critical and important, but in case somebody is struggling, the Guidelines outline core definitions and provide clarity on which aspects should be taken into consideration when doing a risk assessment. The EBA reminds us that responsibility and accountability still lie with the bank even if it decides to outsource. So, to ensure their security, banks will pay extra attention to compliance and management of the outsourcer and even designate a senior staff member who is directly accountable for managing and overseeing the risks of the outsourcing arrangements (consider being friends with this person).
If you don’t want your lawyer or insurer to ask “please tell me you have the contract”, you’d better have one, because it’s a legal requirement. And even if that might sound too obvious to mention for some, the requirements stated in the Guidelines are quite comprehensive. Moreover, they specify the requirements for (a) all outsourcings; and (b) critical or important outsourcings, which are, again, stricter.
Not surprisingly, the outsourced service provider will be monitored on an ongoing basis. This is connected to a very important risk management and governance framework that all banks have to implement. The guidelines also specify that it should be the obligation of the bank to follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. So don’t underperform, because the remedial actions will be taken immediately.
The guidelines oblige financial institutions to maintain a register of information on cloud outsourcings. The register must include the information listed in the guidelines, including a reference number for each outsourcing, a brief description of the outsourcing, the locations from where the functions are performed, and the start, renewal and end date and/or notice periods. Although this is an obligation of the bank, the service provider may be audited by the competent authorities that want to exercise effective supervision.
So what’s next?
If you have been in FinTech long enough, you will know that the bigger the client, the more requirements they have. The financial sector is increasingly vulnerable to external risks, so you have to be prepared. Think like the best Risk or Vendor Manager at the bank. Revise your documentation, fulfill all of the compliance requirements, make things clear as a bell. Prepare your team members, ’cause if you are going for outsourcing for a bank, you gotta work hard.