In recent years, financial institutions have become more active in looking at opportunities and executing the outsourcing of various functions in order to stay flexible and boost efficiency, sometimes without realising the large amount of potential risks. In particular, new technologies and opportunities within the FinTech industry are much more easily accessible with the help of external professional service providers.
In June 2018, the EBA consulted on guidelines on outsourcing arrangements (EBA/CP/2018/11), which will apply to credit institutions and investment firms subject to Capital Requirement Directive (CRD), as well as to payment institutions subject to the revised Payment Services Directive (PSD2) and electronic money institutions. With an indicative application date of 30 June 2019, these guidelines will repeal and harmonise the 2006 CEBS guidelines on outsourcing and will also refer to and consolidate the recommendations on cloud outsourcing (EBA/REC/2017/03), which are already applicable as of 1 July 2018.
The guidelines put a greater amount of focus on the outsourcing of IT and its potential risks. In light of GDPR, particularly sensitive and personal data must be protected and kept confidential with internationally accepted IT security standards. The increased use of Cloud Service Providers (CSP) poses additional data protection risks, data location risks, concentration risks and security issues.
Consequently, institutions will need to review their current internal governance and control framework on outsourcing with a particular focus on
- outsourcing of critical or important functions;
- outsourcing to a third country; and
- outsourcing that is related to the distribution of internal data.