Regulation on the Application of the Guidelines on Outsourcing Arrangements

THIS TEXT IS UNOFFICIAL TRANSLATION AND MAY NOT BE USED AS A BASIS FOR SOLVING ANY DISPUTE Page 1 of 3  Official Gazette of the Republic of Slovenia, No. 45/2019 of 12 July 2019 (in force as of 30 September 2019) Pursuant to the third paragraph of Article 13 of the Banking Act (Official Gazette of the Republic of Slovenia, Nos. 25/15, 44/16 [ZRPPB], 77/16 [ZCKR], 41/17, 77/18 [ZTFI-1] and 22/19 [ZIUDSOL]; hereinafter: the ZBan-2), the eleventh paragraph of Article 243 of the Payment Services, Electronic Money Issuance Services and Payment Systems Act (Official Gazette of the Republic of Slovenia, Nos. 7/18 and 9/18 [revision]; hereinafter: the ZPlaSSIED), and the first paragraph of Article 31 of the Bank of Slovenia Act (Official Gazette of the Republic of Slovenia, Nos. 72/06 [official consolidated version], 59/11 and 55/17), the Governing Board of the Bank of Slovenia hereby issues the following REGULATION on the application of the Guidelines on outsourcing arrangements Article 1 (purpose and field of application of guidelines) (1) Pursuant to Article 16(1) of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331 of 15 December 2010, p 12), as last amended by Regulation (EU) No 2018/1717 of the European Parliament and of the Council of 14 November 2018 amending Regulation (EU) No 1093/2010 as regards the location of the seat of the European Banking Authority (OJ L 291 of 16 November 2018; p 1; hereinafter: Regulation (EU) No 1093/2010), on 25 February 2019 the European Banking Authority published the Guidelines on outsourcing arrangements (EBA/GL/2019/02; hereinafter: the guidelines) on its website. (2) The guidelines referred to in the first paragraph of this article specify the internal governance arrangements, including sound risk management, that institutions, payment institutions and electronic money institutions should implement when they outsource functions, in particular with regard to the outsourcing of critical or important functions. (3) The guidelines are addressed to:

1. institutions as defined in point 3 of Article 4(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176 of 27 June 2013, p 1), as last amended by Regulation (EU) 2019/876 of the European Parliament and of the Council of 20 May 2019 amending Regulation (EU) No 575/2013 as regards the leverage ratio, the net stable funding ratio, requirements for own funds and eligible liabilities, counterparty credit risk, market risk, exposures to central counterparties, exposures to collective investment undertakings, large exposures, reporting and disclosure requirements, and Regulation (EU) No 648/2012 (OJ L 150 of 7 June 2019, pp 1-225; hereinafter: Regulation (EU) No 575/2013);
2. payment institutions as defined in point 4 of Article 4 of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337 of 23 December 2015, pp 35-127; hereinafter: Directive (EU) 2015/2366);
3. electronic money institutions as defined in point 1 of Article 2 of Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit

THIS TEXT IS UNOFFICIAL TRANSLATION AND MAY NOT BE USED AS A BASIS FOR SOLVING ANY DISPUTE Page 2 of 3 and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC (OJ L 267 of 10 October 2009, pp 7-17), as last amended by Directive (EU) 2015/2366; and 4. competent authorities as defined in point 40 of Article 4(1) of Regulation (EU) No 575/2013. Article 2 (content of regulation and scope of application of guidelines) (1) By virtue of this regulation the Bank of Slovenia sets out the application of the guidelines to:

1. banks and savings banks that in accordance with the ZBan-2 have obtained an authorisation to provide banking services in the Republic of Slovenia (hereinafter: banks);
2. payment institutions that in accordance with the ZPlaSSIED have obtained an authorisation to provide payment services as a payment institution;
3. electronic money institutions that in accordance with the ZPlaSSIED have obtained an authorisation to provide electronic money issuance services as an electronic money institution; and
4. the Bank of Slovenia, when in accordance with the ZBan-2 and the ZPlaSSIED in its role as the competent authority it is exercising supervisory powers and tasks over banks referred to in point 1 of this paragraph, payment institutions referred to in point 2 of this paragraph and electronic money institutions referred to in point 3 of this paragraph. (2) Banks referred to in point 1 of the first paragraph of this article shall take full account of the provisions of the guidelines in the parts addressed to banks. (3) Payment institutions referred to in point 2 of the first paragraph of this article shall take full account of the provisions of the guidelines in the parts addressed to payment institutions. (4) Electronic money institutions referred to in point 3 of the first paragraph of this article shall take full account of the provisions of the guidelines in the parts addressed to electronic money institutions. (5) In exercising its supervisory powers and tasks in accordance with the ZBan-2, the ZPlaSSIED and Regulation (EU) No 575/2013, the Bank of Slovenia shall take full account of the provisions of the guidelines in the parts relating to the exercise of the powers and tasks of the competent authority. Article 3 (repeal of previous regulation) On the day that this regulation enters into force, the Regulation on the application of the Recommendations on outsourcing to cloud service providers (Official Gazette of the Republic of Slovenia, No. 37/18) shall cease to be in force. Article 4 (entry into force) This regulation shall enter into force on the day after its publication in the Official Gazette of the Republic of Slovenia, and shall begin to be applied on 30 September 2019. Ljubljana, 4 July 2019 Boštjan Vasle President,

THIS TEXT IS UNOFFICIAL TRANSLATION AND MAY NOT BE USED AS A BASIS FOR SOLVING ANY DISPUTE Page 3 of 3 Governing Board of the Bank of Slovenia