Outsourcing Risk Guidance Note for Banks

Page 1 of 9 Acknowledgements to CEBS – taken from Guidelines on Outsourcing, published December 2006

Outsourcing Risk Guidance Note for Banks Part 1: Definitions Guideline 1 For the purposes of these guidelines, the following is meant by: a) outsourcing: an authorised entity’s use of a third party (the “outsourcing service provider”) to perform activities that would normally be undertaken by the authorised entity, now or in the future. The supplier may itself be an authorised or unauthorised entity; b) purchasing: inter alia, the supply (i) of services, goods or facilities without information about, or belonging to, the purchasing institution coming within the control of the supplier; or (ii) of standardised products, such as market information or office inventory. (Authorised entities should ensure that what they are buying is fit for purpose.). The supply of (i) or (ii) is not outsourcing; c) outsourcing service provider: the supplier of goods, services or facilities, which may or may not be an authorised entity, and which may be an affiliated entity within a corporate group or an entity that is external to the group; d) outsourcing institution: the authorised entity which is the buyer of such goods, services or facilities; e) authorised entity: a licensed bank; f) material activities: (i) activities of such importance that any weakness or failure in the provision of these activities could have a significant effect on the authorised entity’s ability to meet its regulatory responsibilities and/or to continue in business; (ii) any other activities requiring a licence from the supervisory authority; (iii) any activities having a significant impact on its risk management; and (iv) the management of risks related to these activities. g) senior management: persons who effectively direct the business of the authorised entity; h) “chain” outsourcing: outsourcing where the outsourcing service provider subcontracts elements of the service to other providers.

Page 2 of 9 Acknowledgements to CEBS – taken from Guidelines on Outsourcing, published December 2006 Part 2: Guidelines on outsourcing addressed to authorised entities Guideline 2 The ultimate responsibility for the proper management of the risks associated with outsourcing or the outsourced activities lies with an outsourcing institution’s senior management.

1. All outsourcing regimes should ensure that the outsourcing of functions to an outsourcing service provider does not impair the supervision of the outsourcing institution.
2. Responsibility for outsourced functions must always be retained by the outsourcing institution. The outsourcing of functions does not relieve an outsourcing institution of its regulatory responsibilities for its authorised activities or the function concerned.
3. Outsourcing institutions should be required to retain adequate core competence at a senior operational level in house to enable them to have the capability to resume direct control over an outsourced activity, in extremis.
4. Outsourcing shall not affect managers' full and unrestricted responsibilities under applicable legislation (e.g. under banking law). Guideline 3 Outsourcing arrangements can never result in the delegation of senior management’s responsibility.
5. The outsourcing of core management functions is considered generally to be incompatible with the senior management’s obligation to run the enterprise under their own responsibility. Core management functions include, inter alia, setting the risk strategy, the risk policy, and, accordingly, the risk-bearing capacity of the institution. Hence, management functions such as the setting of strategies and policies in respect of the authorised entity’s risk profile and control, the oversight of the operation of the entity’s processes, and the final responsibility towards customers and supervisors should not be outsourced. Guideline 4 4.1 An authorised entity may not outsource services and activities concerning the acceptance of deposits or to lending requiring a licence from the supervisory authority according to the applicable national banking law unless the outsourcing service provider either (i) has an authorisation that is equivalent to the authorisation of the outsourcing institution; or (ii) otherwise allowed to carry out those activities in accordance with the relevant national legal framework. 4.2 Any area of activity of an outsourcing institution other than those identified in

Page 3 of 9 Acknowledgements to CEBS – taken from Guidelines on Outsourcing, published December 2006 Guidelines 2 and 3 may be outsourced provided that such outsourcing does not impair: a) the orderliness of the conduct of the outsourcing institution’s business or of the financial services provided; b) the senior management’s ability to manage and monitor the authorised entity’s business and its authorised activities; c) the ability of other internal governance bodies, such as the board of directors or the audit committee, to fulfil their oversight tasks in relation to the senior management; and d) the supervision of the outsourcing institution. 4.3 An outsourcing institution should take particular care when outsourcing material activities. The outsourcing institution should adequately inform its supervisory authority about this type of outsourcing.

1. These requirements do not affect the principle of managers' sole responsibility (Guideline 2) for all authorised activities. The managers of the outsourcing institution shall be fully responsible to the supervisory authority for any outsourced activity. The managers should therefore take suitable measures to ensure that the outsourced activities continue to meet the performance and quality standards that would apply if their own institution were to perform the relevant activities in-house.
2. An outsourcing institution should adequately inform its supervisory authority on any material activity to be outsourced. Such information should be made available in a timely manner in order for the supervisor to evaluate the proposal or to allow him to consider whether the proposal raises prudential concerns and to take appropriate action if required. Outsourcing institutions should be aware that for the outsourcing of material activities the supervisory authority may impose specific conditions. In doing so, the supervisory authority will consider factors such as the size of the institution, the nature of the outsourced activity, the characteristics and market position of the service provider, the duration of the contract and the potential of the outsourcing to generate conflicts of interest (e.g. the supervisory authority may wish to prohibit the outsourcing of the financial accounting and the preparation of the annual accounts to the outsourcing institution’s external auditor, or to the office with which the external auditor is connected).
3. An outsourcing institution should inform its supervisory authority of any material development affecting the service provider and its ability to fulfil its obligations to customers.
4. Subject to the principles that apply to cross-border outsourcing expressed under Guideline 4.1(i), no special rules are needed in relation to the geographical location of an outsourcing service provider.
5. Intra-group outsourcing and outsourcing according to Guideline 4.1(i) can be material. Outsourcing institutions should be aware that supervisory authorities may take specific circumstances into consideration, such as the extent to which the outsourcing institution controls the service provider or has the ability to influence its actions, and the extent to

Page 4 of 9 Acknowledgements to CEBS – taken from Guidelines on Outsourcing, published December 2006 which the service provider is included in the consolidated supervision of the group, when assessing the risks associated with an intra-group outsourcing arrangement and the treatment to apply to such arrangements. Guideline 5 There should be no restrictions on the outsourcing of non-material activities of an outsourcing institution.

1. In such cases the outsourcing institution does not need to adequately inform its supervisory authority. Nevertheless, outsourcing institutions should adequately manage the risks relating to such outsourcing arrangements at all times. In line with Guideline 2, the senior management of the outsourcing institution should be fully responsible for any outsourced activity.
2. Areas which could be regarded as nonmaterial are those not falling within the definition of “material activities” according to Guideline 1(f), and may include: a) areas which do not potentially constitute relevant risks and which, if outsourced, would not compromise the provisions set forth in Guideline 4.2 above; and b) purely advisory services used by the institution. For example, this applies to legal and tax consulting, even where this is not limited to individual aspects or projects. Guideline 6 6.1 The outsourcing institution should have a policy on its approach to outsourcing, including contingency plans and exit strategies. 6.2 An outsourcing institution should conduct its business in a controlled and sound manner at all times.
3. The outsourcing institution should have a general policy that covers all aspects of outsourcing, including non-material outsourcing, whether the outsourcing takes place within a corporate group or not.
4. When drawing up the policy the outsourcing institution should recognise that no form of outsourcing is risk free. The policy should recognise that the management of non-material and intra-group outsourcing should be proportionate to the risks presented by these arrangements.
5. The policy should explicitly consider the potential effects of outsourcing on certain significant functions (e.g. the internal audit function and the compliance function) when conducting the risk analysis prior to outsourcing.
6. The policy should ensure that the outsourcing service provider's financial performance and essential changes in the service provider’s organisation structure and ownership structure

Page 5 of 9 Acknowledgements to CEBS – taken from Guidelines on Outsourcing, published December 2006 are appropriately monitored and assessed by the outsourcing institution's management so that any necessary corrective measures can be taken promptly. 5) The outsourcing institution should specify the internal units or individuals that are responsible for monitoring and managing each outsourcing arrangement. 6) The policy should consider the main phases that make up the life cycle of an institution’s outsourcing arrangements: a) the decision to outsource or change an existing outsourcing arrangement (the decision making phase); b) due diligence checks on the outsourcing service provider; c) drafting a written outsourcing contract and service level agreement (the pre-contractual drafting phase); d) the implementation, monitoring, and management of an outsourcing arrangement (the contractual phase). This may include also the following-up of changes affecting the outsourcing service provider (e.g. major change in ownership, strategies, profitability of operations); e) dealing with the expected or unexpected termination of a contract and other service interruptions (the post-contractual phase). In particular, outsourcing institutions should plan and implement arrangements to maintain the continuity of their business in the event that the provision of services by an outsourcing service provider fails or deteriorates to an unacceptable degree, or the firm experiences other changes. This policy should include contingency planning and a clearly defined exit strategy. Guideline 7 An outsourcing institution should manage the risks associated with its outsourcing arrangements.

1. Compliance with this article should include an ongoing assessment by the outsourcing institution of the operational risks and the concentration risk associated with all its outsourcing arrangements. An outsourcing institution should inform its supervisory authority of any material development. Guideline 8 All outsourcing arrangements should be subject to a formal and comprehensive contract. The outsourcing contract should oblige the outsourcing service provider to protect confidential information.
2. Any outsourcing arrangement should be based on a clear written contract.

Page 6 of 9 Acknowledgements to CEBS – taken from Guidelines on Outsourcing, published December 2006 2) An outsourcing institution should make sure that the written contract takes account of the following (bearing in mind other specific national rules and legislation): a) The operational activity that is to be outsourced should be clearly defined. b) The precise requirements concerning the performance of the service should be specified and documented, taking account of the objective of the outsourcing solution. The outsourcing service provider's ability to meet performance requirements in both quantitative and qualitative terms should be assessable in advance, including compliance with these Guidelines. c) The respective rights and obligations of the outsourcing institution and the outsourcing service provider should be precisely defined and specified. This should also serve to ensure compliance with laws and supervisory regulations and guidelines for the duration of the outsourcing arrangement. d) In order to underpin an effective policy for managing and monitoring the outsourced activities, the contract should include a termination and exit management clause, where proportionate and if deemed necessary, which allows the activities being provided by the outsourcing service provider to be transferred to another outsourcing service provider or to be reincorporated into the outsourcing institution. e) The contract should cover the protection of confidential information, banking secrecy and any other specific provisions relating to handling confidential information. Whenever information is subject to confidentiality rules at the level of the outsourcing institution at least the same level of confidentiality should be ensured by the service provider. f) The contract should ensure that the outsourcing service provider's performance is continuously monitored and assessed so that any necessary corrective measures can be taken promptly. g) The contract should include an obligation on the outsourcing service provider to allow the outsourcing institution's compliance and internal audit departments complete access to its data and its external auditors full and unrestricted rights of inspection and auditing of that data. h) The contract should include an obligation on the outsourcing service provider to allow direct access by the outsourcing institution's supervisory authority to relevant data and its premises as required. i) The contract should include an obligation on the outsourcing service provider to immediately inform the outsourcing institution, or the supervisory authority directly, of any material changes in circumstances which could have a material impact on the continuing provision of services. This may require obtaining consents from affected parties such as the parent company and relevant home supervisory authority.

Page 7 of 9 Acknowledgements to CEBS – taken from Guidelines on Outsourcing, published December 2006 j) The outsourcing contract shall contain provisions allowing the outsourcing institution to cancel the contract by contractual notice of dismissal or extraordinary notice of cancellation if so required by the supervisory authority. 3) When drafting the contract the outsourcing institution should bear in mind that the level of monitoring, assessment, inspection and auditing required by the contract should be proportionate to the risks involved and the size and complexity of the outsourced activity. Guideline 9 In managing its relationship with an outsourcing service provider an outsourcing institution should ensure that a written agreement on the responsibilities of both parties and a quality description is put in place.

1. A written agreement should normally contain a mixture of quantitative and qualitative performance targets, to enable an outsourcing institution to assess the adequacy of service provision.
2. An outsourcing institution should also consider the need to evaluate the performance of its outsourcing service provider using mechanisms such as service delivery reports, self￾certification or independent review by the outsourcing institution’s, or the outsourcing service provider's, internal and/or external auditors.
3. An outsourcing institution should be prepared to take remedial action if the outsourcing service provider's performance is inadequate. Guideline 10 10.1 The outsourcing institution should take account of the risks associated with “chain” outsourcing. 10.2 The outsourcing institution should agree to chain outsourcing only if the sub-contractor will also fully comply with the obligations existing between the outsourcing institution and the outsourcing service provider, including obligations incurred in favour of the supervisory authority. 10.3 The outsourcing institution should take appropriate steps to address the risk of any weakness or failure in the provision of the sub-contracted activities having a significant effect on the outsourcing service provider's ability to meet its responsibilities under the outsourcing agreement.
4. The sub-outsourcing of outsourced activities and functions to third parties (sub-contractors) should be treated by the outsourcing institution like a primary outsourcing measure. Compliance with these conditions should be ensured contractually, for example by a clause in the outsourcing contract requiring the prior consent of the outsourcing institution to the possibility and the modalities of sub-outsourcing.

Page 8 of 9 Acknowledgements to CEBS – taken from Guidelines on Outsourcing, published December 2006 2) The outsourcing institution should ensure that the outsourcing service provider agrees that the contractual terms agreed with the sub-contractor will always conform, or at least not be contradictory, to the provisions of the agreement with the outsourcing institution. Part 3: Guidelines on outsourcing addressed to supervisory authorities Guideline 11 Supervisory authorities should require that the outsourcing institution has established supervisory authority access to relevant data held by the outsourcing service provider and, where provided for by the national law, the right for the supervisory authority to conduct on￾site inspections at an outsourcing service provider’s premises.

1. Supervisory authorities should aim to be satisfied that outsourcing institutions ensure that their outsourcing contracts with outsourcing service providers grant the supervisory authority the rights to information and, where provided for by the national law, to inspection, admittance and access (including access to databases), as well as the right to give directions or instructions, which the supervisory authority needs to exercise its supervisory functions.
2. Supervisory authorities should encourage outsourcing institutions to ensure that information may also be made available to the supervisory authority by the outsourcing service provider's external auditor.
3. Supervisory authorities should aim to ensure that their powers to issue orders or instructions to the outsourcing institution can be reliably enforced, without being compromised by instructions issued to the outsourcing service provider’ by other bodies, so as to ensure the orderly performance of the outsourced activities.
4. The supervisory authorities should aim to ensure that they can obtain detailed information about any outsourcing processes which might undermine the stability of the consolidated group whose overall supervision is, ultimately, their responsibility.
5. In the case of outsourcing to service providers abroad, the outsourcing institution should be responsible for ensuring that the supervisory authority can exercise its information gathering rights, including its right to demand documents and audits, and, compatibly with the overall legal framework its inspection rights.
6. The requirement to cancel the outsourcing contract (under Guideline 8.2(j) should be properly justified by the supervisor on the basis of non-compliance with the provisions of these Guidelines, in particular of those with regard to the safeguarding of rights of supervision and enforcement.
7. The outsourcing institution may – prior to outsourcing – consider in consultation with the supervisory authority what alternative measures could adequately mitigate the risks involved.

Page 9 of 9 Acknowledgements to CEBS – taken from Guidelines on Outsourcing, published December 2006 Guideline 12 Supervisory authorities should take account of concentration risk. Supervisory authorities should seek to identify any concentration risk on a sectoral level and seek to monitor these risks at a systemic level.