These are ongoing requirements. Financial institutions need to thoroughly assess the content of the certifications or audit reports on a continuous basis, and verify that the reports or certifications are not obsolete. Financial institutions must not rely solely on these certifications or reports over time.
Although financial institutions often flow down these conditions for relying on third party certifications and audit reports to the outsourced service provider, they are primarily internal obligations. Financial institutions need to ensure they are themselves satisfied as to the adequacy and sufficiency of the certifications and audit reports. Ultimately, reliance on such certifications and audit reports does not absolve a financial institution from its overall responsibility for outsourcing arrangements.
Contractual requirements where third party certifications or audit reports are relied upon
The EBA guidelines contain two explicit requirements for outsourcing contracts where certifications or audit reports are being relied upon.
Firstly, financial institutions must have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems or controls. This is a point that is often resisted by suppliers. From a service provider's perspective, the attraction of third party certifications and reports can be diminished if they are required to negotiate further with the third party to satisfy the bespoke requirements of a large group of its customers. The number and frequency of requests for modification of the scope should be reasonable and legitimate from a risk management perspective.
Secondly, where the outsourced function is critical or important, the financial institution must retain the contractual right to perform individual audits at its discretion. This final requirement is problematic and arguably undermines the third party certifications and third party or internal audit reports regime. This is because an institution would usually only seek to rely on certifications or audit reports where a supplier is resistant to providing an individual audit right in the first place.
In practice, institutions and service providers have responded by negotiating a set of circumstances in which an individual audit right will be triggered. This is an area that financial institutions will need to carefully consider, having regard to the nature of the outsourcing arrangement and the underlying key risks.
Challenges with sub-contractors and cloud service providers
The question of relying on third party certifications and audit reports often arises where an outsourcing arrangement involves the use of sub-outsourcing to large cloud service providers. Cloud service providers commonly favour reliance on third party certifications and audit reports as an alternative to individual audit rights due to the shared nature of their facilities and their large customer base. This is a difficult area for financial institutions and service providers to negotiate, particularly given the bargaining power cloud service providers hold.
Often a service provider is itself willing to grant full audit rights, but is unable to procure the same rights from its sub-contractor. This is a complex issue for financial institutions, and one that needs to be carefully worked through, particularly as the EBA guidelines make clear that a financial institution should only agree to sub-outsourcing if the sub-contractor undertakes to grant the financial institution the same rights of access and audit as those granted by the service provider.
Other considerations for financial institutions
Relying on third party certifications and audit reports is not a one-off exercise, and financial institutions have ongoing responsibilities to ensure the adequacy and sufficiency of these arrangements. Financial institutions need to ensure that their internal policies and procedures on outsourcing reflect the requirements of the EBA guidelines in this regard.
From a practical point of view, financial institutions will need to ensure they have the necessary technical and subject matter expertise to be able to assess and review the certifications and audit reports both before and during the life of the outsourcing arrangement. This is a point made by the EBA itself – any staff of the financial institution reviewing third party certifications or audits must have appropriate and relevant skills and knowledge.
The EBA's guidelines on outsourcing have applied to new outsourcing arrangements from 30 September 2019. Financial institutions have until December 2021 to update their existing outsourcing contracts to meet the standards set out in the guidelines.