Audit rights: understanding ‘full access’ and ‘unrestricted rights’

Out-Law Analysis | 17 Aug 2020 | 9:54 am | 5 min. read

Outsourcing contracts can be drafted in a way that enables financial institutions to meet prescriptive regulatory requirements around audit and access rights while addressing legitimate concerns the service providers might have about the risks and burdens they could be exposed to in meeting those requirements.

Both institutions and service providers should take steps to understand the access and audit rights that must be provided for in outsourcing contracts to comply with the European Banking Authority's (EBA's) guidelines on outsourcing.

Under the EBA's guidelines, outsourcing agreements relating to critical or important functions of financial institutions must provide the institutions with "full access to all relevant business premises" operated by service providers and "unrestricted rights of inspection and auditing" of the outsourced services. The broad nature of these rights will naturally be met with some resistance by service providers. When consulting on the guidelines, the EBA resisted requests to produce standard form clauses to cover the new access and information right and audit right provisions. However, institutions can comply with the guidelines while simultaneously giving service providers some comfort around the scope of the wide rights.

The EBA's guidelines on outsourcing have applied to all new outsourcing from 30 September 2019. Institutions have until December 2021 to update all pre-existing outsourcing contracts and related documentation to meet these standards.

Are the outsourced services critical?

The requirement to ensure "full access" and "unrestricted" audit rights only applies to the outsourcing of critical or important services. If only one part of the services being outsourced is critical, for example the hosting of the institution's data, the audit rights could be narrowed in scope to apply only to those services, which may be of some comfort to service providers.

In the context of providers of 'non-critical' services, institutions will need to assess the need to include such broad rights in their contracts with those providers based on the outcome of their risk assessment of the provider. The institution should consider whether a similar audit right is required "on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities". In such cases, the institution will have some scope to be able to agree to limitations regarding the frequency of audits provided that the limitations do not apply to audits required by the regulator or in emergency situations.

Full access

The guidance requires that the outsourcing contracts between institutions and their service providers provide the institutions and their regulators with "full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors".

Service providers may have legitimate concerns that such access may lead to increased security risks for other customers' data or their own confidential information. If auditors are to be given the wide access rights envisaged, this could create a serious risk that they will be privy to confidential data. Contractual provision can be made to apply obligations of confidentiality and/or require that the institution or regulator be accompanied on the audit. This should help ensure that institutions can still comply with the EBA guidelines whilst respecting the service provider's confidentiality obligations. The institution will not be able to agree that the regulator will enter into a non-disclosure agreement or similar with the supplier and so should not commit to doing so.

When carrying out an audit in multi-customer environments, the guidelines state that institutions should take care to ensure that risks to another business' operations – such as any impact on service levels or availability of data – are avoided or mitigated. This obligation could be agreed with the service provider to give comfort that, in the course of an audit, the institution will take steps to minimise any impact on the supplier's ability to provide the services.

Advance notice

The concept of an 'unrestricted' audit right has raised the question of whether institutions are required to provide notice of the audit to their service providers. While the audit right is stated to be unrestricted, the guidelines go on to provide that before a planned on-site visit, institutions should provide reasonable notice to the service provider, "unless this is not possible due to an emergency or crisis situation or would lead to a situation where the audit would no longer be effective".

Therefore for most audits, an institution can audit on the provision of reasonable notice – the precise meaning of which the parties may determine in advance – unless the audit is required because of an emergency or exceptional situation.

Can the number of audits be limited?

To have a properly unrestricted right of audit as required by the guidelines there cannot be a limit on the number of audits that an institution can make. That said, institutions will not be expecting to audit the service provider more than is necessary and the guidelines require that when exercising their access and audit rights, determining the audit frequency and areas to be audited, institutions should adopt a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards.

This comfort can be provided to service providers to address the risk that they will be overly consumed by dealing with audit requests, particularly when exercised by multiple customers.

If the issue with the scope of the audit right is the unknown frequency and the time taken to manage these by the provider, the parties may agree a forecast audit schedule for the forthcoming year, for example when IT security, financial and vendor management audits will be undertaken and how long they are expected to take. This schedule should expressly exclude any exceptional audits that may need to be exercised by the institution where no notice is required to be provided. 

Good contract management and audit should be a regular part of the parties' successful relationship. If the issue from the service provider side is that they have not priced for assisting with audits, then it may be that the parties can come to a commercial arrangement to ensure that the necessary rights are procured. Where the institution has to audit the provider following a breach or in an exceptional situation, however, it would not be reasonable for the supplier to charge in those circumstances.

Auditing the supplier's subcontractors

Procuring rights to audit the main service provider's sub-contractors is one of the more challenging aspects of complying with the EBA's guidelines – the guidelines provide that an institution must only agree to sub-outsourcing if the sub-contractor undertakes to "grant the institution … the same contractual rights of access and audit as those granted by the service provider".

The onus is on the institution to ensure that the same rights of audit provided for in the agreement with the main service provider flow down to any sub-contractors of the critical and important function. It may not be practical for the contract to simply require that the main service provider procures the same rights of audit for sub-contracted functions as those that apply to functions it carries out itself. In most cases, the main service provider will already have its sub-contractors in place and may have limited scope to renegotiate those agreements, particularly with cloud service providers.

In such circumstances, institutions and the main service provider should reconsider whether those sub-contracted services are critical in their own right, and establish whether the same standards of audit rights are to apply. If so, the most practical solution may be to agree a period during which the supplier can procure the necessary rights. If they cannot, the agreement would be that the institution can require the service provider to select an alternative sub-contractor or choose instead to terminate the outsourcing agreement without penalty.

Co-written by Cameron Ireland of Pinsent Masons.