Consent requirements for financial institutions' sub-outsourcing

Out-Law Analysis | 21 Aug 2020 | 1:50 pm | 2 min. read

Financial institutions will need to familiarise themselves with their direct outsource providers' supply chains and secure a degree of control over any proposed sub-outsourcing by those providers in order to comply with the European Banking Authority's (EBA's) guidelines on outsourcing.

The increased digitalisation of the financial services sector has brought with it greater complexity in how supply chains are structured and in the number of parties that may be involved. This has been recognised by the EBA which has identified sub-outsourcing as a specific risk point for financial institutions to address in its outsourcing guidelines. 

The EBA has been quite clear that, notwithstanding the sub-outsourcing of any aspect of outsourced functions, the institutions remain responsible for the outsourced functions and in meeting the guidelines' requirements.

Approval of sub-outsourcing

The guidelines reference a number of notice and consent provisions that must be included by relevant financial institutions in their outsourcing contracts for critical or important functions. They include provisions that require:

  • the service provider to obtain a specific or general authorisation from the financial institution for any sub-outsourcing of data;
  • the service provider to give notice of any intended sub-outsourcing or material changes in sub-outsourcing, and;
  • the explicit approval of the institution, or a right to object, to any intended sub-outsourcing or material changes to sub-outsourcing arrangements.

The institution has a right to terminate the outsourcing agreement if there is any 'undue' sub-outsourcing, such as where the service provider sub-outsources without meeting the approval requirements. 

Nature of approval

The authorisation from the institution for the sub-outsourcing of data can be a "specific or general written authorisation". This mirrors the wording in Article 28(2) of the GDPR in relation to consent for the appointment of sub-processors in the context of processing personal data.

However, and somewhat confusingly, the guidelines provide for a separate approval requirement for any intended sub-outsourcing or material changes in sub-outsourcing arrangements. Unlike the provision dealing with sub-outsourcing data, there is no reference to a general or specific approval being required in this context, simply that approval needs to be 'explicit'.

It may well be that the intention of the EBA in permitting a general authorisation for the sub-outsourcing of data was to align it with the equivalent provision in the GDPR, thereby avoiding a more restrictive approval process for sub-outsourcing that solely involves the processing of personal data.

Even if that was the motivation behind the provision, the potential for instances where the sub-outsourcing activity is that limited would seem to be low. The net result of having both provisions is likely to be that, as a matter of prudence, institutions will seek to include specific consent as a pre-requisite for all instances of sub-outsourcing to avoid a compliance risk.

Notice of sub-outsourcing

Regardless of the nature of consent, institutions must ensure that outsourcing contracts stipulate that service providers must give notice of any planned sub-outsourcing, or material changes in existing sub-outsourcing.

The guidelines require the notice period to be sufficiently long to enable the institution to carry out a risk assessment of the proposed sub-outsourcing or relevant changes. This is likely to involve a variety of stakeholders within an institution, such as people involved in the security, compliance and risk functions, so practical consideration should be given to this. A prolonged period can, of course, have a potential operational and financial impact on the outsourcing provider, so institutions might well find service providers wanting to negotiate this point.

Operational resilience

These consent requirements might well be seen by suppliers as introducing an additional administrative layer into an outsourcing relationship, and no doubt some will view them as unduly restricting how they resource their service offering. Ultimately, however, they operate to provide greater oversight for institutions of their outsourced functions, giving them greater control and enabling them to better manage risk.