Out-Law Analysis | 22 Jun 2020 | 8:57 am | 5 min. read
The EBA's guidelines require that outsourcing agreements specify whether or not sub-outsourcing of critical functions is permitted. Where a critical or important function is being sub-outsourced, the guidelines also specify that financial and payment institutions should ensure they have the contractual right to terminate the outsourcing agreement where there is undue sub-outsourcing or if proposed sub-outsourcing will result in material increase of risk or could have material adverse effects on the arrangement.
Institutions will find it difficult to agree contractual termination rights of this nature with providers because of uncertainty over what constitutes 'undue' sub-outsourcing. However, some alternative options are available to provide certainty to the parties on when the termination right may be triggered that still allow institutions to comply with the guidelines.
These are options institutions and service providers might want to consider ahead of a regulatory deadline imposed by the EBA. The EBA's guidelines on outsourcing have applied to all new outsourcing from 30 September 2019, but institutions have until December 2021 to update all existing documentation to meet the standards.
One area of particular scrutiny by the EBA relates to the use of sub-outsourcers by service providers. Sometimes known as "chain-outsourcing", sub-outsourcing means a situation where the service provider under an outsourcing arrangement further transfers an outsourced function to be performed by another service provider.
The EBA's guidelines stipulate that outsourcing agreements must clearly specify the extent to which any critical functions can be sub-outsourced, and further highlights several important issues which should be considered if sub-outsourcing is to be permitted. These include a right for institutions to be notified of any envisaged sub-outsourcing and to oversee those services as they are carried out. The purpose of these conditions is for institutions to retain as much contractual control as possible over critical functions.
In order to comply with the guidelines, institutions must ensure that their outsourcing agreements are sufficiently detailed with regards to sub-outsourcing. Rather than simply stating whether or not sub-outsourcing is permitted, the agreement should specify which parts of the service may be sub-outsourced. If the institution considers any services or functions to be critical, this should be expressly flagged in the outsourcing agreement and recorded in the institution's outsourcing register.
The guidelines introduce two circumstances where institutions should have the right to terminate the outsourcing agreement in relation to their sub-outsourcing arrangements.
Institutions have an obligation to continue to oversee not just the service provider but any sub-service providers. This includes the obligation to ensure that there are flowdown provisions in the service provider's sub-contract to ensure that the sub-outsourcer agrees to comply with all applicable laws, regulatory requirements and contractual obligations and grants the institution and its regulators the same right of access and audit as the main service provider. Institutions will need a contractual right of approval from service providers in relation to any proposed sub-outsourcing and if "the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, [including where the flowdown provisions referred to above would not be met], the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract".
The guidelines require that where a service provider is permitted to sub-outsource a critical or important function the outsourcing agreement must contain "the contractual right to terminate the agreement in the case of undue sub-outsourcing".
However, it is unclear what exactly would constitute "undue sub-outsourcing" under the guidelines. The guidelines cite two examples of when this might occur, but has otherwise not defined the concept. The examples given are:
These examples are not exhaustive but do show an intention that the sub-outsourcing or change in sub-outsourcing must have an impact on the risk profile of the arrangement and the impact must be material.
In the 'background' section of the guidelines, the EBA states that "institutions and payment institutions should always have the right to terminate the contract if planned changes to services, including such changes caused by sub-outsourcing, would have an adverse effect on the risk assessment of the outsourced service". This language mirrors the wording used in the EBA's now-defunct guidelines on cloud computing. However, it is explanatory only and not binding and it would certainly appear that it is the EBA's intention that the termination right under the new guidelines is in fact broader.
The guidelines do not specify exactly how the contract should deal with the right to terminate in cases of undue sub-outsourcing. For instance, they do not prescribe how much notice is required, or whether the institution can allow the service provider to remedy the fact that there has been undue sub-outsourcing of a critical or important function.
Institutions could just mirror the language used by the EBA to ensure compliance but as the term is not explicitly defined service providers will be reluctant to accept it and the lack of clarity could lead to protracted disputes over whether or not the institution can exercise the termination right in the first place.
One way of addressing the problem around the lack of a definition of undue sub-outsourcing, while still complying with the guidelines, would be for an institution to include a right to terminate the agreement if there is a change to the permitted sub-outsourcing arrangements without the institution's prior consent. This ensures that the institution is made aware of any proposed changes in advance and can then take the decision as to whether or not the proposed change would have an impact on the risk profile of the arrangement. It should be remembered that this termination right only relates to sub-outsourcing of critical or important functions so would not limit a service providers' right to sub-contract generally.
Another way of clarifying this situation could be to include a definition of "undue sub-outsourcing" in the agreement with a non-exhaustive list of examples. Provided the definition was sufficiently broad, this would likely satisfy the guidelines. To achieve this, the definition should at least include the examples of undue sub-outsourcing cited in the guidelines, as well as refer to a breach of the provisions relating to the service provider's conduct around sub-outsourcing.
Agreeing termination rights is always a hard negotiated area and it may be that institutions need to be creative if a new standalone right cannot be agreed. For example, the institution could look to incorporate the right as a deemed material breach of contract or look at whether the termination for convenience provisions are flexible enough that they could move away from the arrangement if the institution considers that there has been undue sub-outsourcing.
Additional reporting by Cameron Ireland of Pinsent Masons.
03 Mar 2020