Out-Law News

Bank outsourcing guidelines 'are risk to competition and innovation'

Competition and digital innovation at banks is at risk unless significant changes are made to planned new regulatory guidelines on outsourcing, an international law firm has said.

Pinsent Masons, the law firm behind Out-Law.com, warned that some service providers could be persuaded not to enter the financial services market due to the onerous obligations banks could be required to place on them under draft guidance proposed by the European Banking Authority (EBA).

Banks too might develop an overly cautious approach to outsourcing and miss out on innovative digital solutions available in the market as a result of a lack of clarity in the EBA's proposals, it said.

Pinsent Masons' warnings were contained in a response to the EBA's consultation on draft new Committee of European Banking Supervisors (CEBS) guidelines on outsourcing that it opened in June. The consultation closed on Monday.

The new CEBS guidance will be an important document as, when finalised, it will update the existing CEBS outsourcing guidelines that have been in place since 2006 as well as separate cloud outsourcing recommendations the EBA has developed more recently, which only came into effect in July.

In its response, Pinsent Masons highlighted a number of deficiencies with the EBA's draft new CEBS guidance, including in relation to requirements around audit rights and sub-contracting arrangements the regulator has proposed.

However, even more fundamental issues were identified, including the broad scope of the proposed new guidelines. Pinsent Masons said the new CEBS guidelines should only apply to "critical or important outsourcings" engaged in by financial institutions.

"To provide the necessary level of clarity and certainty to both institutions and service providers, and enable institutions to focus their financial and human resources on applying to guidelines to arrangements in a proportionate and risk-based manner to critical or important outsourcings, we call on the EBA to dis-apply the guidelines entirely with regard to the outsourcing of non-critical or important functions," Pinsent Masons said.

"It is not, for example, clear to us why it would be necessary for an institution to maintain a detailed record of noncritical/important outsourcings, as this will not enable competent authorities to monitor operational and concentration risk in the banking industry in any meaningful way. It is also not an efficient use of their resources," it said.

"Furthermore, we believe that this broad application of the guidelines will have the effect of stifling competition between small and large technology providers, on the basis that smaller providers will likely not have the financial or operational resources (or bargaining power with larger suppliers in their supply chain) in order to meet the requests of institutions seeking to implement the guidelines to their arrangements with those providers," it said.

"In turn, this may create an uneven 'playing field' by making it more challenging for small providers to meet these requests, meaning they are forced to focus on clients outside of financial services. This cannot be in the interests of the banking industry given it would leave institutions with less choice," Pinsent Masons said.

The EBA's proposed definition of 'outsourcing' is also too broad as it stands, Pinsent Masons said. It does not reflect the reality of how many institutions in the market now operate, it said.

"As IT services continue to evolve, particularly cloud-based ones, there are many activities which are commonly viewed as ones that in a practical sense would never be undertaken by the institution," Pinsent Masons said. "Accordingly, we recommend the EBA clarify that, where an IT service is not critical for the provision of continuous and satisfactory service to clients, it should not be considered one that 'would otherwise be undertaken by the institution' and consequently fall outside the definition of outsourcing."

Pinsent Masons also called on the EBA to narrow the concept of 'outsourcing' by excluding lower risk "non-critical or important third party arrangements".

The UK's Financial Conduct Authority (FCA) recently said that the way banks currently outsource some of their activities does not raise "significant concerns". The FCA announced in the summer that its cloud computing guidance no longer applies to banks and instead directed banks to follow the EBA's recommendations on cloud outsourcing.
