
What do vendors need to consider when providing outsourcing services in the financial and insurance industry?

Mindfulness is the watchword for IT outsourcers in regulated industries

Companies outsource business activities for a variety of reasons, such as cost reduction, increased flexibility, shorter time to market or to focus on their core competence. Companies operating in regulated sectors, such as the financial and insurance industry, healthcare and the public sector, also take these into account when outsourcing certain functions.

However, outsourcing in these industries is proving to be more challenging, as they are subject to sector-specific regulation and the regulatory focus on outsourcing is increasing. This is particularly the case for outsourcing in the financial and insurance sector, where the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA) have adopted a regulatory framework for outsourcing in these sectors.

Vendor challenges

The EBA Guidelines on Outsourcing Arrangements and EIOPA Guidelines on Cloud Outsourcing are legal instruments adopted by, respectively, the EBA and EIOPA. Both guidelines specifically aim at ensuring the resilience and stability of the financial and insurance industry. They primarily focus on risk management and impose strict requirements on areas such as business continuity, exit, vendor management, performance and quality monitoring, and governance.

Although these guidelines apply to financial institutions and insurance companies, they nevertheless also affect vendors who aim to provide outsourcing services to such regulated companies. Both guidelines impose specific contractual and operational requirements that need to be adhered to by providers who aim to provide outsourcing and cloud services in these industries.

Since many outsourcing providers use their own standard contracts and a standardised approach for their service offering, the regulatory requirements as imposed by the EBA and EIOPA guidelines often prove to be challenging for these providers as they, to a certain extent, require them to adapt their business and contractual processes to specific clients or industries.

Resources

> EBA - Guidelines on Outsourcing Arrangements
> EIOPA - Guidelines on Cloud Outsourcing
> Osborne Clarke - Digital regulation | The alchemy of a strategic framing for compliance
> Osborne Clarke - Digital regulation 2.0: UK to set up new competition regime for digital markets

Contractual requirements

The EBA and EIOPA guidelines provide minimum contractual requirements that need to be included in the outsourcing agreement. Although many of these requirements are typically included in any outsourcing agreement (for example, requirements on termination and exit management, liability, service levels and business continuity), there are, nevertheless, some specific topics that are less common. These relate, among other things, to unrestricted audit rights, restrictions on engagement of subcontractors and suspension measures in case of insolvency.

Unrestricted audit rights

Section 13.3 of the EBA guidelines, for instance, states that the outsourcing agreement for an outsourcing that is deemed "critical or important" must provide that the financial institution has full access to all relevant premises and has an unrestricted right of inspection. Under certain conditions, however, financial institutions may rely on pooled audits or third-party certifications.

In addition, the outsourcing arrangement should also expressly refer to the investigatory and information gathering powers of the competent authorities. Consequently, a vendor who aims to provide outsourcing services in the financial sector must accommodate possible inspections performed by competent authorities such as national banks. The EIOPA guidelines impose a similar regime.

Critical-important functions

The EBA guidelines impose stricter conditions on "critical or important" functions. These are generally defined as functions where a defect or failure would materially impair the institution's continued compliance with its obligations under its banking licence or insurance licence, its financial performance or the continuity of its banking or insurance activities.

If the institution intends to outsource a critical or important function, the outsourcing agreement should also expressly provide whether or not the outsourcing provider might sub-outsource portions of the service to third parties. If such sub-outsourcing is contractually permitted, then the contract should also set out the conditions under which such sub-outsourcing is permitted.

In any case, should the outsourcing provider aim to sub-outsource a critical function, it should obtain a prior specific or general authorisation from the institution, and the institution should have the right to object to a material change in sub-outsourcing providers.

Location, location

Aside from the conditions on the use of sub-outsourcers, the EBA and EIOPA guidelines also provide that the outsourcing agreement must expressly state the locations from where the outsourced services are being provided, the location where the relevant data (which is broader than personal data) will be kept and the obligation to notify the institution of any changes to such locations.

This requirement is particularly challenging in the context of cloud outsourcing as, for some cloud providers, different cloud services will be provided from different locations across the world.

Banking continuity

Following the Bank Recovery and Resolution Directive (BRRD), national authorities have comprehensive powers to take appropriate action to ensure the continuity of a bank in case a bank becomes subject to insolvency proceedings.

The BRRD also affects outsourcing agreements. Further to the EBA guidelines, outsourcing agreements must specifically include a reference to the intervention powers of national authorities under the BRRD. As a result, the contract should, among other things, provide that national authorities might, under certain circumstances as further clarified in the BRRD, suspend the termination of the outsourcing agreement.

Operational impact

The guidelines not only have an impact on the contents of the outsourcing agreement but also on the operations of an outsourcing provider. For instance, the restrictions on the use of subcontractors imply that an outsourcing provider that provides a critical or important function to a financial-industry client can no longer unilaterally change subcontractors without some form of approval from the client. In addition, should a cloud provider wish to change the location of its data centres, it would at least need to notify the relevant financial institution.

This concern equally applies to audit rights. As the outsourcing agreement gives the financial or insurance institution an unrestricted audit right with full access, vendors should refrain from including audit clauses that would restrict the financial institution in its audit rights.

Regulatory mindfulness

When providing outsourcing services in a regulated industry, the outsourcing provider should always be mindful of the regulatory requirements that apply in these sectors. On that basis, the outsourcing provider could analyse if, and to what extent, its standard contractual terms and business processes would need to be adapted to accommodate such regulatory requirements.

Connect with one of our experts

Laurens Dauwe, Lead author Counsel, Belgium laurens.dauwe@osborneclarke.com +32 515 93 72

Prashant Mara Partner, BTG Legal, India prashant@btg-legal.com +91 (0) 22 2482 0820

Dr. Daniel Walter Partner, Germany daniel.walter@osborneclarke.com +49 221 5108 4088

Karima Lachgar Partner, France karima.lachgar@osborneclarke.com +33 1 84 82 46 21

Adrian Schneider Partner, Germany adrian.schneider@osborneclarke.com +49 221 5108 4370
