Outsourcing can be an effective way to lower costs and promote innovation, but it also comes with some challenging aspects. It inherently increases risk regarding data privacy and data security and reduces a bank’s in-house capability. With outsourcing only becoming more popular, the EBA has created guidelines around the practice, the effects of which will need adhering to by December of this year. So what does this mean for you, and what’s the most efficiently smooth way to achieve compliance?
Understanding & Unpacking the Guidelines
These guidelines have been created to accomplish and mitigate several issues that could arise with unchecked outsourcing. From a data & IT perspective, they work to ensure that the concentration risk is lower – so if one of the larger, more popular data or IT service providers fails, it doesn’t take half the banking industry with it while plummeting everything into chaos. It also supports measurable, manageable, trackable, provable practices that encourage accountability and increase security over-all. They enable adequate supervision to the practice of outsourcing arrangements that can be monitored and ask for comprehensive demonstrative documentation.
Secondly, these guidelines want to curb the idea of financial institutions becoming an empty shell. They want to make sure that banks don’t become just a name brand in an impressive building while a collection of 3rd party companies does all the actual work. The management body needs to remain responsible and accountable and offer actual services themselves.
Thirdly, the measures address the geographical concerns that outsourcing presents. Highlighting the fact that not all countries have the same legal standards for privacy outside the EU. Even the recently departed U.K. now will have discrepancies that need to be considered.
Practical Implications & Solutions
So, what needs to be done at your institution? The answer might be more complicated than you think. Beginning with a master list of all your outsourcing partners will be a good start, followed by assessing criticality, exit strategies, consideration for outsourcing outside the EU, concentration risk, substitutability, and conflicts of interest. Newer or up-coming contracts will be easy to navigate into compliance, but what about all the ongoing arrangements that have been on the books for years? How many contracts will you need to open up and rearrange? The remediation process can be complicated and time-consuming, to say the least. How can you ensure that your 1st Line implements everything correctly while mediating the risk? How can you ensure your 2nd Line’s guidelines are effective with proper oversight? How can you ensure your 3rd Line is performing the appropriate audits?
How can you ensure you have the oversight and the compliance proof you need while carrying on BAU?
Like all regulatory change, it can be overwhelming. At ACE, we’re helping our clients by not only laying out crystal-clear, intuitive roadmaps and extensive lists we also make sure that these processes are worked into your framework sustainably, which means a more thorough, smoother compliance journey.
If you’re interested in learning more about how we can help with this or any other topic, reach out.
As always, thanks for reading,
TEAM ACE