EBA: Outsourcing guidelines: what’s the point and what’s the impact for the service provider?

18 January 2022

Banks had until December 31, 2021 to revise their contracts with their PECI subcontractors if they wanted to comply with the EBA guidelines published 2 years earlier.

These guidelines define the concept of outsourcing, lay down criteria for determining whether an outsourced activity is critical or important, and establish a governance framework for the relationship with the service provider.

What is outsourcing?

This is an agreement between an institution, payment institution or electronic money institution and a service provider, under which the service provider takes over a process or performs a service or activity that would otherwise be carried out by the institution itself.

These recommendations apply to the outsourcing of critical or important functions, though not exclusively, and cover both intra-group and extra-group outsourcing arrangements.

How do you know if a service is critical and important?

A service is critical and important if the answer to any of the following questions is yes:

  • will an anomaly or failure in its execution seriously undermine the ability of establishments to comply on an ongoing basis with the conditions of their approval or with their other obligations?
  • will an anomaly or failure in its execution seriously undermine their financial performance?
  • will an anomaly or failure in its execution seriously undermine the soundness or continuity of their banking and payment services and activities?
  • will an anomaly or failure in its execution seriously undermine their short- and long-term financial resilience and viability, including, where applicable, their assets, capital, costs, funding, liquidity, profits and losses?
  • does an anomaly or failure in its execution affect business continuity and operational resilience?
  • does an anomaly or failure in its execution increase their operational and reputational risks?

If the impact of any disruption to the outsourced function, or of the service provider's inability to deliver the service at the agreed service levels on an ongoing basis, is high, then the function is critical and important.

In practical terms?

Banking and payment institutions must keep an up-to-date outsourcing register and document all outsourcing agreements. This register, which can be maintained centrally within a group, must include a list of information for each operation.

Control points that a banking or payment institution must have with regard to a subcontractor:

  • Remain autonomous in decisions relating to their banking activities, even when outsourcing.
  • Maintain the regularity (compliance) of their activities.
  • Identify, assess, manage and mitigate the risks associated with current and planned outsourcing arrangements, including ICT and financial technology risks. This includes the BCP (Business Continuity Plan), DRP (Disaster Recovery Plan) and IRP (Information Recovery Plan).

The impact is considerable for the PECI provider

These regulations apply to all banking and payment institutions, regardless of the size of their subcontractors.

The institution must be able to take at least one of the following actions within an appropriate timeframe: transfer the function to another service provider, re-insource the function, or discontinue the business activities that depend on the function.

The rules and conditions for audits are quite strict, although the practical arrangements (e.g. frequency, duration) can be negotiated when the contract is drawn up.

If the outsourcing involves personal data, the establishment must ensure that the service provider takes appropriate technical and organizational measures to protect it.

RGPD and EBA: same battle

Strictly speaking, the RGPD does not require that a register of subcontractors be kept, but that outsourced operations involving the processing of personal data be identified and monitored.

However, the information to be collected under the RGPD is similar to that required by the EBA. In the interests of rationalization, storing all of this information in one place could simplify the two processes and make them more coherent.
