Organizations have different reasons for outsourcing IT functions to third parties ("providers"). Companies that outsource ("outsourcers") may do so to reduce operating costs or to obtain expertise. Unfortunately, the significant risks associated with outsourcing important technology functions are often ignored. These risks include business continuity, information security and data protection, intellectual property and unrepated procedural risks.

At the broadest level, the lack of control and of management oversight is at the root of the majority of outsourcing risks. All of these risks are related to the broader theme of compliance, and when key functions are outsourced, it becomes increasingly difficult to manage risk and control compliance. Information security and data protection attract a lot of attention, and it is not surprising that they pose a major risk when technological functions are outsourced. When a process is outsourced, it can be more difficult to monitor and manage that process. In addition, almost every state has its own data protection and identity theft laws for residents of that particular state. When a business deals with a resident of a particular state and suffers a security breach or unauthorized access to the resident's non-public personal data, the company must notify the resident in accordance with legal requirements. Once functions are outsourced, events that trigger notification obligations may be more difficult to detect.

The guidelines were published by the EBA on February 25, 2019 and came into effect on September 30, 2019. Outsourcing agreements concluded after 30 September 2019 must meet the new requirements, subject to a declaration by the competent authorities of their intention to comply with the instructions set out in the EBA guidelines (see Article 16, paragraph 3, Regulation (EU) 1093/2010). A transitional period until December 31, 2021 applies to existing outsourcing contracts, with the exception of existing cloud service agreements, which are not required to comply with the guidelines.

2. How does the EBA define outsourcing?

The EBA proposes a new definition of outsourcing that should be applied with care. According to the definition in the guidelines, "outsourcing" refers to "an agreement of any kind between an institution, payment institution or electronic money institution and a service provider through which that provider performs a process, service or activity that would otherwise be carried out by the institution, payment institution or electronic money establishment itself." The guidelines also clearly define what is not considered outsourcing. In addition, this revised definition also applies to intragroup outsourcing, as such subcontracting is not necessarily less risky than outsourcing to a company outside the group. From now on, financial institutions will also be required to take into account conflicts of interest that may arise from intragroup outsourcing agreements. The guidelines also set out global regulatory points that must be included and regulated in the outsourcing agreements themselves.

4. What are the most important requirements in the pre-outsourcing phase?

Financial institutions must ensure:

6. What about outsourcing agreements outside the EU?

A key condition is that financial institutions ensure that an appropriate cooperation agreement is reached between the supervisory authorities of the financial institution and the supervisory authorities of the service provider.