The European Banking Authority has published its Final Report on EBA Draft Guidelines on outsourcing arrangements (the Guidelines).
What is its scope?
The Guidelines are relevant to UK banks, building societies, designated investment firms and IFPRU investment firms. (For brevity, we simply refer to banks below.) Other FCA controlled entities, such as UK insurers, should continue to comply with the FCA's F16/5 Guidance for Cloud.
They set out the governance framework for bank outsourcings, including cloud outsourcings, in one document.
When does it come into force?
The Guidelines enter into force on 30 September this year and will apply to bank outsourcings "entered into, reviewed or amended" after 30 September.
Under the transitional period, with the exception of outsourcing to Cloud providers (for which the EBA recommendation already applies), banks are also expected to review and amend their existing outsourcing arrangements to ensure compliance at first renewal or, at the latest, 31 December 2021.
An exception is Guideline 63(b), which applies to the outsourcing of banking or payment services to a service provider located in a third country. This scenario will require a cooperation agreement between the bank's regulator and the regulator which supervises the service provider, a requirement which comes into force from 31 December 2021.