EBA Outsourcing Guidelines – Update

Philipp Rosenauer Head Legal Regulatory Implementation, Legal, PwC Switzerland 02 May 2019

It was expected, or at least there was wishful thinking, that MiFID II (2014/65/EU) and GDPR (Regulation (EU) 2016/679) would be the regulatory summit for our high mountain region. However, the European Regulator is continuing to pursue its overall goal of strengthening the regulatory framework in the European Union, which, in turn, is having a major impact on the Swiss financial industry.

On the 25th February 2019, the EBA published its final version of the new EBA Outsourcing Guidelines (EBA/GL/2019/02) (hereinafter the “EBA Guidelines” or “guidelines”) that will be applicable from 30 September 2019. These Guidelines will replace the current CEBS Guidelines of 2006 (GL02/2006) and will repeal the Recommendation on Outsourcing to Cloud Service Providers of 20 December 201 (EBA/REC/2017/03).

The EBA has taken the latest developments with regard to financial markets and the corresponding regulatory initiatives as an opportunity to redefine outsourcing standards and guidelines to ensure that they comply and align with the various requirements of CRR/ CRD IV (Regulation (EU) 575/2013), GDPR (Regulation (EU) 2016/679), PSD II (2015/2366/EU), BRRD (2014/59/EU), and MiFID II (2014/65/EU). Furthermore, it also addresses internal as well as external outsourcing as well as cloud outsourcing.

An important difference as compared with FINMA Circular 2018/3 is that the EBA Guidelines apply to all outsourced functions, not just those deemed to be “critical and important”, to cite the wording used in MiFID II and Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II in identifying services, activities or functions falling within the scope of the existing provisions on outsourcing arrangements. Furthermore, the FINMA circular consists of 6 pages, whereas the EBA Guidelines provide around 50 pages of complex reading.

The new guidelines require external service providers in a third country to apply the regulatory requirements in almost the same way as EU domiciled banks. How to do so, and what it means, is outlined below.

This paper gives you an easy to read, but also fundamental, overview of the complexity and impact of this major topic, and prepares you for the new obligations in this field. The following key points are discussed:
  • Executive summary
  • Background and looking ahead
  • Key topics to understand
  • Target Operating Model
  • Conclusion and impact on the financial industry
  • Legal background

Download our updated whitepaper here

Have a good reading and please don’t hesitate to contact us in case of any question.

 

Contact us

Dr. Günther Dobrauz

Dr. Günther Dobrauz

Partner and Leader Legal, PwC Switzerland

Tel: +41 58 792 14 97

Philipp Rosenauer

Philipp Rosenauer

Head Legal Regulatory Implementation, Legal, PwC Switzerland

Tel: +41 58 792 18 56

Vanessa Dutzi

Vanessa Dutzi

Strategic Regulatory & Sustainability Services, Legal, PwC Switzerland

Tel: +41 58 792 4759