- Question ID: 2020_5220
- Legal act: Directive 2013/36/EU (CRD)
- Topic: Internal governance
- Article: 74
- Paragraph: 3
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: EBA/GL/2019/02 - Guidelines on outsourcing arrangements
- Article/Paragraph: 26, 28c & 99b
- Type of submitter: Industry association
- Subject matter: Consideration of Cloud services as outsourcing arrangements
- Question
a.- Are activities which are not listed in Annex 1 of Directive 2013/36/EU (amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC Text with EEA relevance) outside the scope of outsourcing for GL purposes?
d.- How do the EBA Guidelines on outsourcing apply to those entities’ EU branches whose national law conflicts with the EBA Guidelines on outsourcing? And if it is a non-EU branch?
e.- Regarding the transition period of outsourced functions, the current wording of paragraph 99.b. Section 13.4 Termination Rights, Title IV – Outsourcing process, states that the provider continues to perform the outsourced function when the outsourcing agreement is already terminated.
  - Is there an inconsistency with regard to the wording set forth in paragraph 99.b., as it states that the provider would be rendering services during the transition period without an enforceable contract and therefore the agreed contractual conditions would not be in force at the time of the transition period of the outsourced function?
  - If not, shall contracts allow their validity to be extended only for the period of time that the service is being transferred in order to avoid interruptions and to include a suspension clause for termination so that the contract terminates at the time of the effective transfer?
- Background on the question
Question “a”: The EBA GL on Outsourcing (GL) defines “outsourcing” as follows: “means an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which a service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution”.
Further, the EBA GL on Outsourcing clarify in paragraph 26 that: “.....Within this assessment, consideration should be given to whether the function (or a part thereof) that is outsourced to a service provider is performed on a recurrent or an ongoing basis by the service provider and whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by institutions or payment institutions, even if the institution or payment institution has not performed this function in the past itself.”
According to Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC Text with EEA relevance, the activities subject to mutual recognition are set out in Annex 1.
Taking into account that GL specify how the outsourcing arrangements should be reviewed and monitored by competent authorities to fulfill their duty to monitor the continuous compliance of entities to which the GL are addressed with the conditions of their authorisations; and that the authorisation refers to activities listed under the abovementioned Annex 1, please clarify if the scope of functions referred to in paragraph 26 should be aligned with the activities for which the institutions are authorised to operate (included in the above-mentioned Annex 1).
Question “d”: The point (17) of Article 4(1) of Regulation (EU) No 575/2013 defines branch as follows: “means a place of business which forms a legally dependent part of an institution and which carries out directly all or some of the transactions inherent in the business of institutions”;
Further, and according to Q&A in page 83 (Comments: Paragraphs 17 and 21; The EBA analysis: “The guidelines apply to subsidiaries, including subsidiaries located in third countries that are not directly subject to the guidelines, but are covered by its requirements on a consolidated basis, i.e. considering that the parent and its subsidiary would form one single entity. The responsibility to implement the guidelines and to ensure compliance with the guidelines lies, in that situation, with the consolidating institution.”
According to the abovementioned and taking into account that the GL applies to those entities’ branches which are located within the EU as they “forms a legally dependent part of an institution” and, also applies to those branches located in third countries outside EU that are not directly subject to the guidelines, being the consolidating institution the responsible to implement the GL in both scenarios, please clarify what actions should be taken by the consolidating institution in order to implement the GL in jurisdictions where there exists an inconsistency between the GL and the branches’ national banking law.
Question “e”: In particular, please clarify whether there is an inconsistency regarding the wording set forth in paragraph 99.b. Section 13.4 Termination Rights, Title IV – Outsourcing and if not, please confirm if the contracts must allow their validity to be extended only for the period of time that the service is being transferred in order to avoid interruptions
- Submission date
- Final publishing date
- Final answer
a) In line with the Title II of the EBA guidelines on outsourcing arrangements (EBA/GL/2019/02), institutions should establish whether an arrangement with a third party falls under the definition of outsourcing, i.e. “an arrangement of any form between an institution […] and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself”.
Within this assessment, consideration should be given to whether the function (or a part thereof) that is provided by a service provider is performed on a recurrent or an ongoing basis by the service provider and whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by institutions, even if the institution has not performed this function in the past itself.
On this basis, subject to the above assessment, any activity, process or service that is usually performed by the credit institution could be outsourced and therefore shall fall into the scope of application of the GL; this assessment does not depend on the way the activity, process or service is performed by a third party (e.g. via a cloud service). The scope of application of the EBA GL on outsourcing is not limited to activities that are listed in the Annex I of CRD.
The activities listed in Annex I do not establish criteria to determine whether an arrangement with a third-party provider is an outsourcing. All functions performed by third parties that are related to activities performed by the institution may be qualified as outsourcing where such activities are usually performed by credit institutions. This is not limited to activities listed in the Annex I of Directive 2013/36/EU.
Once an arrangement with a third-party provider is qualified as outsourcing under the criteria within par 26 to 28 of the guidelines, institutions should take into account the criteria listed in paragraphs 29 to 31 of the guidelines to assess whether the outsourcing arrangement is critical or important.
The reference to Annex I of Directive 2013/36/EU, as included in par. 29.c, footnote 35 of the guidelines, was to provide further guidance to institutions on the arrangements with third parties that should be considered as a critical or important function considering the risks associated with the function.
The guidelines provide criteria to ensure that the assessment of the criticality or importance of functions is harmonised. Outsourcing of critical and important functions can have a strong impact on the institution’s or payment institution’s risk profile. To this end, additional requirements apply to the outsourcing of critical or important functions, which aim to ensure the soundness of their governance arrangements and that competent authorities can exercise effective supervision.
Also, for cloud services, the above-mentioned assessment as specified in paragraphs 26 to 31 of the guidelines should be performed. There is no automatism that leads to the conclusion whether or not all cloud services are outsourcing arrangements, including the usage of a community or hybrid cloud service.
More specifically, as regards cloud services, it has to be noted that the provisions of the EBA Recommendations on outsourcing to cloud service providers, published in December 2017, have been integrated into the EBA GL on outsourcing.
- In line with Regulation (EU) No 575/2013 a “branch” is a place of business which forms a legally dependent part of an institution and which carries out directly all or some of the transactions inherent in the business of institutions. Branches are non-independent parts of the institution. The institution should take all the actions which are needed in order to comply with the outsourcing requirements of the home Member States in all of its EU branches. EU branches of institutions are not subject to additional authorisation requirements (Article 17 Directive 2013/36/EU).
Notwithstanding legal requirements that apply on a national basis (e.g. AML/CFT), branches in the European Economic Area (EEA) of a credit institution whose head office is located in a different Member State (EU branches) are subject to the supervision of the competent authority of that Member State (home Member State). EU branches shall therefore adopt internal governance arrangements, including on outsourcing arrangements, which are in line with those of their head office when resorting to outsourcing arrangements. Therefore, the institution should take all the actions which are needed in order to comply with the outsourcing requirements of the home Member State in all of its EU branches.
Regarding institutions’ branches established in a third country, local requirements apply in principle as far as this is not contrary to the requirements set out under the relevant EU framework: institutions should also take all the actions, which are needed to ensure that the EU outsourcing requirements are taken into account by their branches established in a third country.
- In accordance with paragraph 99 c) of the EBA guidelines on outsourcing, the outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution. The written outsourcing arrangement should set an appropriate transition period, during which the service provider, after the termination (i.e. cancellation) of the outsourcing arrangement, would continue to provide the outsourced function to reduce the risk of disruptions (i.e. the services will be provided during an appropriate period where the contractual rights and obligations continue to apply). When determining the appropriate period, the institution should take into consideration potential delays when transferring or re-incorporating the outsourced function after the event triggering the termination of the contract.
Institutions should include in their contractual arrangements with service providers the obligation of the service providers to cooperate and ensure a smooth transition, including after triggering the termination of the contract. As this obligation forms part of the contractual arrangements, it should be enforceable towards the service provider, who would provide the services in this transition period until the contractual obligation ends.
- Status: Final Q&A
- Answer prepared by: Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.