The Guidelines
The EBA issued its final Guidelines in February of this year. The Guidelines set out the EBA’s recommendations as to minimum requirements to be implemented in outsourcing (including cloud) arrangements carried out by certain types of financial regulated parties. (A link to the final text is available here and to our summary of the Guidelines here).
From an outsourcing contract perspective, the Guidelines build upon pre-existing rules and they do require organisations to undertake reviews (perhaps large scale reviews) of outsourcing arrangements entered into before the effective date to identify the gaps between those current arrangements and what is required under the Guidelines, and then remediate them.
Effective date
There appears to be an inconsistency within the Guidelines with regards to when organisations are required to remediate their non-compliant outsourcing agreements.
The Guidelines specify that with the exception of one particular requirement (the requirement for supervisory authorities to put in place cooperation agreements between themselves), the Guidelines will apply to all outsourcing agreements “entered into, reviewed or amended” on or after 30 September 2019.
The Guidelines separately specify that the deadline for updating the documentation of all existing outsourcing agreements (except existing cloud outsourcing agreements) is “following the first renewal date of each existing outsourcing arrangement but by no later than 31 December 2021”.
It is therefore unclear whether organisations can wait until after the first renewal period to update contractual documentation or whether the review and refresh needs to be completed at an earlier point.
Despite the confusion, it would be prudent to remediate existing agreements at the earliest possible point within the remediation period, and especially when leverage is strong. Contract renewal, expansions or formal vendor review times are obvious examples of when leverage is strong.
Approaches to remediation
The task of remediating one’s outsourcing agreements is no doubt a challenge for many, with potentially significant resources having to be dedicated.
Given the effective date is almost upon us, organisations should now be considering how to best achieve the required levels of compliance (for example, triaging existing contracts in order of criticality/importance, implementing a form of blanket/wholesale contractual amendment across all existing outsourcing arrangements, or something else). Each option comes with its own advantages and challenges (resource-related or otherwise) and due thought should be given before an approach is selected. Technology-related assistance (for example, through the use of AI technology) should also be considered to help categorise the agreements to be remediated.
For more information on the Guidelines or any of the above material, please contact a member of the Simmons ICT team.
_11zon.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
_11zon.jpg?crop=300,495&format=webply&auto=webp)
.jpg?crop=300,495&format=webply&auto=webp)
