Outsourcing Policy Update to align with new EBA and local requirements

SUMMARY

Avantage Reply assisted a Private Banking group in the Eurozone to review of group Outsourcing policy.

In light of changing European and national regulatory requirements that came into force in 2019, our client revised the internal processes and procedures regarding the management and oversight of both, intra-group and third-party outsourcing activities.

A key concern of the client was to define a new group policy that considers the existing organization of the bank. This included the roles and responsibilities of three lines of defense (“3 LoD”), European and local regulatory requirements.

CUSTOMERS GOALS

Our client’s main goal was to define a new group outsourcing policy that would be compliant with the minimum requirements as defined by the EBA (EBA/GL/2019/02) and reflect its internal organization for outsourcing arrangements.

THE CHALLENGE

The key challenge for the project was a changing and overlapping set of regulations. To achieve full compliance with the new regulations, our client had to consider both, EBA guidelines in force from September 2019 but not yet translated into national regulation and local requirements regarding outsourcing to cloud computing infrastructures. Additionally, being head office of the group, our client had to consider local organizational constrains in the subsidiaries and how the proportionality principle would apply.

From an operational point of view, the multitude of stakeholders and the fact that not all elements of the outsourcing oversight are specifically tailored to outsourcing contributed to the complexity of the project (e.g. outsourcing risk is also a part of the general operational risk framework of the bank).

APPROACH AND SOLUTION

Avantage Reply took a three-step approach to identify outstanding regulatory and organizational gaps and to define the group outsourcing policy:

1. Conduct interviews with all stakeholders (such as operational departments, risk, compliance and legal) to identify their respective roles and responsibilities within the outsourcing process,
2. Review all existing documentation (i.e. committee minutes, procedures, outsourcing register, roles and responsibilities),
3. Draft the group outsourcing policy taking into account the client’s adopted 3 LoD model, management body structure and roles and responsibilities at subsidiaries level.

The key deliverable of the project was a complete outsourcing policy, to serve as a key guideline for all outsourcing-related processes and procedures within the group. It covers the main steps of the outsourcing process with references to the respective regulatory texts and practical examples (e.g. list of functions and activities not classified as an outsourcing). It includes:

• outsourcing definition, categorization and obligations vis-à-vis local regulator,
• roles and responsibilities of the 3 LoD and the management body,
• planning of outsourcing arrangements incl. risk assessment and due diligence process,
• contractual phase,
• implementation, monitoring and management of outsourcing arrangements,
• outsourcing register and oversight,
• business continuity plan and exit strategies,

As a result, our client implemented the newly defined policy and aligned all related procedures to fully comply with the new regulatory requirements.