{ "pages": [ { "name": "Title I – Proportionality1", "elements": [ { "type": "matrixdropdown", "name": "Proportionality", "title": "Proportionality", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "18. Institutions, payment institutions and competent authorities should, when complying or supervising compliance with these guidelines, have regard to the principle of proportionality. The proportionality principle aims to ensure that governance arrangements, including those related to outsourcing, are consistent with the individual risk profile, the nature and business model of the institution or payment institution, and the scale and complexity of their activities so that the objectives of the regulatory requirements are effectively achieved.", "19. When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities.", "20. 
When applying the principle of proportionality, institutions, payment institutions and competent authorities should take into account the criteria specified in Title I of the EBA Guidelines on internal governance in line with Article 74(2) of Directive 2013/36/EU." ] } ], "title": "Title I – Proportionality: group application and institutional protection schemes" }, { "name": "Title I – Proportionality: group application and institutional protection schemes2", "elements": [ { "type": "matrixdropdown", "name": "Outsourcing_by_groups_and_institutions", "title": "Outsourcing by groups and institutions that are members of an institutional protection scheme", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "21. In accordance with Article 109(2) of Directive 2013/36/EU, these guidelines should also apply on a sub-consolidated and consolidated basis, taking into account the prudential scope of consolidation. 
For this purpose, the EU parent undertakings or the parent undertaking in a Member State should ensure that internal governance arrangements, processes and mechanisms in their subsidiaries, including payment institutions, are consistent, well integrated and adequate for the effective application of these guidelines at all relevant levels.", "22. Institutions and payment institutions, in accordance with paragraph 21, and institutions that, as members of an institutional protection scheme, use centrally provided governance arrangements should comply with the following: a. where those institutions or payment institutions have outsourcing arrangements with service providers within the group or the institutional protection scheme, the management body of those institutions or payment institutions retains, also for these outsourcing arrangements, full responsibility for compliance with all regulatory requirements and the effective application of these guidelines; b. where those institutions or payment institutions outsource the operational tasks of internal control functions to a service provider within the group or the institutional protection scheme, for the monitoring and auditing of outsourcing arrangements, institutions should ensure that, also for these outsourcing arrangements, those operational tasks are effectively performed, including through the receiving of appropriate reports.", "23. In addition to paragraph 22, institutions and payment institutions within a group for which no waivers have been granted on the basis of Article 109 of Directive 2013/36/EU and Article 7 of Regulation (EU) No 575/2013, institutions that are a central body or that are permanently affiliated to a central body for which no waivers have been granted on the basis of Article 21 of Directive 2013/36/EU, or institutions that are members of an institutional protection scheme should take into account the following: a. where the operational monitoring of outsourcing is centralised (e.g. 
as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; b. institutions and payment institutions should ensure that their management body will be duly informed of relevant planned changes regarding service providers that are monitored centrally and the potential impact of these changes on the critical or important functions provided, including a summary of the risk analysis, including legal risks, compliance with regulatory requirements and the impact on service levels, in order for them to assess the impact of these changes;", "23 c. where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution and payment institution should receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process; d. 
where the register of all existing outsourcing arrangements, as referred to in Section 11, is established and maintained centrally within a group or institutional protection scheme, competent authorities, all institutions and payment institutions should be able to obtain their individual register without undue delay. This register should include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group or institutional protection scheme; e. where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and be satisfied that the plan can be effectively executed.", "24. Where waivers have been granted pursuant to Article 21 of Directive 2013/36/EU or Article 109(1) of Directive 2013/36/EU in conjunction with Article 7 of Regulation (EU) No 575/2013, the provisions of these guidelines should be applied by the parent undertaking in a Member State for itself and its subsidiaries or by the central body and its affiliates as a whole.", "25. Institutions and payment institutions that are subsidiaries of an EU parent undertaking or of a parent undertaking in a Member State to which no waivers have been granted on the basis of Article 21 of Directive 2013/36/EU or Article 109(1) of Directive 2013/36/EU in conjunction with Article 7 of Regulation (EU) No 575/2013 should ensure that they comply with these Guidelines on an individual basis." 
] } ], "title": "Title I – Proportionality: group application and institutional protection schemes" }, { "name": "Title II – Assessment of outsourcing arrangements1", "elements": [ { "type": "matrixdropdown", "name": "Outsourcing", "title": "Outsourcing", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "26. Institutions and payment institutions should establish whether an arrangement with a third party falls under the definition of outsourcing. Within this assessment, consideration should be given to whether the function (or a part thereof) that is outsourced to a service provider is performed on a recurrent or an ongoing basis by the service provider and whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by institutions or payment institutions, even if the institution or payment institution has not performed this function in the past itself.", "27. Where an arrangement with a service provider covers multiple functions, institutions and payment institutions should consider all aspects of the arrangement within their assessment, e.g. 
if the service provided includes the provision of data storage hardware and the backup of data, both aspects should be considered together.", "28. As a general principle, institutions and payment institutions should not consider the following as outsourcing: a. a function that is legally required to be performed by a service provider, e.g. statutory audit; b. market information services (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s, Fitch); c. global network infrastructures (e.g. Visa, MasterCard); d. clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members; e. global financial messaging infrastructures that are subject to oversight by relevant authorities; f. correspondent banking services; and g. the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the institution’s or payment institution’s premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators), goods (e.g. plastic cards, card readers, office supplies, personal computers, furniture) or utilities (e.g. electricity, gas, water, telephone line)." 
] } ], "title": "Title II – Assessment of outsourcing arrangements 1" }, { "name": "Title II – Assessment of outsourcing arrangements2", "elements": [ { "type": "matrixdropdown", "name": "Critical_or_important_functions", "title": "Critical or important functions", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "29. Institutions and payment institutions should always consider a function as critical or important in the following situations: a. where a defect or failure in its performance would materially impair: i. their continuing compliance with the conditions of their authorisation or its other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations; ii. their financial performance; or iii. the soundness or continuity of their banking and payment services and activities; b. when operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function; c. 
when they intend to outsource functions of banking activities or payment services to an extent that would require authorisation by a competent authority, as referred to in Section 12.1.", "30. In the case of institutions, particular attention should be given to the assessment of the criticality or importance of functions if the outsourcing concerns functions related to core business lines and critical functions as defined in Article 2(1)(35) and 2(1)(36) of Directive 2014/59/EU and identified by institutions using the criteria set out in Articles 6 and 7 of Commission Delegated Regulation (EU) 2016/778. Functions that are necessary to perform activities of core business lines or critical functions should be considered as critical or important functions for the purpose of these guidelines, unless the institution’s assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the operational continuity of the core business line or critical function.", "31. When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: a. whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which they are authorised; b. the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: i. short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses; ii. business continuity and operational resilience; iii. 
operational risk, including conduct, information and communication technology (ICT) and legal risks; iv. reputational risks; v. where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation; c. the potential impact of the outsourcing arrangement on their ability to: i. identify, monitor and manage all risks; ii. comply with all legal and regulatory requirements; iii. conduct appropriate audits regarding the outsourced function; d. the potential impact on the services provided to its clients; e. all outsourcing arrangements, the institution’s or payment institution’s aggregated exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area;", "31 f. the size and complexity of any business area affected; g. the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying agreement; h. the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so (‘substitutability’); i. the ability to reintegrate the outsourced function into the institution or payment institution, if necessary or desirable; j. 
the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity on the institution or payment institution and its clients, including but not limited to compliance with Regulation (EU) 2016/679." ] } ], "title": "Title II – Assessment of outsourcing arrangements 2" }, { "name": "Title III – Governance framework1", "elements": [ { "type": "matrixdropdown", "name": "Sound_governance_arrangements_and_third_party_risk", "title": "Sound governance arrangements and third-party risk", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "32. As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. 
The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks.", "33. Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2.", "34. Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements." ] } ], "title": "Title III – Governance framework 1" }, { "name": "Title III – Governance framework2", "elements": [ { "type": "matrixdropdown", "name": "Sound_governance_arrangements_and_outsourcing", "title": "Sound governance arrangements and outsourcing", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": 
"comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "35. The outsourcing of functions cannot result in the delegation of the management body’s responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions.", "36. The management body is at all times fully responsible and accountable for at least: a. ensuring that the institution or payment institution meets on an ongoing basis the conditions with which it must comply to remain authorised, including any conditions imposed by the competent authority; b. the internal organisation of the institution or the payment institution; c. the identification, assessment and management of conflicts of interest; d. the setting of the institution’s or payment institution’s strategies and policies (e.g. the business model, the risk appetite, the risk management framework); e. overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and f. the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making.", "37. Outsourcing should not lower the suitability requirements applied to the members of an institution’s management body, directors and persons responsible for the management of the payment institution and key function holders. Institutions and payment institutions should have adequate competence and sufficient and appropriately skilled resources to ensure appropriate management and oversight of outsourcing arrangements.", "38. Institutions and payment institutions should: a. clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements; b. 
allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; c. taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution’s internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution’s or payment institution’s management body.", "39. Institutions and payment institutions should maintain at all times sufficient substance and not become ‘empty shells’ or ‘letter-box entities’. To this end, they should: a. meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; b. retain a clear and transparent organisational framework and structure that enables them to ensure compliance with legal and regulatory requirements; c. where operational tasks of internal control functions are outsourced (e.g. in the case of intragroup outsourcing or outsourcing within institutional protection schemes), exercise appropriate oversight and be able to manage the risks that are generated by the outsourcing of critical or important functions; and d. have sufficient resources and capacities to ensure compliance with points (a) to (c).", "40. When outsourcing, institutions and payment institutions should at least ensure that: a. 
they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; b. they maintain the orderliness of the conduct of their business and the banking and payment services they provide; c. the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); d. appropriate confidentiality arrangements are in place regarding data and other information; e. an appropriate flow of relevant information with service providers is maintained; f. with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: i. transfer the function to alternative service providers; ii. reintegrate the function; or iii. discontinue the business activities that are depending on the function. g. 
where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with Regulation (EU) 2016/679." ] } ], "title": "Title III – Governance framework 2" }, { "name": "Title III – Governance framework3", "elements": [ { "type": "matrixdropdown", "name": "Outsourcing_policy", "title": "Outsourcing policy", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "41. The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA’s Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance.", "42. 
The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: a. the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; b. the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; c. the planning of outsourcing arrangements, including: i. the definition of business requirements regarding outsourcing arrangements; ii. the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; iii. risk identification, assessment and management in accordance with Section 12.2; iv. due diligence checks on prospective service providers, including the measures required under Section 12.3; v. procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; vi. business continuity planning in accordance with Section 9; vii. the approval process of new outsourcing arrangements;", "42. d. the implementation, monitoring and management of outsourcing arrangements, including: i. the ongoing assessment of the service provider’s performance in line with Section 14; ii. the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing); iii. the independent review and audit of compliance with legal and regulatory requirements and policies; iv. the renewal processes; e. the documentation and record-keeping, taking into account the requirements in Section 11; f. 
the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement.", "43. The outsourcing policy should differentiate between the following: a. outsourcing of critical or important functions and other outsourcing arrangements; b. outsourcing to service providers that are authorised by a competent authority and those that are not; c. intragroup outsourcing arrangements, outsourcing arrangements within the same institutional protection scheme (including entities fully owned individually or collectively by institutions within the institutional protection scheme) and outsourcing to entities outside the group; and d. outsourcing to service providers located within a Member State and third countries.", "44. Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: a. the institution’s risk profile; b. the ability to oversee the service provider and to manage the risks; c. the business continuity measures; and d. 
the performance of their business activities." ] } ], "title": "Title III – Governance framework 3" }, { "name": "Title III – Governance framework4", "elements": [ { "type": "matrixdropdown", "name": "Conflicts_of_interests", "title": "Conflicts of interests", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "45. Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements.", "46. Where outsourcing creates material conflicts of interest, including between entities within the same group or institutional protection scheme, institutions and payment institutions need to take appropriate measures to manage those conflicts of interest.", "47. When functions are provided by a service provider that is part of a group or a member of an institutional protection scheme or that is owned by the institution, payment institution, group or institutions that are members of an institutional protection scheme, the conditions, including financial conditions, for the outsourced service should be set at arm’s length. 
However, within the pricing of services synergies resulting from providing the same or similar services to several institutions within a group or an institutional protection scheme may be factored in, as long as the service provider remains viable on a stand-alone basis; within a group this should be irrespective of the failure of any other group entity." ] } ], "title": "Title III – Governance framework 4" }, { "name": "Title III – Governance framework5", "elements": [ { "type": "matrixdropdown", "name": "spørsmål1", "title": "Conflicts of interests", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "48. Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance,46 and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Institutions and payment institutions within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions.", "49. 
Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider’s jurisdiction." ] } ], "title": "Title III – Governance framework 5" }, { "name": "Title III – Governance framework6", "elements": [ { "type": "matrixdropdown", "name": "Internal_audit_function", "title": "Internal audit function", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "50. The internal audit function’s activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions.", "51. With regard to the outsourcing process, the internal audit function should at least ascertain: a. 
that the institution’s or payment institution’s framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; b. the adequacy, quality and effectiveness of the assessment of the criticality or importance of functions; c. the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution’s risk strategy; d. the appropriate involvement of governance bodies; and e. the appropriate monitoring and management of outsourcing arrangements." ] } ], "title": "Title III – Governance framework 6" }, { "name": "Title III – Governance framework7", "elements": [ { "type": "matrixdropdown", "name": "Documentation_requirements", "title": "Documentation requirements", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "52. 
As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period.", "53. Taking into account Title I of these guidelines, and under the conditions set out in paragraph 23(d), for institutions and payment institutions within a group, institutions permanently affiliated to a central body or institutions that are members of the same institutional protection scheme, the register may be kept centrally.", "54. The register should include at least the following information for all existing outsourcing arrangements: a. a reference number for each outsourcing arrangement; b. the start date and, as applicable, the next contract renewal date, the end date and/or notice periods for the service provider and for the institution or payment institution; c. a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; d. a category assigned by the institution or payment institution that reflects the nature of the function as described under point (c) (e.g. information technology (IT), control function), which should facilitate the identification of different types of arrangements; e. 
the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any); f. the country or countries where the service is to be performed, including the location (i.e. country or region) of the data; g. whether or not (yes/no) the outsourced function is considered critical or important, including, where applicable, a brief summary of the reasons why the outsourced function is considered critical or important; h. in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; i. the date of the most recent assessment of the criticality or importance of the outsourced function.", "55. For the outsourcing of critical or important functions, the register should include at least the following additional information: a. the institutions, payment institutions and other firms within the scope of the prudential consolidation or institutional protection scheme, where applicable, that make use of the outsourcing; b. whether or not the service provider or sub-service provider is part of the group or a member of the institutional protection scheme or is owned by institutions or payment institutions within the group or is owned by members of an institutional protection scheme; c. the date of the most recent risk assessment and a brief summary of the main results; d. the individual or decision-making body (e.g. the management body) in the institution or the payment institution that approved the outsourcing arrangement; e. the governing law of the outsourcing agreement; f. the dates of the most recent and next scheduled audits, where applicable; g. 
where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the sub-contractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored; h. an outcome of the assessment of the service provider’s substitutability (as easy, difficult or impossible), the possibility of reintegrating a critical or important function into the institution or the payment institution or the impact of discontinuing the critical or important function; i. identification of alternative service providers in line with point (h); j. whether the outsourced critical or important function supports business operations that are time-critical; k. the estimated annual budget cost.", "56. Institutions and payment institutions should, upon request, make available to the competent authority either the full register of all existing outsourcing arrangements or sections specified thereof, such as information on all outsourcing arrangements falling under one of the categories referred to in point (d) of paragraph 54 of these guidelines (e.g. all IT outsourcing arrangements). Institutions and payment institutions should provide this information in a processable electronic form (e.g. a commonly used database format, comma separated values).", "57. Institutions and payment institutions should, upon request, make available to the competent authority all information necessary to enable the competent authority to execute the effective supervision of the institution or the payment institution, including, where required, a copy of the outsourcing agreement.", "58. 
Institutions, without prejudice to Article 19(6) of Directive (EU) 2015/2366, and payment institutions should adequately inform competent authorities in a timely manner or engage in a supervisory dialogue with the competent authorities about the planned outsourcing of critical or important functions and/or where an outsourced function has become critical or important and provide at least the information specified in paragraph 54.", "59. Institutions and payment institutions should inform competent authorities in a timely manner of material changes and/or severe events regarding their outsourcing arrangements that could have a material impact on the continuing provision of the institutions’ or payment institutions’ business activities.", "60. Institutions and payment institutions should appropriately document the assessments made under Title IV and the results of their ongoing monitoring (e.g. performance of the service provider, compliance with agreed service levels, other contractual and regulatory requirements, updates to the risk assessment)." 
] } ], "title": "Title III – Governance framework 7" }, { "name": "Title IV – Outsourcing process1", "elements": [ { "type": "matrixdropdown", "name": "Pre_outsourcing_analysis", "title": "Supervisory conditions for outsourcing", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "61. Before entering into any outsourcing arrangement, institutions and payment institutions should: a. assess if the outsourcing arrangement concerns a critical or important function, as set out in Title II; b. assess if the supervisory conditions for outsourcing set out in Section 12.1 are met; c. identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; d. undertake appropriate due diligence on the prospective service provider in accordance with Section 12.3; e. identify and assess conflicts of interest that the outsourcing may cause in line with Section 8.", "62. 
Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in the same or another Member State takes place only if one of the following conditions is met: a. the service provider is authorised or registered by a competent authority to perform such banking activities or payment services; or b. the service provider is otherwise allowed to carry out those banking activities or payment services in accordance with the relevant national legal framework.", "63. Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: a. the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a ‘supervisory authority’); b. there is an appropriate cooperation agreement, e.g. in the form of a memorandum of understanding or college agreement, between the competent authorities responsible for the supervision of the institution and the supervisory authorities responsible for the supervision of the service provider; and c. the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: i. obtain, upon request, the information necessary to carry out their supervisory tasks pursuant to Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; ii. 
obtain appropriate access to any data, documents, premises or personnel in the third country that are relevant for the performance of their supervisory powers; iii. receive, as soon as possible, information from the supervisory authority in the third country for investigating apparent breaches of the requirements of Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; and iv. cooperate with the relevant supervisory authorities in the third country on enforcement in the case of a breach of the applicable regulatory requirements and national law in the Member State. Cooperation should include, but not necessarily be limited to, receiving information on potential breaches of the applicable regulatory requirements from the supervisory authorities in the third country as soon as is practicable." ] } ], "title": "Title IV – Outsourcing process 1" }, { "name": "Title IV – Outsourcing process2", "elements": [ { "type": "matrixdropdown", "name": "Pre_outsourcing_analysis2", "title": "Risk assessment of outsourcing arrangements", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "64. 
Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements.", "65. The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis.", "66. Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: a. concentration risks, including from: i. outsourcing to a dominant service provider that is not easily substitutable; and ii. multiple outsourcing arrangements with the same service provider or closely connected service providers; b. 
the aggregated risks resulting from outsourcing several functions across the institution or payment institution and, in the case of groups of institutions or institutional protection schemes, the aggregated risks on a consolidated basis or on the basis of the institutional protection scheme; c. in the case of significant institutions, the step-in risk, i.e. the risk that may result from the need to provide financial support to a service provider in distress or to take over its business operations; and d. the measures implemented by the institution or payment institution and by the service provider to manage and mitigate the risks.", "67. Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should take into account: a. the risks associated with sub-outsourcing, including the additional risks that may arise if the sub-contractor is located in a third country or a different country from the service provider; b. the risk that long and complex chains of sub-outsourcing reduce the ability of institutions or payment institutions to oversee the outsourced critical or important function and the ability of competent authorities to effectively supervise them.", "68. When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider’s performance, institutions and payment institutions should, at least: a. identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; b. 
conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; c. consider the consequences of where the service provider is located (within or outside the EU); d. consider the political stability and security situation of the jurisdictions in question, including: i. the laws in force, including laws on data protection; ii. the law enforcement provisions in place; and iii. the insolvency law provisions that would apply in the event of a service provider’s failure and any constraints that would arise in respect of the urgent recovery of the institution’s or payment institution’s data in particular; e. define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; f. consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2." 
] } ], "title": "Title IV – Outsourcing process 2" }, { "name": "Title IV – Outsourcing process3", "elements": [ { "type": "matrixdropdown", "name": "Pre_outsourcing_analysis3", "title": "Due diligence", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "69. Before entering into an outsourcing arrangement and considering the operational risks related to the function to be outsourced, institutions and payment institutions should ensure in their selection and assessment process that the service provider is suitable.", "70. With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract.", "71. Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: a. 
its business model, nature, scale, complexity, financial situation, ownership and group structure; b. the long-term relationships with service providers that have already been assessed and perform services for the institution or payment institution; c. whether the service provider is a parent undertaking or subsidiary of the institution or payment institution, is part of the accounting scope of consolidation of the institution or is a member of or is owned by institutions that are members of the same institutional protection scheme to which the institution belongs; d. whether or not the service provider is supervised by competent authorities.", "72. Where outsourcing involves the processing of personal or confidential data, institutions and payment institutions should be satisfied that the service provider implements appropriate technical and organisational measures to protect the data.", "73. Institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, institutions and payment institutions should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour." 
] } ], "title": "Title IV – Outsourcing process 3" }, { "name": "Title IV – Outsourcing process4", "elements": [ { "type": "matrixdropdown", "name": "Contractual_phase", "title": "Contractual phase", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "74. The rights and obligations of the institution, the payment institution and the service provider should be clearly allocated and set out in a written agreement.", "75. The outsourcing agreement for critical or important functions should set out at least: a. a clear description of the outsourced function to be provided; b. the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; c. the governing law of the agreement; d. the parties’ financial obligations; e. whether the sub-outsourcing of a critical or important function, or material parts thereof, is permitted and, if so, the conditions specified in Section 13.1 that the sub-outsourcing is subject to; f. the location(s) (i.e. 
regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s); g. where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data, as specified in Section 13.2; h. the right of the institution or payment institution to monitor the service provider’s performance on an ongoing basis; i. the agreed service levels, which should include precise quantitative and qualitative performance targets for the outsourced function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met; j. the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider’s ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider;", "75. k. whether the service provider should take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested; l. the requirements to implement and test business contingency plans; m. provisions that ensure that the data that are owned by the institution or payment institution can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the service provider; n. 
the obligation of the service provider to cooperate with the competent authorities and resolution authorities of the institution or payment institution, including other persons appointed by them; o. for institutions, a clear reference to the national resolution authority’s powers, especially to Articles 68 and 71 of Directive 2014/59/EU (BRRD), and in particular a description of the ‘substantive obligations’ of the contract in the sense of Article 68 of that Directive; p. the unrestricted right of institutions, payment institutions and competent authorities to inspect and audit the service provider with regard to, in particular, the critical or important outsourced function, as specified in Section 13.3; q. termination rights, as specified in Section 13.4." ] } ], "title": "Title IV – Outsourcing process 4" }, { "name": "Title IV – Outsourcing process5", "elements": [ { "type": "matrixdropdown", "name": "Contractual_phase2", "title": "Sub-outsourcing of critical or important functions", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "76. The outsourcing agreement should specify whether or not sub-outsourcing of critical or important functions, or material parts thereof, is permitted.", "77. 
If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register.", "78. If sub-outsourcing of critical or important functions is permitted, the written agreement should: a. specify any types of activities that are excluded from sub-outsourcing; b. specify the conditions to be complied with in the case of sub-outsourcing; c. specify that the service provider is obliged to oversee those services that it has sub-contracted to ensure that all contractual obligations between the service provider and the institution or payment institution are continuously met; d. require the service provider to obtain prior specific or general written authorisation from the institution or payment institution before sub-outsourcing data; e. include an obligation of the service provider to inform the institution or payment institution of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of sub-contractors and to the notification period; in particular, the notification period to be set should allow the outsourcing institution or payment institution at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect; f. ensure, where appropriate, that the institution or payment institution has the right to object to intended sub-outsourcing, or material changes thereof, or that explicit approval is required; g. ensure that the institution or payment institution has the contractual right to terminate the agreement in the case of undue sub-outsourcing, e.g. 
where the sub-outsourcing materially increases the risks for the institution or payment institution or where the service provider sub-outsources without notifying the institution or payment institution.\"", "79. Institutions and payment institutions should agree to sub-outsourcing only if the sub-contractor undertakes to: a. comply with all applicable laws, regulatory requirements and contractual obligations; and b. grant the institution, payment institution and competent authority the same contractual rights of access and audit as those granted by the service provider.", "80. Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in paragraph 79 would not be met, the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract." 
] } ], "title": "Title IV – Outsourcing process 5" }, { "name": "Title IV – Outsourcing process6", "elements": [ { "type": "matrixdropdown", "name": "Contractual_phase3", "title": "Security of data and systems", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "81. Institutions and payment institutions should ensure that service providers, where relevant, comply with appropriate IT security standards.", "82. Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis.", "83. In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations.", "84. 
Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients’ information, where applicable, are observed)." ] } ], "title": "Title IV – Outsourcing process 6" }, { "name": "Title IV – Outsourcing process7", "elements": [ { "type": "matrixdropdown", "name": "Contractual_phase4", "title": "Access, information and audit rights", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "85. 
Institutions and payment institutions should ensure within the written outsourcing arrangement that the internal audit function is able to review the outsourced function using a risk-based approach.", "86. Regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries.", "87. With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: a. full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider’s external auditors (‘access and information rights’); and b. unrestricted rights of inspection and auditing related to the outsourcing arrangement (‘audit rights’), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements.\"", "88. 
For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time.", "89. Institutions and payment institutions should ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, competent authorities or third parties appointed by them to exercise these rights.", "90. Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards.", "91. Without prejudice to their final responsibility regarding outsourcing arrangements, institutions and payment institutions may use: a. pooled audits organised jointly with other clients of the same service provider, and performed by them and these clients or by a third party appointed by them, to use audit resources more efficiently and to decrease the organisational burden on both the clients and the service provider; b. third-party certifications and third-party or internal audit reports, made available by the service provider.", "92. For the outsourcing of critical or important functions, institutions and payment institutions should assess whether third-party certifications and reports as referred to in paragraph 91(b) are adequate and sufficient to comply with their regulatory obligations and should not rely solely on these reports over time.", "93. 
Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: a. are satisfied with the audit plan for the outsourced function; b. ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; c. thoroughly assess the content of the certifications or audit reports on an ongoing basis and verify that the reports or certifications are not obsolete; d. ensure that key systems and controls are covered in future versions of the certification or audit report; e. are satisfied with the aptitude of the certifying or auditing party (e.g. with regard to rotation of the certifying or auditing company, qualifications, expertise, re-performance/verification of the evidence in the underlying audit file); f. are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; g. have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and h. retain the contractual right to perform individual audits at their discretion with regard to the outsourcing of critical or important functions.", "94. 
In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title I, payment institutions should also have internal ICT control mechanisms, including ICT security control and mitigation measures.", "95. Before a planned on-site visit, institutions, payment institutions, competent authorities and auditors or third parties acting on behalf of the institution, payment institution or competent authorities should provide reasonable notice to the service provider, unless this is not possible due to an emergency or crisis situation or would lead to a situation where the audit would no longer be effective.", "96. When performing audits in multi-client environments, care should be taken to ensure that risks to another client’s environment (e.g. impact on service levels, availability of data, confidentiality aspects) are avoided or mitigated.", "97. Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the institution or payment institution should verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the institution or payment institution reviewing third-party certifications or audits carried out by service providers." 
] } ], "title": "Title IV – Outsourcing process 7" }, { "name": "Title IV – Outsourcing process8", "elements": [ { "type": "matrixdropdown", "name": "Contractual_phase5", "title": "Termination rights", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "98. The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: a. where the provider of the outsourced functions is in a breach of applicable law, regulations or contractual provisions; b. where impediments capable of altering the performance of the outsourced function are identified; c. where there are material changes affecting the outsourcing arrangement or the service provider (e.g. sub-outsourcing or changes of sub-contractors); d. where there are weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and e. where instructions are given by the institution’s or payment institution’s competent authority, e.g. 
in the case that the competent authority is, caused by the outsourcing arrangement, no longer in a position to effectively supervise the institution or payment institution.", "99. The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: a. clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the institution or payment institution, including the treatment of data; b. set an appropriate transition period, during which the service provider, after the termination of the outsourcing arrangement, would continue to provide the outsourced function to reduce the risk of disruptions; and c. include an obligation of the service provider to support the institution or payment institution in the orderly transfer of the function in the event of the termination of the outsourcing agreement." 
] } ], "title": "Title IV – Outsourcing process 8" }, { "name": "Title IV – Outsourcing process9", "elements": [ { "type": "matrixdropdown", "name": "Oversight_of_outsourced_functions", "title": "Oversight of outsourced functions", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "100. Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4.", "101. Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements.", "102. 
Institutions should regularly update their risk assessment in accordance with Section 12.2 and should periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions.", "103. Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines.", "104. Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: a. ensuring that they receive appropriate reports from service providers; b. evaluating the performance of service providers using tools such as key performance indicators, key control indicators, service delivery reports, self-certification and independent reviews; and c. reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing.", "105. Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary." 
] } ], "title": "Title IV – Outsourcing process 9" }, { "name": "Title IV – Outsourcing process10", "elements": [ { "type": "matrixdropdown", "name": "spørsmål2", "title": "Oversight of outsourced functions", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "106. Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: a. the termination of outsourcing arrangements; b. the failure of the service provider; c. the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function; d. material risks arising for the appropriate and continuous application of the function.", "107. Institutions and payment institutions should ensure that they are able to exit outsourcing arrangements without undue disruption to their business activities, without limiting their compliance with regulatory requirements and without any detriment to the continuity and quality of its provision of services to clients. 
To achieve this, they should: a. develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and b. identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase.\"", "108. When developing exit strategies, institutions and payment institutions should: a. define the objectives of the exit strategy; b. perform a business impact analysis that is commensurate with the risk of the outsourced processes, services or activities, with the aim of identifying what human and financial resources would be required to implement the exit plan and how much time it would take; c. assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities; d. define success criteria for the transition of outsourced functions and data; and e. define the indicators to be used for the monitoring of the outsourcing arrangement (as outlined under Section 14), including indicators based on unacceptable service levels that should trigger the exit." 
] } ], "title": "Title IV – Outsourcing process 10" }, { "name": "Title V – Guidelines on outsourcing addressed to competent authorities", "elements": [ { "type": "matrixdropdown", "name": "Title_V_Guidelines_on_outsourcing_addressed_to_competent_authorities", "title": "Title V – Guidelines on outsourcing addressed to competent authorities", "columns": [ { "name": "Etablering", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Etterlevelse", "cellType": "radiogroup", "colCount": 1, "isRequired": true, "choices": [ { "value": "1", "text": "Vesentlige svakheter" }, { "value": "2", "text": "Må forbedres" }, { "value": "3", "text": "Bør forbedres" }, { "value": "4", "text": "Tilstrekkelig" }, { "value": "5", "text": "Svært god" }, { "value": "6", "text": "Ikke aktuelt" } ] }, { "name": "Innspill", "cellType": "comment" } ], "choices": [ 1, 2, 3, 4, 5 ], "rows": [ "109. When establishing appropriate methods to monitor institutions’ and payment institutions’ compliance with the conditions for initial authorisation, competent authorities should aim to identify if outsourcing arrangements amount to a material change to the conditions and obligations of institutions’ and payment institutions’ initial authorisation.", "110. Competent authorities should be satisfied that they can effectively supervise institutions and payment institutions, including that institutions or payment institutions have ensured within their outsourcing arrangement that service providers are obliged to grant audit and access rights to the competent authority and the institution, in line with Section 13.3.", "111. 
The analysis of institutions’ outsourcing risks should be performed at least within the SREP or, with regard to payment institutions, as part of other supervisory processes, including ad-hoc requests, or during on-site inspections.", "112. Further to the information recorded within the register, as referred to in Section 11, competent authorities may ask institutions and payment institutions for additional information, in particular for critical or important outsourcing arrangements, such as: a. the detailed risk analysis; b. whether the service provider has a business continuity plan that is suitable for the services provided to the outsourcing institution or payment institution; c. the exit strategy for use if the outsourcing arrangement is terminated by either party or if there is disruption to the provision of the services; and d. the resources and measures in place to adequately monitor the outsourced activities.\"", "113. In addition to the information required under Section 11, competent authorities may require institutions and payment institutions to provide detailed information on any outsourcing arrangement, even if the function concerned is not considered critical or important.", "114. Competent authorities should assess the following on a risk-based approach: a. whether institutions and payment institutions monitor and manage appropriately, in particular, critical or important outsourcing arrangements; b. whether institutions and payment institutions have sufficient resources in place to monitor and manage outsourcing arrangements; c. whether institutions and payment institutions identify and manage all relevant risks; and d. whether institutions and payment institutions identify, assess and appropriately manage conflicts of interest with regard to outsourcing arrangements, e.g. in the case of intragroup outsourcing or outsourcing within the same institutional protection scheme.", "115. 
Competent authorities should ensure that EU/EEA institutions and payment institutions are not operating as an ‘empty shell’, including situations where institutions use back-to-back transactions or intragroup transactions to transfer part of the market risk and credit risk to a non-EU/EEA entity, and should ensure that they have appropriate governance and risk management arrangements in place to identify and manage their risks.", "116. Within their assessment, competent authorities should take into account all risks, in particular: a. the operational risks posed by the outsourcing arrangement; b. reputational risks; c. the step-in risk that could require the institution to bail out a service provider, in the case of significant institutions; d. concentration risks within the institution, including on a consolidated basis, caused by multiple outsourcing arrangements with a single service provider or closely connected service providers or multiple outsourcing arrangements within the same business area; e. concentration risks at the sector level, e.g. where multiple institutions or payment institutions make use of a single service provider or a small group of service providers; f. the extent to which the outsourcing institution or payment institution controls the service provider or has the ability to influence its actions, the reduction of risks that may result from a higher level of control and if the service provider is included in the consolidated supervision of the group; and g. conflicts of interest between the institution and the service provider.", "117. 
Where concentration risks are identified, competent authorities should monitor the development of such risks and evaluate both their potential impact on other institutions and payment institutions and the stability of the financial market; competent authorities should inform, where appropriate, the resolution authority about new potentially critical functions that have been identified during this assessment.", "118. Where concerns are identified that lead to the conclusion that an institution or payment institution no longer has robust governance arrangements in place or does not comply with regulatory requirements, competent authorities should take appropriate actions, which may include limiting or restricting the scope of the outsourced functions or requiring exit from one or more outsourcing arrangements. In particular, taking into account the need of the institution or payment institution to operate on a continuous basis, the cancellation of contracts could be required if the supervision and enforcement of regulatory requirements cannot be ensured by other measures.", "119. Competent authorities should be satisfied that they are able to perform effective supervision, in particular when institutions and payment institutions outsource critical or important functions that are undertaken outside the EU/EEA." ] } ], "title": "Title V – Guidelines on outsourcing addressed to competent authorities" } ], "showQuestionNumbers": "off" }