Outsourcing opportunities and challenges
Over the past decade, technological developments have not only changed customers’ expectations with respect to banking services, they have also changed the way banks deliver those services and how they operate. The advent of cloud computing in particular has had a significant impact on how banks structure their business and what they consider should still be done in-house and what should be outsourced to external service providers.
These developments provide banks with an as yet unknown range of business opportunities and easy access to fields of service and expertise outside the regular banking realm. With these opportunities, however, comes the challenge of managing the associated risks; risks to which European banking authorities naturally pay close attention. In early 2017, for instance, the European Banking Authority (EBA) issued recommendations on outsourcing to cloud service providers, and ECB Banking Supervision has conducted a thematic review to take stock of banks’ outsourced activities and how they are managing the associated risks (including IT risks). The ECB is also carefully monitoring the situation to ensure that outsourcing arrangements do not result in euro area banks becoming letterbox firms or empty shells or create obstacles to effective supervision in the Brexit context.
These fast-moving technological advances affect the banking sector worldwide. They are, however, addressed very differently within the different legal frameworks, even in countries within the euro area. Indeed, the Capital Requirements Directive (CRD) and Capital Requirements Regulation (CRR) do not include a binding framework for outsourcing. The last guidelines on outsourcing, produced by the Committee of European Banking Supervisors (CEBS), date back to 2006 and – being principle-based – leave considerable leeway for Member States regarding their implementation. This means that a common European supervisory approach has not yet developed.
Most euro area countries have by now translated the CEBS Guidelines into national approaches in one form or another. However, these approaches vary widely in what they require and when. At one end of the spectrum are frameworks that, in addition to setting out supervisory expectations, require ex-ante supervisory approval for the outsourcing of what are commonly referred to as “material” activities. These frameworks envisage advance information for, and the involvement of, the supervisory authority and in some countries also envisage challenging deadlines for both the bank and the supervisor. At the other end of the spectrum are euro area countries that rely on a less formal approach, providing only the supervisory expectations on how to manage outsourcing and the associated risks. These countries mostly incorporate reviews of outsourcing arrangements ex-post, e.g. through their on-site inspection cycles.
A comparison with supervisors outside the euro area also adds to the impression that there is only one common binding element in supervisors’ approaches to outsourcing: all countries assessed, including Australia, Canada, Malaysia, Switzerland, the UK and the US, provide banks with their expectations regarding the management of outsourced activities. In none of these countries, except for the UK, is it mandatory for banks to provide the supervisor with ex-ante information on planned outsourcing. Instead, countries apply different tools, for example the use of regular supervisory assessments of their overall risk management, including that of outsourcing risk, or ex-post on-site inspections of certain outsourced services.
In this diverse landscape ECB Banking Supervision will formulate and ultimately implement its own supervisory approach for all euro area countries, in parallel with the existing national laws that supervisors are required to apply. At this stage, and in close cooperation with the EBA, the ECB intends to complete the work on the thematic review on outsourcing with an ECB guide applicable to significant institutions. A consultation on a draft guide will be conducted in the course of 2018, in alignment with the expectations set by the EBA. Based on best practices identified in the banks, this guide will present supervisory expectations in terms of outsourcing arrangements, risk management, governance and monitoring, and will address the procedures followed and engagement with the supervisor. Overall, the guide will clarify and operationalise expectations with respect to banks’ management of outsourcing, thereby harmonising standards for significant institutions.