CONSULTATION PAPER ON HIGH LEVEL PRINCIPLES ON OUTSOURCING COVER NOTE

Transcription

1 CEBS CP 02 April 2004 COMMITTEE OF EUROPEAN BANKING SUPERVISORS CONSULTATION PAPER ON HIGH LEVEL PRINCIPLES ON OUTSOURCING COVER NOTE Introduction 1. European banking supervisors began work in 2002 on developing high level principles (HLPs) that could be used to help converge supervisory approaches and practices in relation to outsourcing. It was agreed that the starting point for any set of principles should be based on widespread current practices and the common policy elements that have been elaborated to date in various Member States. 2. The Committee of European Banking Supervisors (CEBS) is now in a position to share its thinking with the industry. 1 This work is also timely as other committees, at the EU and global level, are also planning work in this field. CEBS is keen to promote these principles and to build on the work that has already been done. But more importantly CEBS wishes to be ambitious and to promote convergence across the financial services sectors and to aim for an international regulatory definition of outsourcing and commonly accepted principles. Overview 3. In large part these principles are addressed to institutions. They set out in broad terms what supervisory authorities should expect from institutions themselves, from a prudential point of view (HLPs I VIII), and also from the supervisory authorities (HLPs IX XI). Moreover, they could be used as guideline for respective legislative and other measures. 4. Respondents may want to note that CEBS has considered the issue of "materiality" and "pre-notification" of outsourcing. In particular, supervisors will want pre-notification of all material proposals for outsourcing so that they can analyse them from the standpoint of their impact on institutions' systems and controls and/or their effect on the risk profile of the institution. On the other hand, supervisors may not want to be pre-notified of non-material outsourcing, although institutions will still be obliged to ensure that they remain within the policy guidelines set by their supervisors. 5. CEBS is proposing a three-tier classification of activities: - Strategic or core activities which cannot be outsourced (HLP I); - Non-strategic but material activities, which should be pre-notified to the supervisory authority (see HLP III); and - Non-strategic and non-material activities, which do not have to be prenotified but for which the institution must remain responsible for ensuring any supervisory guidelines are still met (see HLP IV). 1 This convergence objective is in line with tasks set out by the European Commission in its Decision to establish CEBS, see 1 / 10

2 Further work 6. While this set of principles is fairly self-contained, CEBS acknowledges from the outset that there is scope to develop these principles further. In particular further work may be needed in developing more guidance on what (i) may be regarded as strategic or core activities and (ii) on the concept of a materiality test (see Principle IV) (e.g. some jurisdictions operate a scoring system to assess materiality). 7. Moreover, as part of CEBS' work on supervisory convergence, it intends to address further principles on supervisors own activities (Part 2 of the Principles), for example: The paper s primary focus is on financial institutions own risk management in the area of outsourcing and is lighter on supervisory measures. For example, under the draft principles, it is in principle the institution that, subject to certain conditions, decides whether it enters into or continues an outsourcing arrangement on the basis of the risk analysis prior to outsourcing and the monitoring post outsourcing. The paper does not address the circumstances in which the supervisor might intervene when, for instance, an outsourcing arrangement goes wrong or there are indications that the arrangement may go wrong after the arrangement is already in place. It may also be useful to add another key principle to cover the supervisory assessment of compliance with the principles. Consultation process 8. CEBS now welcomes comments from interested parties on these principles. Respondents may also wish to flag other areas where additional analysis or future work could prove useful. 9. The consultation process will be conducted on basis of CEBS draft Public Statement on Consultation Practices, which has been released for public consultation yesterday. It should be noted that this is CEBS' first consultation exercise on a specific convergence issue. As such industry practitioners and other interested parties should also regard the consultation process itself as a learning experience. CEBS intends to draw lessons from this exercise as it develops its open and transparent relations with the industry and others. 10. Please send your comments to CEBS, by (CP02@c-ebs.org), by 31 July CEBS will make all comments available on its website (except where respondents specifically request that their comments remain confidential). Annex: CEBS Consultation Paper: High Level Principles on Outsourcing 2 / 10

3 Annex CEBS CONSULTATION PAPER HIGH LEVEL PRINCIPLES ON OUTSOURCING Introduction A number of European countries have, for some years, had in place formal outsourcing regimes. In order to assist European banking supervisors to converge their national policies and practices, they agree to adopt the following high level principles. These are based on a range of current practices and the common elements of policy that have been elaborated to date in various Member States. Part 1: Definitions It is acknowledged from the outset that there are a number of definitions of what constitutes outsourcing. For the purposes of these principles outsourcing is defined as follows: Outsourcing is the supply to an authorised institution by another entity (either intra-group or independent third party) of goods, service or facilities on a structural basis (i.e. the contractual supply of goods, service or facilities that form part of the business processes and which are necessary to support the provision of banking or other financial services). The supplier may itself be an authorised or unauthorised entity. This definition does not cover purchasing contracts, although as with outsourcing, firms should ensure that what they are buying is fit for purpose. Purchasing is defined, inter alia, as the supply of services, goods or facilities without information about or belonging to the purchasing institution coming within the control of the supplier; or of standardized products, such as market information or office inventory. In this context the supplier of goods, services or facilities is referred to as the outsourcing service provider, which may or may not be an authorised entity. The buyer of such goods, services or facilities is referred to as the outsourcing institution, and is for the purposes of these principles an authorised entity (e.g. a credit institution). Part 2: High level principles on outsourcing addressed to institutions I. Strategic and core management responsibility and functions cannot be outsourced. The outsourcing of core management functions is considered generally to be incompatible with the managers' obligation to run the enterprise under their 3 / 10

4 own responsibility. Hence core management functions such as strategic oversight, risk management and strategic control should not be outsourced. Outsourcing shall not affect managers' full and unrestricted responsibilities under the applicable law (e.g. under banking law). II. The ultimate responsibility for proper management of the risks associated with outsourcing lies with an outsourcing institution s senior executive management. All outsourcing regimes should ensure that the outsourcing of functions to an outsourcing service provider does not impair the supervision of an outsourcing institution. Responsibility for outsourced functions must always be retained by the outsourcing institution. The outsourcing of functions does not relieve an outsourcing institution of its regulatory responsibilities for its authorised activities or the function concerned. Outsourcing institutions should be encouraged to retain adequate core competence at a senior operational level to enable them to have the capability to resume direct control over an outsourced activity, in extremis. Exceptions for certain types of intra-group outsourcing may be allowed, provided the outsourcing institution can demonstrate that it can manage the risk (e.g. in connection with general instructions and decisions relating to central risk management) and where the outsourcing institution is a member of a group that is subject to supervision on a consolidated basis. (In the case of banking, such group-wide risk management refers to non-core functions and cannot result in elimination or limitation of risk management function on a solo basis in an outsourcing institution. In the case of outsourcing of non-core functions, domestic supervisory authorities, i.e. the host country, should also be involved in the decision to allow outsourcing, when needed.) Where such exceptions apply, and especially where the group covers more than one jurisdiction, the relevant regulations, documents, and other information on how the parent group manages the risk should be made available to the outsourcing institution. The outsourcing institution should also be able adequately to demonstrate to its own direct supervisory authority that it is compliant with risk management regulations. The supervisory authority should also be satisfied that it has adequate access to the outsourcing service provider. 4 / 10

5 III. An outsourcing institution should take particular care when outsourcing material activities, i.e. activities of such importance that any weakness or failure in the provision of these activities could have a significant affect on its ability to meet its regulatory responsibilities and/or to continue in business. In such cases the outsourcing institution should pre-notify its supervisory authority. In principle, any area of activity of an outsourcing institution other than those identified in Principles I and II may be outsourced provided that such outsourcing does not impair: the orderliness of the outsourcing institution s business being conducted or the financial services provided; the senior executive management's ability to manage and monitor the business and its authorised activities; and the supervisory authority's right to require an audit of the business or its ability to supervise the business. An institution may not outsource services and activities that are covered by the institution's authorisation unless the outsourcing service provider either (i) has an authorisation that is comparable to the authorisation of the outsourcing institution; or (ii) is acting as agent of the outsourcing institution. An outsourcing institution should conduct its business in a controlled and sound manner at all times. These requirements do not affect the principle of managers' sole responsibility (Principle I) for all authorised activities. The managers of the outsourcing institution shall be fully responsible to the supervisory authority for any outsourced area. The managers should therefore take suitable measures to ensure that the outsourced areas continue to meet the performance and quality standards that would apply if their own institution were to perform the relevant activities in-house. An outsourcing institution should inform (by prior notification and/or regular report) its supervisory authority on any important activity to be outsourced, in order for the supervisor to evaluate the proposal. Outsourcing institutions should be aware that the supervisory authority may distinguish between important and less important activities, and may impose certain conditions on institutions that outsource important activities. These conditions may be determined by factors such as the size of the institution, or the nature of the outsourcing service provider. The supervisory authority may also wish to prevent potential conflicts of interest (e.g. the supervisory authority may wish to prohibit the outsourcing of the financial accounting and the preparation of the annual accounts to the outsourcing institution s external auditor, or to the office with which the external auditor is connected). Subject to the principles that apply to cross-border outsourcing (expressed under Principle IX) no special rules are needed in relation to the geographical location of an outsourcing service provider. However, due to possible data protection risks, institutions should be encouraged to take special care when 5 / 10

6 entering into and managing outsourcing agreements that are undertaken outside the EEA. IV. There should be no restrictions on the outsourcing of non-material activities of an outsourcing institution. No requirements or conditions should be imposed on institutions that wish to outsource non-core activities that have little or no implications for internal control or key authorised functions. In such cases the outsourcing institution does not need to inform its supervisory authority. Nevertheless, outsourcing institutions should ensure adequate risk management at all times irrespective of the type of outsourced activity. In line with Principle III, the managers of the outsourcing institution should be fully responsible for any outsourced area. Areas which could be regarded as non-core include: Areas which do not potentially constitute relevant risks and which, if outsourced, would not lead to an impairment of the orderliness of the business, or of the managers' ability to manage and monitor it, or of the supervisory authority's right to audit and ability to oversee it. Purely advisory services used by the institution. For example, this applies to legal and tax consulting, even where this is not limited to individual aspects or projects. V. The Outsourcing institution should have a policy on its approach to outsourcing, including contingency plans and exit strategies. Outsourcing institutions should have a general policy that covers all aspects of outsourcing, including non-core outsourcing. It should also cover intra-group and external outsourcing. When drawing up this policy the outsourcing institutions should take into consideration that no form of outsourcing is entirely risk free. The policy should also recognise that the management of non-core and intra-group outsourcing should be proportionate to the risks presented by these arrangements. This policy should explicitly take account of the potential effects of outsourcing on certain significant functions (e.g. the internal audit function, the compliance function and the risk management function) when conducting the risk analysis prior to outsourcing. The policy should ensure that the outsourcing service provider's performance is appropriately monitored and assessed by the outsourcing institution's 6 / 10

7 management so that any necessary corrective measures can be taken immediately. The outsourcing institution should specify an internal unit or individual that is responsible for supervising and managing each outsourcing measure. This policy should also reflect the main phases that make up the life cycle of an institution s outsourcing arrangements: The decision to outsource or change an existing outsourcing arrangement (the decision making phase). Due diligence checks on the outsourcing service provider. Drafting a written outsourcing contract and service level agreement (the contract drafting phase). The implementation, monitoring, and maintenance of an outsourcing arrangement (the contractual phase). Dealing with the expected or unexpected termination of a contract and other service interruptions (the post-contractual phase). In particular, outsourcing institutions should plan and implement arrangements to maintain the continuity of their business in the event that the provision of services by an outsourcing service provider fails or deteriorates to an unacceptable degree, or the firm experiences other changes. This policy should also include some form of contingency planning and the establishment of a clearly defined exit strategy, evaluated against the costs and benefits of such planning. VI. An outsourcing institution s policies should require it to manage the risks associated with its outsourcing arrangements. Compliance with this principle should include an assessment of the operational risks associated with outsourcing. Outsourcing institutions should bring all serious problems with an outsourcing service provider to the supervisory authority s attention. VII. All outsourcing arrangements should be subject to a formal and comprehensive contract. As mentioned under Principle V, any outsourcing solution should be based on a clear written contract. Outsourcing institutions should make sure that the written contract takes account of the following (bearing in mind other specific national rules and legislation): 7 / 10

8 The operational area that is to be outsourced should be clearly defined. The precise requirements concerning the service performance should be specified and documented, taking account of the objective of the outsourcing solution. The outsourcing service provider's ability to meet performance requirements in both quantitative and qualitative terms should be assessable in advance. The respective responsibilities and competencies of the outsourcing institution and the outsourcing service provider should be precisely defined and distinguished. In order to underpin an effective policy for managing and monitoring the outsourced areas, the contract should include a termination and exit management clause, where proportionate and if deemed necessary, which allows the activities being provided by the outsourcing service provider to be transferred to another outsourcing service provider or to be reincorporated into the outsourcing institution. The contract should ensure that the outsourcing service provider's performance is continuously monitored and assessed so that any necessary corrective measures can be taken immediately. The contract should consider granting the outsourcing institution's internal auditing department and its external auditors full and unrestricted rights of inspection and auditing at all times. In the case of outsourcing within a group, the outsourcing institution needs to ensure that it is able to give effective rights of access to information to the supervisory authority (see Principle IX). This may require obtaining consents from affected parties such as the parent company and relevant home supervisory authorities). When drafting the contract the outsourcing institution should bear in mind that the level of monitoring, assessment, inspection and auditing required by the contract should be proportionate to the risks involved and the size and complexity of the outsourced activity. VIII. In managing its relationship with an outsourcing service provider an outsourcing institution should ensure that a service level agreement (SLA) is put in place. A service level agreement should normally contain a mixture of quantitative and qualitative performance targets, to enable an outsourcing institution to assess the adequacy of service provision. An outsourcing institution should also consider the need to evaluate the performance of its outsourcing service provider using mechanisms such as 8 / 10

9 service delivery reports, self-certification or independent review by the outsourcing institution s or the outsourcing service provider's internal and or external auditors. An outsourcing institution should be prepared to take remedial action if the outsourcing service provider's performance is inadequate. Part 3: Other supervisory principles on outsourcing IX. Supervisory authorities should aim to establish a right to information, and to conduct, or order, on-site inspections in an outsourcing service provider s premises. 2 Supervisory authorities should aim to be satisfied that outsourcing institutions ensure that their outsourcing contracts with outsourcing service providers grant the supervisory authority the rights to information, inspection, admittance and access (including access to databases) as well as the instruction and monitoring rights which the supervisory authority needs to exercise its surveillance functions. Supervisory authorities should also encourage outsourcing institutions to ensure that information may also be made available to the supervisory authority by the outsourcing service provider's external auditor. Supervisory authorities should aim to ensure that their ability to order or instruct the outsourcing institution can be reliably enforced, directly and irrespective of any conflicting instruction rights, so as to ensure the orderly performance of the outsourced activities and functions. The supervisory authorities should aim to ensure that they maintain control and can obtain detailed information about any outsourcing processes which might undermine the stability of the consolidated group whose overall supervision is, ultimately, their responsibility In the case of outsourcing to service providers abroad, the outsourcing institution should be responsible for ensuring that the supervisory authority can exercise its information rights, including its right to demand documents, and its auditing rights. 2 At present most supervisors do not have such legal rights, and must resort to other more indirect methods to ensure that information is forthcoming. It is suggested that these HLPs encourage supervisors to have the same powers including on-site inspections regardless of the type of outsource provider chosen by the outsourcing institution (e.g. whether this is internal or a third party). Some regimes rely on the supervisory authority to require the outsourcing institution to include relevant access rights in the outsourcing agreement. Directly imposing the obligations on the outsourcing service providers would require an expansion of such regimes. It may be useful to establish this principle as a legal power. 9 / 10

10 The supervisory authority should be able to cancel the outsourcing measure if the outsourcing institution cannot ensure the exercise or enforcement of the rights of supervisors (as mentioned in this principle). The outsourcing institution may prior to outsourcing consider in consultation with the supervisory authority what alternative measures could adequately mitigate the risks involved. If this is considered appropriate, and there are clear safeguards, the supervisory authority may grant a dispensation from the requirement in the previous paragraph. X. Supervisory authorities should take account of concentration risk, where one outsourcing service provider provides outsourcing services to several authorised outsourcing institutions. 3 Supervisory authorities should be aware of any concentration risks and manage and monitor these risks at a systemic level. XI. Supervisory authorities should take account of the risks associated with chain outsourcing (whereby the outsourcing service provider subcontracts elements of the service to other providers). The sub-outsourcing of outsourced activities and functions to third parties (sub-contractors) should be treated by the outsourcing institution like a primary outsourcing measure. The supervisory authority should encourage the outsourcing institution to agree to this only if the sub-contractor will also fully comply with the obligations existing between the outsourcing institution and the outsourcing service provider, including obligations incurred in favour of the supervisory authority. Compliance with these conditions should be ensured contractually, for example by a clause in the outsourcing contract requiring the prior consent of the outsourcing institution to the possibility and the modalities of sub-outsourcing. Supervisors should ensure that the outsourcing institution takes appropriate steps to address the risk of any weakness or failure in the provision of the subcontracted activities having a significant effect on the outsourcing service provider's ability to meet its responsibilities under the outsourcing agreement and SLA. Supervisory authorities should encourage the outsourcing institution to ensure that the outsourcing service provider agrees that the contractual terms agreed with the sub-contractor will always conform, or at least not be contradictory, to the provisions of the agreement with the outsourcing institution. 3 There are currently no restrictions on this. 10 / 10