Outsourcing in financial institutions, including cloud outsourcing
Outsourcing is a topical issue irrespective of specific industries. This trend is driven by multiple factors, predominantly potential financial savings, development of technological solutions and the digitalisation trend. Outsourcing to the cloud environment may provide unique opportunities and create space for further innovation across industries.
Outsourcing in regulated entities
For financial institutions, namely banks and insurance companies that are subject to rather strict public regulation in terms of their required financial and operational stability, outsourcing may have significant regulatory consequences and can even be banned in some situations.
If a bank or an insurer concludes any contract with a third party to perform activities that the bank or insurer could perform itself (regardless of whether it is a “core” or a “back office” activity), compliance with outsourcing regulations should be verified.
In our practice, we have already analysed whether the use of a transport company for closed cash deposits, the use of external filing services or the storage of internal data in a cloud falls within the definition of outsourcing and what requirements must be met to implement the plans.
The above examples clearly show that outsourcing regulation applies to situations where we might not expect it.
Impacts of outsourcing regulation
With respect to the prudent management of banks and insurance companies, outsourcing entails a number of obligations that the relevant institution must implement internally. For example, it is required to:
- Comply with outsourcing policy rules;
- Assess risks to eliminate situations in which the related potential risks make the planned outsourcing unlawful;
- Meet the rules for business continuity and exit strategies when outsourcing is terminated; and
- Comply with personal data protection regulations, etc.
Obligations are stipulated not only by local regulations but also by EU law and binding guidelines of the EU regulatory bodies (EBA, EIOPA).
In some cases, the regulator must be notified of an outsourcing plan.
In addition, statutory obligations and binding instructions applicable to outsourcing must be reflected in the contractual documentation with a third party that is intended to perform activities for the relevant bank or insurer externally. The generally used Business Cooperation Agreement is usually entirely insufficient for these purposes.
The Czech National Bank has already published its official guidance for outsourcing to cloud service providers. By issuing the guidance, the CNB has made it clear that it is aware of the innovative solutions, understands them and is ready to intervene should any regulatory obligations be violated.
How can we help you?
As part of our approach to the implementation of outsourcing solutions, we are able to combine legal and regulatory perspectives with our experience in IT, operations architecture, risk assessment, cybersecurity and project management.
Our multidisciplinary approach helps manage risks effectively and ensure compliance as well as an efficient and safe implementation of outsourcing.