Outsourcing Policy Update to align with new EBA and local requirements

FOCUS ON: Case studies,

SUMMARY

Avantage Reply assisted a Private Banking group in the Eurozone to review of group Outsourcing policy.

In light of changing European and national regulatory requirements that came into force in 2019, our client revised the internal processes and procedures regarding the management and oversight of both, intra-group and third-party outsourcing activities.

A key concern of the client was to define a new group policy that considers the existing organization of the bank. This included the roles and responsibilities of three lines of defense (“3 LoD”), European and local regulatory requirements.

CUSTOMERS GOALS

Our client’s main goal was to define a new group outsourcing policy that would be compliant with the minimum requirements as defined by the EBA (EBA/GL/2019/02) and reflect its internal organization for outsourcing arrangements.

THE CHALLENGE

The key challenge for the project was a changing and overlapping set of regulations. To achieve full compliance with the new regulations, our client had to consider both, EBA guidelines in force from September 2019 but not yet translated into national regulation and local requirements regarding outsourcing to cloud computing infrastructures. Additionally, being head office of the group, our client had to consider local organizational constrains in the subsidiaries and how the proportionality principle would apply.

From an operational point of view, the multitude of stakeholders and the fact that not all elements of the outsourcing oversight are specifically tailored to outsourcing contributed to the complexity of the project (e.g. outsourcing risk is also a part of the general operational risk framework of the bank).

APPROACH AND SOLUTION

Avantage Reply took a three-step approach to identify outstanding regulatory and organizational gaps and to define the group outsourcing policy:

Conduct interviews with all stakeholders (such as operational departments, risk, compliance and legal) to identify their respective roles and responsibilities within the outsourcing process,
Review all existing documentation (i.e. committee minutes, procedures, outsourcing register, roles and responsibilities),
Draft the group outsourcing policy taking into account the client’s adopted 3 LoD model, management body structure and roles and responsibilities at subsidiaries level.

The key deliverable of the project was a complete outsourcing policy, to serve as a key guideline for all outsourcing-related processes and procedures within the group. It covers the main steps of the outsourcing process with references to the respective regulatory texts and practical examples (e.g. list of functions and activities not classified as an outsourcing). It includes:

outsourcing definition, categorization and obligations vis-à-vis local regulator,
roles and responsibilities of the 3 LoD and the management body,
planning of outsourcing arrangements incl. risk assessment and due diligence process,
contractual phase,
implementation, monitoring and management of outsourcing arrangements,
outsourcing register and oversight,
business continuity plan and exit strategies,

As a result, our client implemented the newly defined policy and aligned all related procedures to fully comply with the new regulatory requirements.

RELATED CONTENTS

Case Study

Implementation of the supervisory stress test

Avantage Reply supported a large European bank with the submission of the 2020 ECB Stress Test exercise. The bank was looking for the assistance in implementing the new stress test methodology, completing all stress test templates, developing the explanatory notes and performing all necessary corrections during the ECB submission period. Avantage Reply supported the client through the 2020 ECB Stress Test as well as the 2021 post-COVID relaunch of the ECB Stress Test exercise. In addition, Avantage Reply carried out all project management activities during this project.

Case Study

Implementing new ILAAP Handbook

The client wished to perform an enhanced gap-analysis of the organisation’s current ILAAP framework against the ECB and EBA guidelines as well as to use this information to design and implement an ILAAP Handbook/Framework document covering all in-scope entities. The final deliverable also included a detailed remediation roadmap, which helped the client and its entities to remediate and align their ILAAP processes across the Group in line with the regulatory and supervisory requirements.