Avantage Reply assisted a Private Banking group in the Eurozone with the review of its group outsourcing policy.
In light of changing European and national regulatory requirements that came into force in 2019, our client revised the internal processes and procedures regarding the management and oversight of both intra-group and third-party outsourcing activities.
A key concern of the client was to define a new group policy that considers the existing organization of the bank. This included the roles and responsibilities of the three lines of defense (“3 LoD”) and European and local regulatory requirements.
Our client’s main goal was to define a new group outsourcing policy that would be compliant with the minimum requirements as defined by the EBA (EBA/GL/2019/02) and reflect its internal organization for outsourcing arrangements.
The key challenge for the project was a changing and overlapping set of regulations. To achieve full compliance with the new regulations, our client had to consider both the EBA guidelines, in force from September 2019 but not yet translated into national regulation, and local requirements regarding outsourcing to cloud computing infrastructures. Additionally, being the head office of the group, our client had to consider local organizational constraints in the subsidiaries and how the proportionality principle would apply.
From an operational point of view, the multitude of stakeholders and the fact that not all elements of the outsourcing oversight are specifically tailored to outsourcing contributed to the complexity of the project (e.g. outsourcing risk is also a part of the general operational risk framework of the bank).
Avantage Reply took a three-step approach to identify outstanding regulatory and organizational gaps and to define the group outsourcing policy:
The key deliverable of the project was a complete outsourcing policy, to serve as a key guideline for all outsourcing-related processes and procedures within the group. It covers the main steps of the outsourcing process with references to the respective regulatory texts and practical examples (e.g. a list of functions and activities not classified as outsourcing). It includes:
As a result, our client implemented the newly defined policy and aligned all related procedures to fully comply with the new regulatory requirements.