ABN AMRO RESPONSE ON CEBS CONSULTATION PAPER ON HIGH LEVEL PRINCIPLES ON OUTSOURCING


EU LIAISON OFFICE
Regentlaan 53
1000 Brussel
Belgium
Tel: +32 2 546 03 67
Fax: +32 2 546 04 24

I. Introduction

ABN AMRO welcomes the opportunity to comment on CEBS consultation on the High Level Principles (HLPs) on outsourcing. We believe that this initiative to work on further convergence on supervisory practices in relation to outsourcing represents an important step forward to promote the necessary convergence of supervisors' practices at EU level. Outsourcing is becoming a key component of financial institutions' business.

These HLPs on outsourcing should also serve as a basis for any international regulatory definition of outsourcing and commonly accepted principles at global level. International co-operation on practices between supervisors is of the utmost importance to ensure consistency in the supervisory treatment of any EU company operating globally.

II. General Comments

ABN AMRO would like to give the following general comments, before detailing the proposed HLPs set out by CEBS.

2.1 Three-tier classification

CEBS is proposing a three-tier classification of activities:

- strategic or core activities, which cannot be outsourced;
- non-strategic but material activities, which should be pre-notified to the supervisory authority;
- non-strategic and non-material activities, which do not have to be pre-notified but for which the institution must remain responsible for ensuring any supervisory guidelines are still met.

CEBS acknowledges that further work should be done in developing more guidance on (i) what may be regarded as strategic or core activities and (ii) the concept of a materiality test.

ABN AMRO would indeed like to see "strategic/core activities" and materiality better defined and would offer the following comments:

- There should be no reference to a list of specific strategic functions (for instance, it is generally accepted by a number of supervisors that functions such as Risk Management, Compliance and Internal Audit should never be outsourced); instead, CEBS should include reference to principles of evaluating strategic/significant or core functions.
- Instead of limiting the outsourcing possibilities, CEBS should focus on the process of outsourcing, because ultimately management is always responsible and whether activities are outsourced is not the issue. An institution can never outsource accountability for service delivery, but instead may outsource responsibility. In turn, management should then appraise the risk of changing service delivery models in the context of the nature of the service under review.
- A clear distinction between "management of the activity" and the activity itself should be made. The language "Strategic and core management responsibilities and functions cannot be outsourced" leaves confusion. Is it about the activity, or managing the activity, or either, or both? As said above, accountability can never be outsourced; activities can/might be.

2.2 Scope of the consultation paper

The paper's primary focus is on financial institutions' own risk management in the area of outsourcing, but there is little emphasis on supervisory measures. On supervision, we would like to provide the following comments:

- Co-operation with/between supervisors
  Outsourcing is a subject that gives rise to changes in the outsourcing institution's operational risk profile. We suggest that oversight, supervision or approval of outsourcing proposals and activities is solely a matter for the outsourcing institution's leading supervisor. Where the activity is material and is the responsibility of a locally-incorporated subsidiary, the (host) supervisor for the subsidiary should take account of the views of the lead supervisor of the group.
- Intervention of the supervisor
  The paper does not address the circumstances under which the supervisor might intervene. We welcome this, and believe that the supervisor should only intervene through the outsourcer to secure adequate controls, as the contractual relationship and accountability sits with them. If there are insufficient controls or they are updated, then the organisation should work with the third party to understand the impact and change the control mechanism and contract as appropriate.
- Rules should not be too detailed
  We support the High Level Principles-based approach adopted by CEBS, since we believe a rule-based approach with too many details would not be appropriate given the diversity of outsourcing activities. This can be achieved by a set of principles that are focused on the real material issues of outsourcing and are aligned with the respective responsibilities of the supervisors and the financial institutions.

III. Detailed comments on HLPs

3.1 Part 1 - Definition of outsourcing

We would suggest that, when applying those HLPs, CEBS draws a clear distinction between outsourcing to a third party and intra-group (or in-house) outsourcing, as they carry different risk profiles. The regulatory demands should be lower for intra-group or in-house outsourcing, sometimes referred to as offshoring. Ideally, the operational risks attached to outsourcing to a group company are minimised, as one would expect unhindered management control of the outsourced activities.

3.2 Part 2 - HLPs on outsourcing addressed to institutions

HLP 1 - Strategic and core management responsibility and functions cannot be outsourced.

Before implementing HLP1, supervisory authorities should make a clear distinction between accountability and responsibility in outsourcing: an institution can make a third party responsible for service delivery whilst retaining accountability within the organisation. HLP1 sets out as a principle that core management functions should not be outsourced. We believe that this notion of core management functions needs further clarification through referencing principles of evaluating strategic/significant or core functions (see our general comments).

HLP 2 - The ultimate responsibility for proper management of the risks associated with outsourcing lies with an outsourcing institution's senior executive management.

Under HLP2, it is stated that outsourcing institutions should be encouraged to retain adequate core competence at a senior operational level to enable them to have the capability to resume direct control over an outsourced activity, in extremis. We believe that such a requirement will be difficult to comply with, since it should be recognised that this core competence may not exist within the organisation and so recruitment or additional training would be required in this instance. This should therefore be addressed contractually with the service supplier.

HLP 3 - An outsourcing institution should take particular care when outsourcing material activities, i.e. activities of such importance that any weakness or failure in the provision of these activities could have a significant effect on its ability to meet its regulatory responsibilities and/or to continue in business. In such cases the outsourcing institution should pre-notify its supervisory authority.

Under HLP3, it is mentioned that the outsourcing institution should inform its supervisory authority of any important activity to be outsourced. We believe that what could be considered an important activity clearly needs a more precise definition. This broad term could provide the supervisory authorities with too powerful and arbitrary a tool if it is not better defined. We therefore think that the materiality concept should be used for this requirement rather than introducing additional terms such as "important activities".

Furthermore, we would suggest not including a formal notification obligation, but indicating that the supervisor expects the outsourcing institution to notify it as soon as possible, in an appropriate manner, of decisions and developments, or of disasters, which are of material concern. Indeed, we see no purpose in having a pre-notification obligation unless the supervisor wants to use it as a prior approval for outsourcing, which does not seem to be CEBS' intention.

HLP 4 - There should be no restrictions on the outsourcing of non-material activities of an outsourcing institution.

HLP4 stipulates that no requirements or conditions should be imposed on institutions that wish to outsource non-core activities that have little or no implications for internal control or key authorised functions. Non-core activities are specified as areas which do not potentially constitute relevant risks.

Again, we would like to see a focus on the process of outsourcing instead of restrictions on outsourcing possibilities.

HLP 5 - The outsourcing institution should have a policy on its approach to outsourcing, including contingency plans and exit strategies.

We do not have additional comments to the previous ones on HLP5.

HLP 6 - An outsourcing institution's policies should require it to manage the risks associated with its outsourcing arrangements.

Complying with this principle includes notification to the supervisory authority of all serious problems. We would want more details on what could be considered a serious problem here, to ensure that institutions know exactly when communication with the supervisory authority is warranted/necessary. Please see also our comment under HLP3 (we would suggest not including a formal notification obligation).

HLP 7 - All outsourcing arrangements should be subject to a formal and comprehensive contract.

One of the requirements of HLP7 is that the outsourcing service provider's ability to meet performance requirements in both quantitative and qualitative terms should be assessable in advance. We believe that this can only be done on a best-efforts basis through the due diligence process.

It is also stated that the contract should consider granting the outsourcing institution's internal auditing department and its external auditors full and unrestricted rights of inspection and auditing at all times. Again, we think that practicalities drive this and appropriate wording should be included within the contract to cover audit rights. This requirement therefore appears to be unduly onerous, and the key element should be to ensure that sufficient access is granted. Thus, we would suggest the following text:

"Provisions for the outsourcing institution and its supervisors to perform necessary audit activity must be included in the contract. Such provisions should provide the outsourcer and its supervisors with sufficient authority to obtain information about the outsourced activities from the Service Provider or from its external auditor and, if deemed necessary, to carry out an examination of the external Service Provider."

HLP 8 - In managing its relationship with an outsourcing service provider an outsourcing institution should ensure that a service level agreement (SLA) is put in place.

We do not have specific comments on HLP8.

3.3 Part 3 - Other supervisory principles on outsourcing

HLP 9 - Supervisory authorities should aim to establish a right to information, and to conduct, or order, on-site inspections in an outsourcing service provider's premises.

One of the powers of the supervisory authority set out by HLP9 is that the supervisory authority should be able to cancel the outsourcing measure if the outsourcing institution cannot ensure the exercise or enforcement of the rights of supervisors. ABN AMRO believes that this statement can be problematic in some EU countries from a contractual perspective. Details on how this principle will be put into practice by supervisory authorities need to be clarified.

HLP 10 - Supervisory authorities should take account of concentration risk, where one outsourcing service provider provides outsourcing services to several authorised outsourcing institutions.

We do not have specific comments on HLP10.

HLP 11 - Supervisory authorities should take account of the risks associated with chain outsourcing (whereby the outsourcing service provider sub-contracts elements of the service to other providers).

We do not have specific comments on HLP11.

Proposal for a new HLP in Part 3

We would like to propose an additional High Level Principle in Part 3, "Other supervisory principles on outsourcing":

HLP 12 - "Outsourcing arrangements should not give rise to a duplication by the outsourcing institution (= "outsourcer") and the outsourcing service provider (= "insourcer") of activities designed to meet the regulatory obligations of the outsourcing institution."

Where an institution outsources services and activities that are covered by the institution's authorisation to an outsourcing service provider that has authorisation comparable to that of the outsourcing institution, regulatory obligations relating to the services and activities are retained by the outsourcing institution, and do not need to be duplicated by the outsourcing service provider. The monitoring of performance against those obligations can be carried out by the outsourcing service provider, as long as decisions are then made by the outsourcing institution.

We have in mind particularly requirements such as KYC ("Know Your Customer") obligations. If a bank provides payment services to a third party bank, the third party bank should be obliged to undertake KYC on its own clients, and not the bank that provides the payment services. It should remain the outsourcing institution's obligation to monitor for unusual transactions and freeze payments. The service provider can operate the monitoring process, but the decisions as to what activity is unusual, or what payments should be made or frozen, must remain with the outsourcing institution itself.

IV. Conclusion

To conclude, we would like to highlight further that ABN AMRO is supportive of CEBS' principles-based approach, since we believe that it firstly allows for a more consistent approach to supervisors' practices at EU level, and secondly gives the necessary flexibility to supervisors when considering outsourcing activities. We therefore look forward to any further developments that CEBS will undertake on outsourcing, and welcome once more this consultation process on such an important issue for the industry.