Danish implementation of EBA guidelines on outsourcing

On 17 February 2020, the Danish Financial Supervisory Authority (Danish FSA) published consultations on two new executive orders on outsourcing in the financial sector, setting out the requirements for financial institutions' outsourcing of activities. The aim of the executive orders is to further align the regulation with EU regulation, including the European Banking Authority's (EBA) Guidelines on Outsourcing.

The regulatory framework

The executive orders follow the consultation published on 15 November 2019 on a new Danish bill aligning the outsourcing regulation for financial institutions with EU regulation. The new bill is currently being read in parliament.

The Danish FSA has published the following two executive orders on outsourcing:

  1. Executive order on outsourcing for credit institutions etc. applicable to credit institutions, payment institutions, e-money institutions, shared data centres etc. which implements the EBA Guidelines on Outsourcing (Outsourcing Order).

  2. Executive order on outsourcing for group-II insurance companies etc. applicable to group-II insurance companies, Arbejdsmarkedets Tillægspension, and Lønmodtagernes Dyrtidsfond aiming to align the outsourcing regulation with the outsourcing regulation in Article 274 of the Commission Delegated Regulation (EU) 2015/35 (Solvency II) which is only applicable to group-I insurance companies.

If adopted, the new executive orders will on 1 July 2020 replace executive order no. 1304 on outsourcing of significant areas of activity of 25 November 2010 (in Danish: outsourcingbekendtgørelsen).

Main implications of the Outsourcing Order

Institutions subject to the Outsourcing Order which have or are planning to outsource activities – in particular critical or important functions – should be aware of the following main implications of the Outsourcing Order:

  • Extended scope: The scope of the Outsourcing Order is extended to include new types of institutions e.g. payment institutions and e-money institutions. It is still unclear whether account information service providers (AISPs) are subject to the Outsourcing Order.

  • Broader outsourcing definition: The outsourcing definition is aligned with the EBA outsourcing definition and is broader than the current Danish outsourcing definition.

  • Revision of existing outsourcing agreements: The Outsourcing Order will – if adopted – from 31 December 2021 also apply to outsourcing agreements entered into prior to 1 July 2020. Additional requirements to risk assessment and due diligence of outsourcing providers and outsourcing agreements for outsourcing of critical and important functions are introduced in the Outsourcing Order.

  • Update of internal governance: The Outsourcing Order sets out new requirements to governance including new specific requirements to the outsourcing policy, register of outsourcings, conflict of interests, contingency plans, exit strategies etc.

  • Notification to the Danish FSA: Notification to the Danish FSA of outsourcing of critical and important functions is changed from an ex post notification to a prior notification.

Implementation of the EBA Guidelines on Outsourcing

The Outsourcing Order implements the main principles of the EBA Guidelines on Outsourcing. The principle of proportionality is, however, only mentioned in the preliminary remarks to the Outsourcing Order and not set out explicitly in the Outsourcing Order as in the EBA Guidelines on Outsourcing.

The outsourcing definition is aligned with the outsourcing definition in the EBA Guidelines on Outsourcing and the terminology outsourcing of "material activities" is replaced with outsourcing of "critical or important functions".

The Outsourcing Order sets out new requirements to governance including new specific requirements to the outsourcing policy, register of outsourcings, conflict of interests, contingency plans, exit strategies etc.

Contractual requirements to outsourcing agreements

The Outsourcing Order introduces additional requirements to risk assessment and due diligence of outsourcing providers and outsourcing agreements for outsourcing of critical and important functions.

Specifically with respect to sub-outsourcings, the Outsourcing Order sets out that outsourcing agreements covering critical and important functions that allow sub-outsourcing shall include a right for the outsourcing institute to object to planned sub-outsourcings or a requirement of approval of any planned sub-outsourcing or material changes to existing sub-outsourcings.

In the remarks to the bill published for consultation on 15 November 2019 mentioned above, it is stated that the aim with respect to sub-outsourcing is to replace the approval requirement with a notification requirement. Before the bill was introduced in parliament, it was added to the remarks that such notification requirement shall only give the outsourcing institute a right to object to a sub-outsourcing within a specified time period but not a right to block the sub-outsourcing.

A notification requirement is introduced in the Outsourcing Order. However, it is an explicit requirement that the outsourcing agreement includes a right for the outsourcing institution to object to sub-outsourcings (in Danish: modsætte sig), and in our view it is not clear that such objection does not prevent the outsourcing provider from effectuating the planned sub-outsourcing.

Further, the requirements relating to sub-outsourcing in the Outsourcing Order seem stricter than the requirements hereto in the EBA Guidelines on Outsourcing as the underlined wording is not included in the Outsourcing Order:

"If sub-outsourcing of critical or important functions is permitted, the written agreement should ensure, where appropriate, that the institution or payment institution has the right to object to intended sub-outsourcing, or material changes thereof, or that explicit approval is required".

Specifically with respect to audits, the Outsourcing Order introduces a possibility for institutions to use pooled audits, third-party certifications and third-party or internal audit reports to some extent in accordance with the EBA Guidelines on Outsourcing.

Cloud services

The Outsourcing Order does not include any specific provisions regarding cloud outsourcings, which is a bit surprising as the EBA Guidelines on Outsourcing include a number of specific provisions on cloud outsourcings.

Notification to the Danish FSA

The Outsourcing Order sets out that institutions in a timely manner shall inform the Danish FSA of planned critical or important outsourcings. What is understood by "timely manner" is not defined and the process in case the Danish FSA has any questions or comments is not set out either.

Under the current outsourcing regulation for credit institutions etc., the requirement for notification to the Danish FSA is 8 business days after the outsourcing agreement is signed. The Outsourcing Order changes the notification requirement from an ex post notification to a prior notification.

Next step

The deadline for responding to the consultation is 20 March 2020. The proposed executive orders, if adopted, become effective as of 1 July 2020.
