On 17 February 2020, the Danish Financial Supervisory Authorities (Danish FSA) published consultations on two new executive orders on outsourcing in the financial sector setting out the requirements to financial institutions' outsourcing of activities. The aim of the executive orders is to further align the regulation with EU regulation including the European Banking Authorities' (EBA) Guidelines on Outsourcing.
The regulatory framework
The executive orders follow the consultation published on 15 November 2019 on a new Danish bill aligning the outsourcing regulation for financial institutions with EU regulation. The new bill is currently being read in parliament.
The Danish FSA has published the following two executive orders on outsourcing:
If adopted, the new executive orders will on 1 July 2020 replace executive order no. 1304 on outsourcing of significant areas of activity of 25 November 2010 (in Danish: outsourcingbekendtgørelsen).
Main implications of the Outsourcing Order
Institutions subject to the Outsourcing Order which have or are planning to outsource activities – in particular critical or important functions – should be aware of the following main implications of the Outsourcing Order:
Implementation of the EBA Guidelines on Outsourcing
The Outsourcing Order implements the main principles of the EBA Guidelines on Outsourcing. The principle of proportionality is, however, only mentioned in the preliminary remarks to the Outsourcing Order and not set out explicitly in the Outsourcing Order as in the EBA Guidelines on Outsourcing.
The outsourcing definition is aligned with the outsourcing definition in the EBA Guidelines on Outsourcing and the terminology outsourcing of "material activities" is replaced with outsourcing of "critical or important functions".
The Outsourcing Order sets out new requirements to governance including new specific requirements to the outsourcing policy, register of outsourcings, conflict of interests, contingency plans, exit strategies etc.
Contractual requirements to outsourcing agreements
The Outsourcing Order introduces additional requirements to risk assessment and due diligence of outsourcing providers and outsourcing agreements for outsourcing of critical and important functions.
Specifically with respect to sub-outsourcings, the Outsourcing Order sets out that outsourcing agreements covering critical and important functions that allow sub-outsourcing shall include a right for the outsourcing institute to object to planned sub-outsourcings or a requirement of approval of any planned sub-outsourcing or material changes to existing sub-outsourcings.
In the remarks to the bill published for consultation on 15 November 2019 mentioned above, it is stated that the aim with respect to sub-outsourcing is to replace the approval requirement with a notification requirement. Before the bill was introduced in parliament, it was added to the remarks that such notification requirement shall only give the outsourcing institute a right to object to a sub-outsourcing within a specified time period but not a right to block the sub-outsourcing.
A notification requirement is introduced in the Outsourcing Order, however, it is an explicit requirement that the outsourcing agreement includes a right for the outsourcing institution to object to sub-outsourcings (in Danish: modsætte sig) and in our view it is not clear that such objection does not prevent the outsourcing provider from effectuating the planned sub-outsouring.
Further, the requirements relating to sub-outsourcing in the Outsourcing Order seem stricter than the requirements hereto in the EBA Guidelines on Outsourcing as the underlined wording is not included in the Outsourcing Order:
"If sub-outsourcing of critical or important functions is permitted, the written agreement should ensure, where appropriate, that the institution or payment institution has the right to object to intended sub-outsourcing, or material changes thereof, or that explicit approval is required".
Specifically with respect to audits, the Outsourcing Order introduces a possibility for institutions to use pooled audits, third-party certifications and third-party or internal audit reports to some extent in accordance with the EBA Guidelines on Outsourcing.
Cloud services
The Outsourcing Order does not include any specific provisions regarding cloud outsourcings, which is a bit surprising as the EBA Guidelines on Outsourcing include a number of specific provisions on cloud outsourcings.
Notification to the Danish FSA
The Outsourcing Order sets out that institutions in a timely manner shall inform the Danish FSA of planned critical or important outsourcings. What is understood by "timely manner" is not defined and the process in case the Danish FSA has any questions or comments is not set out either.
Under the current outsourcing regulation for credit institutions etc. the requirements for notification to the Danish FSA is 8 business days after the outsourcing agreement is signed. The Outsourcing Order changes the notification requirement from an ex post notification to a prior notification.
Next step
The deadline for responding to the consultation is 20 March 2020. The proposed executive orders, if adopted, become effective as of 1 July 2020.