The Danish FSA has published a new draft executive order on outsourcing implementing the revised EBA Guidelines on Outsourcing into Danish law. The new executive order is overall similar to the EBA Guidelines on Outsourcing; however, the requirements have been restructured and are significantly shorter. With the new executive order, financial institutions will have to rethink the way they source, as the new requirements materially change the scope and approach of outsourcing legislation in Denmark.
Following the draft proposal to an amendment to the Danish financial business act (the “Amendment”) published in November 2019, the Danish Financial Supervisory Agent (“FSA”) has published a new draft executive order on outsourcing (in Danish: “outsourcingbekendtgørelsen”). The Executive Order will implement the EBA Guidelines on Outsourcing (the “EBA Guidelines”) for financial institutions in Danish law and simultaneously revoke the current executive order on outsourcing (executive order no. 1304 of 25 November 2010). This amendment to Danish outsourcing legislation will drastically change how financial institutions approach outsourcing.
The Executive Order is currently a working draft subject to consultation with relevant stakeholders in the financial industry and public authorities. The deadline for input is 20 March 2020. It is expected that the Executive Order will come into force on 1 July 2020 provided parliament passes the Amendment before summer. From this day, compliance with the new elaborate requirement regime known from the EBA Guidelines will become mandatory law for any new outsourcing arrangements entered into by Danish financial institutions. The EBA Guidelines, however, came into force on 30 September 2019, from which date all outsourcing undertakings must have considered the guidelines for any new arrangements. Although the guidelines are not mandatory Danish law until 1 July 2020, we recommend that financial institutions already now take the EBA Guidelines and the Executive Order into consideration when entering into new outsourcing arrangements.
In addition, all outsourcing arrangements regardless of the signature date must be compliant before 31 December 2021 as provided for in both the EBA Guidelines and the Executive Order. We note that the Executive Order does not require financial institutions to notify the FSA of any non-compliant arrangements per 31 December 2021 contrary to the EBA Guidelines.
The Executive Order only implements the EBA Guidelines for financial institutions. The intended new legislation on outsourcing requirements for insurance companies is still pending.
The Executive Order is structured differently and is significantly shorter than the EBA Guidelines. However, both the main content and the wording used in the Executive Order are identical to the Danish version of the EBA Guidelines, which in practice provides for an easier interpretation of the Executive Order and lower risk of implementation gaps by the Danish FSA. As part of the draft, the Danish FSA has published a memo explaining the core principles of the new legislation and providing brief elaboration on these principles. In addition, the Danish FSA intends to publish separate guidance, which will elaborate on the provisions in the Executive Order and include relevant interpretations and decisions from the Danish FSA. This guidance is expected to be published shortly after the Amendment and the Executive Order are passed in parliament.
Contrary to the current executive order on outsourcing, the Executive Order not only governs financial institutions’ outsourcing of material business processes but any type of arrangement that falls under the new broader definition of outsourcing, which includes among other things core business processes, outsourcing of IT and all types of cloud services, e.g. SaaS, PaaS and IaaS.
This new approach means that financial institutions must acknowledge and consult the new requirements in their everyday contracting and sourcing, which will likely result in a new general approach towards outsourcing compliance in all of the financial institution’s lines of business. In addition, the new legislation imposes extended requirements on outsourcing arrangements that are deemed critical or important to the financial institution. This means that prior to any sourcing, financial institutions must conduct an assessment of the criticality and importance of the outsourced business process to identify which of the requirements under the new legislation must be met in order to ensure compliance. Based on the EBA Guidelines and the draft Executive Order we have prepared an assessment support tool – essentially a decision tree – that will assist financial institutions in the assessments necessary under the Executive Order: is the intended contract covered by the rules, and if so, is the outsourcing critical?
The EBA Guidelines and the Executive Order implement a variety of new requirements, e.g. on governance structure, notice obligations and contractual requirements. The most important new governance-related requirement is a list of specific overarching responsibilities that cannot be delegated from the institution’s management to an outsourcing supplier. Also worth mentioning are the required mitigating measures relating to conflict of interest, internal audit, and the mandatory implementation of an outsourcing policy and registry.
In addition to the already elaborate notice obligations for financial institutions, the new legislation also introduces a number of specific situations in which the FSA must be included in the financial institution’s considerations of some outsourcing arrangements, as well as additional rights for the Danish FSA to get insight into financial institutions’ outsourcing arrangements.
Finally, the new legislation requires all outsourcing relationships to be governed by a sound written outsourcing agreement that allocates a long list of specific rights and obligations between the financial institution and supplier. Many of these rights and obligations are already common market practices for IT outsourcing. The most essential new requirements are reporting requirements and frequency, service delivery locations and an extended audit and inspection right for the financial institution and public authorities. Given that these new contractual requirements are mandatory legal requirements, we do not expect that the implementation process into existing outsourcing contracts will be difficult. However, the commercial aspects relating to such implementation are not governed by the new legislation and we therefore expect that the need for these new and stricter provisions may lead to renewed negotiations on price and risk allocation of both new and existing outsourcing arrangements.
Please note that the Executive Order is currently a draft and may thus be subject to changes following the consultation process. However, we do not expect any major discrepancies between the draft and final version of the Executive Order and, aside from the structural changes and shortened wording, we expect that the material, including the Executive Order, memo and the separate guidance, will in all material respects be identical to the EBA Guidelines.
Our recommendation is therefore to initiate or continue the work necessary to reach compliance with the EBA Guidelines and the Executive Order. To assist with this extensive compliance task, we have developed a number of products ranging from e-learning material to contract compliance assessment and documentation tools. For more information on the EBA Guidelines and our new products, please refer to our digital folder “EBA Guidelines on Outsourcing: Implementation and how to become compliant.”
We will of course follow the implementation of the EBA Guidelines closely and share any new information on the topic. In the meantime, we are available and happy to discuss the new legislation and what impact it will have on your business.