Platis – Anastassiadis & Associates Law Partnership is registered with the Athens Bar, registration number 80240 Partners: Eirinikos Platis and Tassos Anastassiadis
Recent Searches
Following the publication of the guidelines on outsourcing arrangements issued by the European Banking Authority (EBA), Bank of Greece (BoG) adopted the new framework by issuing the Executive Committee Act No. 178/5/2.10.2020 (Government Gazette B’ 4410/06.10.2020). This Act specifies the new regime governing outsourcing arrangements of supervised - by BoG institutions, while it also abolishes the existing framework, laid down in BoG Governor’s Act 2577/9.3.2006 Annex 1, as replaced by BoG Governor’s Act 2597/31.10.2007.
The provisions of the new Act govern all new outsourcing agreements, as well as those currently in force, which are being renewed, reexamined or amended, from 06.10.2020.
Necessity and Purpose of the Regulation The Act aims to establish a harmonised framework for the outsourcing of functions with respect to all institutions, supervised by BoG. Its scope therefore encompasses not only credit institutions, but also financial institutions, including payment and e-money institutions (Institutions). Furthermore, the Act
includes specific internal governance requirements and obligations, to which the Institutions should comply, prior to entering an outsourcing arrangement and during its term, in order to ensure the effective management of the risks entailed. Another innovation among others is that the Act specifies the outsourcing regime to cloud service providers.
Basic provisions of the new Executive Committee’s Act
► Scope: the provisions of said Act apply to the following entities:
i. credit institutions having their registered seat in Greece;
ii. branches of credit institutions having their registered seat in a country outside EEA, operating in Greece;
iii.payment institutions having their registered seat in Greece; iv.electronic money institutions having their registered seat in Greece;
v. leasing companies having their registered seat in Greece; vi.factoring companies having their registered seat in Greece;
vii.credit companies having their registered seat in Greece
viii.credit servicing firms having their registered seat in Greece, which proceed to refinancing of claims; and ix.bureaus de change having their registered seat in Greece
The account information service providers (AISP) of art. 4 par. 3 (h) of Law 4537/2018 are excluded from the Scope of the new Act.
► Proportionality Principle: When entering outsourcing arrangements, the Institutions should have regard to the principle of proportionality, in order to ensure that governance arrangements are consistent with the individual risk profile, the Institution’s nature and business model, as well as the scale and complexity of their activities so that the objectives of the regulatory requirements are effectively achieved.
► Assessment of outsourcing arrangements: Institutions should establish whether an arrangement with a third -party falls under the definition of outsourcing. As a general principle, Institutions should not consider the following as outsourcing:
• function that is legally required to be performed by a service provider, e.g. statutory audit; •market information services (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s, Fitch);
• global network infrastructures (e.g. Visa, MasterCard); •clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members; •global financial messaging infrastructures that are subject to oversight by relevant authorities; •
correspondent banking services; and •the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. providing legal opinion and representation in front of the court and administrative bodies, cleaning, medical services, catering, receptionists, plastic cards, card readers, electricity, water, telephone line).
► Critical or important functions: Institutions should always consider a function as critical or important in the following situations:
• where a defect or failure in its performance would materially impair:
i. their continuing compliance with the conditions of their authorisation or its other obligations under the applicable regulatory framework
ii. their financial performance, or iii.the soundness or continuity of their banking and payment services and activities
• when operational tasks of internal control functions are outsourced •when they intend to outsource functions of banking activities or payment services to an extent that would require authorisation by BoG or Hellenic Capital Market Commission.
Governance framework
•Institutions should adopt a holistic institution-wide risk management framework extending across all business lines and internal units.
•The outsourcing of functions should not result in the delegation of the management body’s responsibilities.
•The management body of an Institution, should approve, review and update on a regular basis a written outsourcing policy and ensure its implementation. •Institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements.
• Institutions should have in place, maintain and periodically test appropriate business continuity plans with respect to the outsourced critical or important functions.
• The internal audit function’s activities should cover, following a risk-based approach, the independent review of outsourced activities.
• Obligation to maintain an updated register
i. As part of their risk management framework, Institutions should maintain an updated register of information on all outsourcing arrangements.
ii. Institutions should maintain the documentation of terminated outsourcing arrangements and the supporting documentation for an appropriate period.
iii. The register should include for all existing outsourcing arrangements the information described in Annex I of the new Act. iv.Institutions should, upon request of the BoG, make available either the full register, or specific sections thereof.
► Obligation for Notification: Institutions should adequately inform BoG, either in writing at least sixty (60) calendar days before the execution of the outsourcing agreement, or engage in a supervisory dialogue with BoG about the planned outsourcing of critical or important functions and/or where an outsourced function has become critical or important.
► Outsourcing Process •Pre-contractual phase i. Assessment whether the outsourcing arrangement concerns a critical or important function. ii. Assessment whether the supervisory conditions for outsourcing are met. iii.Identification and assessment of the relevant risks of the outsourcing arrangement. iv.Appropriate due diligence on the prospective service provider. v. Identification and assessment of conflicts of interest.
• Contractual phase:
i. The minimum content of the outsourcing agreement is provided, including the option of sub-outsourcing.
ii. Institutions should ensure that service providers comply with appropriate IT security standards.
iii.Institutions should provide access, information and audit rights to BoG.
iv. The outsourcing agreement should explicitly provide for the Institution’s termination right, as well as the events triggering the exercise of such right, the service provider’s obligations and an appropriate transition period in order to facilitate the transfer of the outsourced function to another service provider.
v. Institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing agreements on a risk-based approach.
vi.Institutions should have designed an appropriate exit strategy.
Conclusions
By virtue of the new Executive Committee’s Act:
• a harmonised outsourcing framework is introduced
• outsourcing procedures are amplified and accelerated, since they no more require a prior supervisory approval •a clear definition of outsourcing, as well as of critical or important functions is provided
• the supervisory measures of BoG are expanded (e.g. prohibition of the outsourcing of functions, request for the termination of any outsourcing agreement in force)
• the internal governance requirements and obligations of institutions are increased for the outsourcing of critical or important functions, due to the high risk entailed in such functions •outsourcing to cloud service providers is specified.
About Platis – Anastassiadis & Associates
Platis - Anastassiadis & Associates is part of the ΕΥ Law network operating in 83 countries globally and is comprised of 2,200+ people.
We are an independent law office with a core team of 25 lawyers. Our office provides high quality legal services across the full range of commercial and financial transactions.
Especially in our geographical area, we have established an ongoing cooperation with the respective law firms which are associated with EY, in order to offer seamless and consistent regional services to our clients that have cross country operations.
Our experience allows us to better understand our clients’ needs and offer them integrated multidisciplinary solutions in the fields of accounting, tax and financial advisory services. Platis – Anastassiadis & Associates law office is solution focused. We work closely with our clients to seek innovative and practical ways of dealing with their issues. Our priority is to help our clients meet their business objectives. Our expertise, commitment and enthusiasm has resulted in the build up of a client base which includes local and international listed, state and private sector companies and financial institutions.
