What do the European Banking Authority (EBA) guidelines say about access, information and audit rights?

With regard to the outsourcing of critical or important functions, Payment Institutions (<a href="/glossarycollection/payment-institution" style="color:#48277C;" target="_blank" title="Payment Institution"><u>PI</u></a>) should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following:<br/><br/>

- full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider’s external auditors (‘access and information rights’); and<br/><br/>

- unrestricted rights of inspection and auditing related to the outsourcing arrangement (‘audit rights’), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements.<br/><br/>

Pooled audits and 3rd party certifications can be used, however for the outsourcing of critical or important functions, institutions and payment institutions should assess whether third-party certifications and reports are adequate and sufficient to comply with their regulatory obligations and should not rely solely on these reports over time. Organisations should thoroughly assess the content of the certifications or audit reports on an ongoing basis and verify that the reports or certifications are not obsolete;<br/><br/>

Organisations should only used pooled Audis or certification if they<br/><br/>

- are satisfied with the audit plan for the outsourced function;<br/><br/>

- ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements;<br/><br/>

- thoroughly assess the content of the certifications or audit reports on an ongoing basis and verify that the reports or certifications are not obsolete;<br/><br/>

- ensure that key systems and controls are covered in future versions of the certification or audit report;<br/><br/>

- are satisfied with the aptitude of the certifying or auditing party (e.g. with regard to rotation of the certifying or auditing company, qualifications, expertise, re- performance/verification of the evidence in the underlying audit file);<br/><br/>

- are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place;<br/><br/>

- have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and<br/><br/>

- retain the contractual right to perform individual audits at their discretion with regard to the outsourcing of critical or important functions.