top of page

What are the key factors that should be taken into consideration when deciding whether a function is critical or important?

When assessing whether an outsourcing arrangement relates to a function that is critical or important, Payment Institutions (<a href="/glossarycollection/payment-institution" style="color:#48277C;" target="_blank" title="Payment Institution"><u>PI</u></a>) should take into account, together with the outcome of the risk assessment outlined in the European Banking Authority (<a href="/glossarycollection/european-banking-authority" style="color:#48277C;" target="_blank" title="European Banking Authority"><u>EBA</u></a>) guidelines in Section 12.2, at least the following factors:<br/><br/> 

a) whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services38 for which they are authorised;<br/><br/> 

b). the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their:<br/><br/> 

i.         short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses;<br/><br/>

ii.         business continuity and operational resilience;<br/><br/> 

iii.         operational risk, including conduct, information and communication technology (ICT) and legal risks;<br/><br/> 

iv.         reputational risks;<br/><br/> 

v.         where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation;<br/><br/> 

c) the potential impact of the outsourcing arrangement on their ability to:<br/><br/> 

i.     identify, monitor and manage all risks;<br/><br/> 

ii.     comply with all legal and regulatory requirements;<br/><br/> 

iii.    conduct appropriate audits regarding the outsourced function;<br/><br/> 

d) all outsourcing arrangements, the PI’s aggregated exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area;<br/><br/> 

e) the size and complexity of any business area affected;<br/><br/> 

f) the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying agreement;<br/><br/> 

g) the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so (‘substitutability’);<br/><br/> 

h) the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so (‘substitutability’);<br/><br/> 

i)    the ability to reintegrate the outsourced function into the PI, if necessary or desirable;<br/><br/> 

j)     the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity on the PI and its clients, including but not limited to compliance with Regulation (EU) 2016/67939.

Previous
bottom of page