EBA Guidelines On Outsourcing Arrangements By A Cyprus Investment Firm

This article will examine the interpretation of the legal framework of the Republic of Cyprus in relation to the outsourcing of services by a Cyprus Investment Firm ("CIF""), which is regulated and authorized by the Cyprus Securities and Exchange Commission ("CySEC") to a third-party. It will explore whether any regulatory approvals of any kind may be required in Cyprus for the outsourcing.

Based on Article 17(5)(a) of the Law which provides for the provision of investment services, the exercise of investment activities, the operation of regulated markets and other related matters, Law 87(I)/2017, "a CIF must ensure, when relying on a third party for the performance of operational functions which are critical for the provision of continuous and satisfactory service to clients and the performance of investment activities on a continuous and satisfactory basis, that it takes reasonable steps to avoid undue additional operational risk. Outsourcing of important operational functions may not be undertaken in such a way as to materially impair the quality of the CIF's internal control, and the ability of the Commission to monitor the CIF's compliance with all its obligations."

Taking into account the provisions of the Law, although the Law gives the authority to CIFs to outsource critical functions, a CIF, when outscoring critical functions for the provision of continuous and satisfactory service to clients, should take reasonable measures to avoid undue additional operational risk. In addition, CIFs should avoid outsourcing important operational functions when those services are impacting the quality of their services.

It is important to mention that the CySEC Circular 604 on EBA Guidelines on outsourcing (EBA/GL/2019/02) 13 October 2023 states that CySEC has adopted the EBA Guidelines under Section 29 of the Prudential Supervision of Investment Firms Law: "CySEC has adopted the Guidelines under section 29 of the Prudential Supervision of Investment Firms Law of 2021, which transposes Article 36 of the Directive (EU) 2019/20341 (the "IFD") and under Article 97 of Directive (EU) 2013/36/EU (CRD), by incorporating them into its supervisory practices and regulatory approach."

The EBA Guidelines define outsourcing as "an arrangement of any form between an institution, a payment institution or an electronic money institution and a service provider by which that service provider performs a process, a service or an activity that would otherwise be undertaken by the institution, the payment institution or the electronic money institution itself."

Pursuant to Article 73 of the EBA Guidelines, ''institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct.'' Furthermore, according to Article 84, ''without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution''. Lastly, as provided in Article 86, ''regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries.''

The EBA Guidelines require CIFs to consider the principle of proportionality when adhering to these guidelines. This principle ensures that governance arrangements, including those related to outsourcing, align with the institution's nature, business model, and the scale and complexity of its operations, thereby effectively meeting the regulatory requirements.

CIFs should identify, assess, monitor and manage all risks from the outsourcing arrangement, should also take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangements, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities.

The use of the term 'critical or important functions' is based on the wording of MiFID II and the Commission Delegated Regulation (EU) 2017/565 supplementing MiFID II. Commission Delegated Regulation (EU) 2017/565 specifies, under Article 30, that 'an operational function shall be regarded as critical or important where a defect or failure in its performance would materially impair the continuing compliance of an investment firm with the conditions and obligations of its authorisation or its other obligations under Directive 2014/65/EU, or its financial performance, or the soundness or the continuity of its investment services and activities'. The same approach exists under Directive 2009/138/EC12 (Solvency II), while, in the context of outsourcing, the PSD2 uses 'important function' for the purpose of identifying functions under outsourcing arrangements for which specific requirements apply. Therefore, to embrace all existing legislation and to ensure a level playing field for credit institutions, investment firms, payment institutions and electronic money institutions, the wording used under MiFID II is used within the guidelines.

Functions essential to the activities of core business lines or critical operations should be deemed critical or important under the EBA guidelines. However, if a CIF's assessment determines that a failure or improper provision of the outsourced function would not negatively impact the operational continuity of the core business line or critical function, they may be considered otherwise. It is important to be mentioned that EBA guidelines state that CIFs, taking into account the principle of proportionality, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties.

Outsourcing critical or important functions to service providers in third countries must include additional safeguards. These measures ensure that such outsourcing neither significantly increases risk nor hinders the ability of competent authorities to effectively supervise CIFs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.