August 20, 2020

The Way Fintech Startups Buy SaaS is About to Change Forever

Security & Compliance

New Outsourcing Guidelines from UK and European financial regulators set new requirements for the way regulated fintech startups and other financial services companies buy and manage their SaaS.

By 31 December 2021, almost every financial institution in the UK and Europe will have to comply with the new Outsourcing Guidelines passed by the European Banking Authority. This means that, by next year, most regulated fintech companies will have to introduce risk management and compliance processes to manage the SaaS they use and many other things they outsource.

Until now, fintech startups have had an advantage over incumbents when it comes to embracing new technology and tools. Fintech startups have been able to decentralise SaaS selection to the people that would use it, just like a normal tech company might, whereas incumbent banks have had to navigate lengthy and costly centralised procurement.

These new regulatory guidelines recognise the increasing systemic importance of companies like Monzo, Revolut and N26 and level the playing field for the way different regulated financial services companies select and manage the SaaS they use. The new guidelines mean that, for the first time, fintech startups will need to have processes and controls to govern the way SaaS is brought into the business, how it is monitored while it’s in the business and MUCH more if it’s critical or important to the business.

Is this new?

Yes, and no. The new guidelines replace the 2006 Guidelines on Outsourcing which predated the emergence of fintech and cloud software. The new guidelines expand the requirements beyond banks and specifically cite both fintech and cloud.

Who and what is in scope of the Outsourcing Guidelines?

The new Outsourcing Guidelines now apply to all financial institutions that are:

  • Banks
  • Investment firms subject to Directive (EU) 2013/36 IV (Capital Requirements Directive)
  • Payment institutions, including Authorised Payment Institutions (API) and Payment Initiation Service Providers (PISP)
  • Electronic money institutions

Fintech startups most commonly operate under E-Money Licenses, PISPs or APIs, either directly through licenses they hold or indirectly through Agent relationships with directly licensed partners, and therefore fall within the scope of the regulatory guidelines.

The Guidelines came into force on 30 September 2019. Any contracts with cloud software providers entered into, reviewed, or amended after that date must comply with the Guidelines, and all existing cloud software vendors need to be reviewed in line with the Guidelines by 31 December 2021.

What do fintech startups have to do to comply with the Outsourcing Guidelines?

Train the team

The EBA Outsourcing Guidelines mean that the way fintech companies buy software must change. All SaaS needs to go through a process before it is bought, whether it is a tool used by developers, the way you offer support to customers or something that is critical to payment flows. The process for each is different, depending on the criticality or importance of each to your business, but governance, control and documentation are essential for all.

Maverick buying, especially if those undocumented tools cause future breaches or data security issues, is now a regulatory risk that could result in regulatory fines or, in extreme cases, loss of license. The risk applies irrespective of the cost of the software, free trial periods or what the software is used for. Therefore, it is essential that all team members are aware of the need to: 

  • Inform compliance or IT of SaaS they intend to buy before they subscribe to it
  • Only subscribe to approved SaaS
  • Ensure that all SaaS is documented centrally

Establish a Process

The EBA Outsourcing Guidelines define an 8-step process that you have to follow to be compliant. 

  1. The SaaS Business Case - the functional and non-functional requirements need to be identified and documented, along with the reason that third party software needs to be used to satisfy those requirements, rather than an in-house solution or manual process.
  2. Risk Assessment - before software enters the organisation, companies need to perform a risk assessment of the SaaS tool across more than 30 dimensions specified by the guidelines. This assessment should include an understanding of where data is being stored, the sensitivity of data being shared and the impact of vendor outages on your business continuity. This risk assessment culminates in an assessment of the criticality and importance of the SaaS product, which may trigger further diligence requirements, such as an assessment of reputational risk and the financial health of the SaaS vendor.
  3. Contract Review - The Guidelines set minimum requirements for all contracts with SaaS vendors, such as operational and security incident handling procedures, including escalation and reporting, and more. If a SaaS vendor is critical or important, there are more onerous terms that need to be included in the contract, including access to audits and more.
  4. Exit Plan - where a SaaS product is identified as critical or important, the regulation requires you to have a documented exit plan that can be implemented should you need to change vendor. 
  5. Approval - Once you have completed the above, the SaaS purchase can be approved and completed. 
  6. The SaaS Register - The Outsourcing Guidelines require that companies store details about all SaaS on a central register that includes specific information about the Vendor, including contact information, outcome of the risk assessment, contractual start/finish dates, notice periods and more.
  7. Periodic Reviews - Having completed the process above and approved the software, compliance or IT needs to periodically renew the risk assessment to ensure that the risk profile, criticality or importance has not changed. These reviews may be annual, or more frequent depending on the level of risk.

What is the easiest way to comply with the guidelines? 

We recommend that you start by reading and understanding the guidelines, so that you can design a process and register that meets the regulatory requirements. Alternatively, consider reaching out to schedule a demo of Cledara to see how Cledara can embed compliance into your software purchasing process with inbuilt guided risk assessments that meet all the requirements of the Outsourcing Guidelines, automatic generation of the SaaS Register and more.


