1. The FCA says that COVID and Brexit shouldn’t be blockers for companies to comply with EBA Guidelines
2. The hard deadline remains December 31st of 2021
3. Compliance with the regulations is perfectly achievable — it’s just a matter of having the right process.
The PRA and FCA’s view about the EBA guidelines
Last week was a shaky one for UK compliance professionals.
Early in the week, the Prudential Regulation Authority (PRA) publicly stated to the financial institutions it oversees that it does not expect them to meet the EBA's Guidelines on Outsourcing Arrangements by the end of this year, which directly contradicts the European Banking Authority's (EBA) proposed timetable.
EBA regulators gave financial institutions a two-year period to comply with the regulation, starting in 2019 and ending on 31 December of this year, the hard deadline the European institution set for businesses to comply with its guidelines.
Despite that, the PRA leaned on "the disruption and reprioritisation caused by the COVID-19 pandemic and changes to the UK, EU, and global regulatory landscape in this area" to push the deadline to March 2022, causing confusion among compliance professionals in the UK.
In response to the PRA’s directions, the Financial Conduct Authority (FCA) publicly re-affirmed that regulated entities in the UK must meet the EBA’s hard deadline at the end of 2021, despite Brexit and the pandemic.
As Pinsent Masons, the law firm covering the matter, noted, the FCA confirmed (referencing the Guidelines on Outsourcing Arrangements) that it had "notified the EBA that we will comply with the guidelines", including "the review of existing 'critical or important' outsourcing arrangements entered into before 30 September 2019".
In other words, in the FCA's view, COVID and Brexit are not an excuse for companies to miss the Guidelines' deadline.
The EBA Guidelines
Let's go through the guidelines at a high level.
This regulation, applying to banks and most financial institutions, aims to change the way these companies purchase and handle software. Banks and most regulated fintech companies will now have to implement risk management and compliance processes to handle the cloud software they use, as well as a variety of other services they outsource.
Although all outsourced software will require compliance, there will be certain types of software that will require deeper diligence, specifically the ones that meet the definition of “critical or important” under MiFID II.
In plain words, an outsourced service is considered "critical or important" when the failure of the technology in question results in a disruption to your business, a failure to provide your services, or an inability to support your customers.
We recently wrote a detailed blog on how to spot critical or important software as well as a detailed analysis of the EBA guidelines from our compliance team.
These should give you a handle on how the guidelines work and allow you to start designing your action plan to tackle them effectively and efficiently.
Tackle the uncertainty with a clear process
As Pinsent Masons states, many entities in the UK are regulated by both the FCA and the PRA. Given the uncertainty that these regulators' differing viewpoints create, we wanted to arm you with actionable advice to inform your action plan, so the deadlines don't catch you by surprise.
It's all about process. We recommend that you design and integrate a process to manage IT risk and compliance for every single software tool your employees use. This involves, first and foremost, identifying every SaaS tool used by your employees, and establishing a process for approving future purchases, so that no shadow IT flies under the radar.
Once you have control of what software is being used in your company, the rest of the plan flows smoothly: it's just a matter of completing a compliance risk assessment for every SaaS tool (which will help you meet the EBA's requirements), updating it regularly, and maintaining a SaaS Register.
If you’re not sure where to start, we have already laid out a 7-step process to ensure you never miss a deadline and always have a system of record to easily demonstrate compliance to your auditors.
And if you want a tool that does all of this in one place (surfacing, purchasing processes and integrated compliance), make sure you check out Cledara.
Suggestions and stay in the know!
This post was inspired by questions from people like you. We love receiving new and interesting questions that help us think about data in new ways. If you found this post interesting and would like to keep yourself updated on compliance for fintech companies, subscribe to our newsletter by entering your email below!