May 6, 2021

UK Companies to Comply with EBA Guidelines for Outsourcing Arrangements amid Brexit and COVID pandemic

Security & Compliance

We dug into the latest public statements by PRA and FCA on the EBA Guidelines and give you actionable advice on how to tackle their latest updates.

Key takeaways

1. The FCA says that COVID and Brexit shouldn’t be blockers for companies to comply with EBA Guidelines

2. The hard deadline remains December 31st of 2021

3. Compliance with the regulations is perfectly achievable — it’s just a matter of having the right process.

The PRA and FCA’s view about the EBA guidelines

Last week was a shaky one for UK compliance professionals.

Early in the week, the Prudential Regulation Authority (PRA) publicly told the financial institutions it oversees that it does not expect them to meet the EBA's Guidelines for Outsourcing Arrangements by the end of this year, which directly contradicts the European Banking Authority’s (EBA) published timetable.

The EBA gave financial institutions a two-year period to comply with the regulation, starting in 2019 and ending on the 31st of December of this year, the hard deadline the European institution set for businesses to comply with its guidelines.

Despite that, the PRA cited “the disruption and reprioritisation caused by the COVID-19 pandemic and changes to the UK, EU, and global regulatory landscape in this area” to push the deadline to March 2022, causing confusion among compliance professionals in the UK.

In response to the PRA’s directions, the Financial Conduct Authority (FCA) publicly re-affirmed that regulated entities in the UK must meet the EBA’s hard deadline at the end of 2021, despite Brexit and the pandemic.

As Pinsent Masons, the law firm covering the matter, noted, the FCA confirmed (referencing the Guidelines for Outsourcing Arrangements) that it had "notified the EBA that we will comply with the guidelines", including "the review of existing ‘critical or important’ outsourcing arrangements entered into before 30 September 2019".

In other words, in the FCA’s view, COVID and Brexit are not an excuse for companies to miss the Guidelines’ deadline.

The EBA Guidelines

Let's go through the guidelines at a high level.

This regulation, applying to banks and most financial institutions, aims to change the way these companies purchase and handle software. Banks and most regulated fintech companies will now have to implement risk management and compliance processes to handle the cloud software they use, as well as a variety of other services they outsource.

Although all outsourced software will require compliance, there will be certain types of software that will require deeper diligence, specifically the ones that meet the definition of “critical or important” under MiFID II.

In plain words, an outsourced service is considered “critical or important” when the failure of the technology in question results in a disruption to your business, a failure to provide your services or the inability to support your customers.

We recently wrote a detailed blog on how to spot critical or important software as well as a detailed analysis of the EBA guidelines from our compliance team.

These should give you a handle on how the guidelines work and allow you to start designing your action plan to tackle them effectively and efficiently.

Tackle the uncertainty with a clear process

As Pinsent Masons states, many entities in the UK are regulated by both the FCA and the PRA. Given the uncertainty that these regulators’ differing viewpoints create, we wanted to arm you with actionable advice to inform your action plan, so the deadlines don’t catch you by surprise.

It’s all about process. We recommend that you design and integrate an IT risk and compliance management process covering every single software tool your employees use. This involves, first and foremost, identifying every SaaS tool your employees already use, and establishing an approval process for future purchases, so that no shadow IT flies under the radar.


Once you have control of what software is being used in your company, the rest of the plan flows smoothly: complete a compliance risk assessment for every SaaS tool (which will help you meet the EBA’s requirements), update it regularly, and maintain a SaaS Register.

If you’re not sure where to start, we have already laid out a 7-step process to ensure you never miss a deadline and always have a system of record with which to easily demonstrate compliance to your auditors.

And if you want a tool that does all of this in one place (surfacing, purchasing processes and integrated compliance), make sure you check out Cledara.

Suggestions and stay in the know!

This post was inspired by questions from people like you. We love receiving new and interesting questions that help us think about data in new ways. If you found this post interesting and would like to keep yourself updated on compliance for fintech companies, subscribe to our newsletter by entering your email below!
