Exciting developments are on the horizon for the Romanian banking community, as efforts are underway to streamline the framework regulating outsourcing arrangements.
The National Bank of Romania ("NBR") has introduced a new regulation (the "Draft Regulation"), which is up for public consultation on the NBR's website. This proposed regulation aims to transpose a wider set of obligations for credit institutions in this respect.
The initiative will likely be received warmly, as it unifies the currently fragmented legal framework that credit institutions need to observe when dealing with outsourcing matters. This includes Regulation No. 5/2013 on prudential requirements for credit institutions and the additional (and more detailed) obligations set out under the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02 dated 25 February 2019).
The Draft Regulation tackles the following key points:
1. The outsourcing governance framework, focusing on aspects such as outsourcing policies, business continuity plans regarding the outsourced functions, internal audit function for the outsourcing arrangements, and documentation requirements.
In terms of amendments, the Draft Regulation introduces a wider definition for the "outsourced function", clarifying that it can also cover functions not previously carried out by the credit institution. It also provides for several alternative criteria helping credit institutions to assess whether the function to be outsourced qualifies as critical or important. Such a thorough prior assessment is important, as critical and important functions (as per MiFID II) are subject to an additional set of requirements in the context of outsourcing.
2. The actual outsourcing process, covering things like risk assessment of outsourcing arrangements, the credit institution's preliminary due diligence of the service provider, mandatory provisions to be included under the agreement (such as rules for sub-outsourcing of critical and important functions, security of data and systems provisions, access, information and audit rights and termination rights) and the exit strategies that banks need to implement.
According to the current form of the Draft Regulation, most of the new obligations will become applicable within three months as of the entry into force of the new provisions. Nevertheless, the NBR seems to place special importance on cloud outsourcing, which is usually more risk-prone and exposed to higher security, data processing and operational threats. As such, the NBR intends to apply a stricter regime. The documentation requirements, i.e. the obligation to maintain a register of information on such outsourcing arrangements, will become applicable immediately as of the entry into force of the Draft Regulation.
This comprehensive legal framework comes at the right time. It paves the way for the entry into force of DORA (Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector), and bolsters the emphasis on adopting a more harmonised approach concerning key services provided by third parties to financial institutions. Public consultation on the Draft Regulation will end soon. It remains to be seen what final form it will take and if the NBR will decide to add more "local" flavour to the draft.
By Francesca Buta, Attorney at Law, Schoenherr