The growth of fintech shall deal with stringent banking outsourcing regulations which might put burdensome obligations on providers in Italy.
Given the potential impact of outsourcing services in the banking sector, the Bank of Italy issued very specific rules on the contents of outsourcing agreements and obligations that are both on banks and suppliers. These obligations together other general obligations might create a demanding environment for providers. And this happens at the time when Fintech is rapidly growing.
I already discussed about the interactions between Fintech and Internet of Things technologies also in the light of the upcoming implementation of the so called PSD2 European Directive, about the liability regime applicable to blockchain technologies, the most relevant issues in negotiating an outsourcing agreementand insurance outsourcing. But when it comes to banking outsourcing also relating to Fintech technologies, the following shall be taken into account:
Scope of banking outsourcing regulations
The regulations apply only to the outsourcing of ‘important company functions‘ which are those that have a relevant impact on the business of a bank and include the outsourcing of for instance the back office and the information system.
Compulsory contents of Fintech outsourcing agreements
The Bank of Italy regulations provide for minimum clauses that need to be addressed in outsourcing agreements relating to information systems and those include
- the obligation on the bank to
- prove that the supplier is a ‘qualified outsourcer’ which might create issues in case of Fintech start ups;
- keep control and responsabiliy on outsourced activities; and
- keep internal technical and managerial competences to be able to insource the outsourced activity if necessary;
- the obligation on the supplier to
- comply with the security policy of the bank and with privacy laws;
- ensure that at all times it is able to provide the required service and to notify the bank if it is no longer able to do so; and
- be subject to the notification obligations towards banking authoritiies and their potential audits; and
- the obligation to regulate within the contract
- data, software and technical documentation ownership with the obligation on the supplier to destroy in any case the bank’s customer data in case of termination of the agreement;
- management of security breaches;
- service levels;
- termination events in case of supplier’s inability to provide the requested service or breach of the service levels;
- disaster recovery and back up systems, including continuity plans; and
- migration obligations in case of termination of the agreement.
Privacy related obligations
I have already discussed about the impact of the new EU Data Protection Regulation on technology suppliers. But, when it comes to banking outsourcing, the additional tracking and alert obligations that I had addressed in this blog postbecome also relevant.
Sanctions against outsourcers
In addition to the privacy related sanctions that under the new EU Data Protection Regulation will be also against outsourcers, banking regulations introduce sanctions from EUR 30,000 up to 10% of the turnover of the outsourcer. This is a peculiarity as no direct sanctions against outsourcers were provided in the past.
It will be interesting to see the impact of these regulations on Fintech deals.