An activity that could cause significant consequences if a Third Party fails to meet expectations; could have impact on the Outsourcer’s regulatory obligations; significant violations of licensing terms caused by third parties; could have significant customer impacts; require significant investment in resources to implement the third-party relationship and manage the risk; or could have a major impact on an organization’s operations if the organization has to find an alternate third party or if the outsourced activity has to be brought in-house. A critical activity could enable specific incremental oversight processes. Retrieved and adapted from OCC Bulletin 2013-29. The European Banking Authority (EBA) defines critical or important functions in section 29. Institutions and payment institutions should always consider a function as critical or important in the following situations: 34 a. where a defect or failure in its performance would materially impair: i. their continuing compliance with the conditions of their authorisation or its other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations; ii. their financial performance; or iii. the soundness or continuity of their banking and payment services and activities; b. when operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function; c. when they intend to outsource functions of banking activities or payment services to an extent that would require authorisation 35 by a competent authority, as referred to in Section 12.1.
Retrieved from: EBA Guidelines on Outsourcing Arrangements, February 2019.