Polish law creates new rules on banking outsourcing

In September 2023, Polish legislation amending the nation’s Banking Law and the rules on banking outsourcing came into force. These changes were introduced by the Act of 16 August 2023 amending certain acts with a view to ensuring the development of the financial market and the protection of investors in that market.

The amendment underscores how banking outsourcing, situations where a bank outsources certain tasks related to banking activities (e.g. IT services, including cloud computing) to another undertaking (i.e. outsourcer), is becoming increasingly popular internationally, and in Poland is subject to strict regulation and limitations, which is important not only for banks, but also for the providers, particularly the technology providers in IT and cloud computing with whom they cooperate.

The changes address issues of particular importance in the banking sector, such as the rules of liability for damages assumed by outsourcers or the permissibility of creating ‘outsourcing chains’. Importantly, these changes, which were expected by the market, ease previous restrictions. As a result, the digitalisation of the banking sector in Poland is expected to continue in step with checks to ensure an appropriate level of security for bank customers.

Rules of the provider’s liability

Under the previous provisions of the Banking Law, it was not permissible to contractually exclude or even limit the outsourcer’s liability towards the bank for damages caused to bank customers for the non-performance or improper performance of the outsourcing contract. This solution raised serious objections, especially since it is the market standard in IT industry to contractually limit the liability for damages assumed by technology providers. As a result, this could have led to a weakening of interest in the Polish market from international providers, for whom unlimited liability represented too great a risk.

Once the changes have been introduced, it is now permissible to limit the outsourcer’s liability to the bank, on a basis contractually defined by the parties.  However, this change has not taken place ‘without cost’.  According to the new solution, the bank is obliged to put in place “adequate and effective arrangements to secure the coverage of possible costs related to the indemnification of customer claims”.  The bank can ensure this, for example, by introducing provisions in the outsourcing contract setting out unlimited liability of the provider, but on condition that the provider agrees to this. This can also be ensured by the bank in other ways, such as insurance or a bank guarantee.

Unrestricted outsourcing chain

Changes to the length of the outsourcing chain is also very important.  Under the previous regulatory framework, interpreted restrictively by the Polish Financial Supervision Authority (PFSA), it was permissible for a bank to outsource certain activities (services) to a provider and for that provider to further outsource them to another provider.  The Polish regulator, however, did not allow further sub-outsourcing of services, which is quite common in the current technological and business reality.

Following the amendments, the Banking Law allows further outsourcing of the “performance of activities” to a further entity (i.e. a further outsourcer) and to further entities in the outsourcing chain. The amendments align the provisions of the Banking Law with the guidelines of the European Banking Authority (EBA) and, above all, make the previously rigid legal framework more flexible.  Following their introduction, each case of sub-outsourcing and further sub-outsourcing requires the bank’s written consent, which may take the form of specific consent for a identified sub-outsourcer or general consent.  In the latter case, the outsourcer is obliged to inform the bank of intended changes concerning the addition or substitution of other sub-outsourcers, also giving the bank the opportunity to object to such changes.

Notifying the Polish authority instead of authorisation

The Act of 16 August 2023 also abolished the requirement to obtain a permit from the PFSA for ‘foreign outsourcing’ (i.e. the outsourcing of services by a bank to a non-EU undertaking or to an EU outsourcer who performs its services outside the EU).  In place of a permit, the new regulations introduce an obligation to notify the PFSA of the intention to enter into a ‘foreign outsourcing’ agreement. At the same time, the PFSA may object to the conclusion of such an agreement, e.g. in a situation where the law in force in a third country prevents the exercise of authority’s effective supervision.

The new solutions, however, introduce far-reaching formal requirements to be met by the bank. The list of documents and information that the PFSA may expect from the bank (and, consequently, the bank from its outsourcing partners) includes:

• documents relating to the outsourcer’s business activities (e.g. its annual financial statements);
• criminal record information on natural persons who act as members of the outsourcer’s management or supervisory body;
• a statement by the outsourcer that there are no proceedings pending against it which may adversely affect its financial position;
• a declaration by the bank’s management board that the laws in force in the country where the outsourced activities are to be performed do not prevent the PFSA from exercising effective supervision.

PFSA’s cloud guidelines

The changes introduced should accomplish the legislator’s stated objectives: to create conditions for more effective and flexible banking outsourcing in Poland. A lot, however, will depend on the PFSA, which supervises the implementation of the new rules and also has the task of updating and clarifying the soft-law rules (guidelines) for the use of cloud services by banks (and other financial sector entities). Given that the draft amendments (or the explanatory memorandum) do not refer to the PFSA’s guidelines, but to those of the EBA, even more significant changes are likely still to come. These changes do not exclude the abandonment of local Polish guidelines and the general ‘national approach’, replacing them with a European approach that takes EBA guidelines into account.

For more information on Poland’s new banking outsourcing rules and the Polish banking sector, contact your CMS client partner or CMS experts.