41. The management body of an institution or payment institution [See also the EBA guidelines on the security measures for operational and security risks of payment services under PSD2, available.] that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA’s Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance.
42. The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and proc
…