
EBA Guidelines on Outsourcing


On February 25th of 2019 the European Banking Authority (EBA) published revised guidelines on outsourcing arrangements.

These guidelines focus significantly on governance and are set to operate alongside the EBA’s guidelines on internal governance, because outsourcing is one of the most common aspects of institutions’ governance agreements. The guidelines should also be read in conjunction with the EBA’s guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP), the EBA’s guidelines on information and communication technology (ICT) risk assessment under the SREP and the EBA’s guidelines on the information to be provided for the authorisation of payment institutions.

Given the ever-increasing trend amongst institutions of outsourcing activities as a means to reduce costs and to increase efficiency, namely in IT, the guidelines establish a harmonised framework for outsourcing arrangements of financial institutions, namely credit institutions and investment firms subject to the Capital Requirements Directive, as well as payment and electronic money institutions.

In order to uphold a common denominator, the guidelines provide a clear definition of outsourcing that is in line with the one set out in the Commission Delegated Regulation 2017/565, together with detailed criteria to ascertain if an outsourced activity, service, process or function is deemed “critical or important” under MiFID II.

The guidelines also provide a detailed governance framework which should be abided by when outsourcing agreements are entered into. The extensive framework includes requirements that aim to ensure, amongst others, that:

  • there is effective day-to-day management and oversight by senior management or the management body;
  • there is a sound outsourcing policy and there are sound outsourcing processes;
  • all the risks associated with the outsourcing of critical or important functions are identified, assessed, monitored, managed, reported and, as appropriate, mitigated;
  • there are appropriate plans for the exit from outsourcing arrangements of critical or important functions.

The EBA has put forward that outsourcing agreements concerning critical and important functions must set out audit rights, whereas the need to implement audit rights in non-critical outsourcing agreements must be assessed on a case-by-case basis under the grandfathering principle of proportionality.

This means that outsourcing contracts must guarantee that “institutions and payment institutions should ensure that the service provider grants them and their competent authorities unrestricted rights of inspection and auditing related to the outsourcing arrangement, to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements”.

The outsourcing agreements should also ensure “access and information rights”, which translates into full access to all relevant business premises, including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider’s external auditors.

Sub-outsourcing agreements are also covered by the Guidelines, as the EBA focused on laying down the terms in which said arrangements may be entered into, the activities that are excluded from sub-outsourcing and the responsibility for overseeing compliance.

On the date of entry into force (September 30th of 2019) these guidelines will repeal the CEBS guidelines on outsourcing that were issued in 2006, as well as the EBA's specific recommendations on cloud outsourcing. Banks will have until December 31st of 2021 to assess their existing outsourcing arrangements, and in doing so consider if a defect or failure in the performance of an outsourced function would materially impair financial performance, regulatory compliance or business continuity.

Michael-Sean Boniface
