On February 25, the European Banking Authority (EBA) published its final report setting out guidelines on outsourcing.

In its report, the EBA updates and replaces the guidelines on outsourcing that the EBA’s predecessor, the Committee of European Banking Supervisors (CEBS), issued in 2006. The CEBS guidelines applied exclusively to credit institutions, but the new EBA guidelines aim to establish a more harmonized framework for all financial institutions that are within scope of the EBA’s mandate, including credit institutions, investment firms and payment institutions.

The guidelines in the EBA’s report set out specific provisions for the governance frameworks of financial institutions within its scope regarding their outsourcing arrangements and the related supervisory expectations and processes. Of significance:

  1. Each financial institution’s management body will remain responsible for that institution and all of its activities at all times. Therefore, the management body will have to ensure that sufficient resources are available to provide appropriate support and ensure the performance of those responsibilities, including overseeing all risks and managing the outsourcing arrangements;
  1. Financial institutions that outsource to service providers located in third countries will be expected to ensure that EU legislation and regulatory requirements will be complied with and that the relevant competent authority is able to effectively supervise financial institutions regarding critical or important functions outsourced to service providers;
  1. The guidelines set out which arrangements with third parties are considered outsourcing and detail the criteria for identifying critical or important functions that have a strong impact on a financial institution’s risk profile or on its internal control framework, in which case stricter requirements will apply to those particular outsourcing arrangements;
  1. Competent authorities will have to effectively supervise financial institutions’ outsourcing arrangements, including identifying and monitoring the concentration of risk at individual service providers and assessing whether such concentrations could pose a risk to the financial system’s stability; and
  1. The EBA has integrated its 2017 recommendations on outsourcing to cloud service providers into its new guidelines and aims to overcome the high level of uncertainty regarding supervisory expectations on outsourcing to such providers.

The EBA’s guidelines will become effective on September 30. The CEBS’ 2006 guidelines and the EBA’s 2017 recommendations on outsourcing to cloud service providers will be repealed on the same date.

The EBA’s final report is available here.