Skip to main content

New EBA guidelines Outsourcing

New EBA Guidelines Outsourcing: What should be considered? According to the guidelines, outsourcing is an agreement between a credit institution, an e-money institution or a payment institution and an outsourcing company. The latter is also called a “service provider”. Under this agreement, the outsourcing company performs all or part of a process, service or activity that the institution would otherwise perform itself.

New EBA guidelines Outsourcing
When is it an outsourcing?

When assessing outsourcing arrangements, institutions and payment institutions shall determine whether an arrangement with a third party falls within the definition of outsourcing or does not constitute outsourcing.

This assessment should take into account whether the function (or part of it) outsourced to a service provider is performed by the service provider on a recurring or ongoing basis and whether that function (or part of it) would normally fall within the scope of functions that would or could realistically be performed by institutions or payment institutions, even if the institution or payment institution has not performed that function itself in the past.

Distinction between outsourcing and external procurement

What do you have to consider when differentiating between outsourcing and external procurement according to MaRisk? In the following article you will find answers to the following 14 questions regarding the delimitation of outsourcing and external procurement according to MaRisk:

  1. Which outsourced activities and processes are to be included according to § 25b KWG?
  2. No outsourcing within the meaning of § 25b KWG
  3. Requirements of the Audit Report Ordinance for reporting on outsourcing management
  4. Definition of outsourcing according to MaRisk
  5. Other institution-typical services – definition according to MaRisk
  6. Examples of: No outsourcing – Other outsourcing of services
  7. Does Depot A management with special funds constitute outsourcing?
  8. Are the risk ratios provided by KVGs to be classified as outsourcing?
  9. EBA guidelines with catalogue on services that do not constitute outsourcing
  10. Examples re: outsourcing – No classification as other third-party procurement
  11. Outsourcing management must be mapped in the strategy
  12. Outsourcing and concentration risks
  13. Minutes of the special meeting of the MaRisk expert committee on 15.03.2018 in Bonn (BaFin) Topic: Outsourcing
  14. Stricter requirements of the EBA Guidelines on outsourcing arrangements February 2019
Guidelines for the supervisory assessment

Which audit criteria apply to the supervisory assessment of outsourcing controlling? Outsourcing: The EBA guidelines on outsourcing provide binding guidelines for the supervisory assessment. As part of their assessment, supervisors should consider the following 7 risks in particular:

  1. Operational risks associated with the outsourcing arrangement;
  2. reputational risks;
  3. the “step-in risk”, due to which the rescue of a service provider by the institution may be necessary, in the case of significant institutions;
  4. Concentration risks within the institution, including on a consolidated basis, arising from multiple outsourcing arrangements with a single service provider or closely related service providers or multiple outsourcing arrangements in the same business line;
  5. concentration risks at the sector level, e.g. where several institutions or payment institutions use a single service provider or a small group of service providers;
  6. the extent to which the outsourcing institution or payment institution controls the service provider or has the ability to influence its actions, the mitigation of risks that may be associated with a higher level of controls, and whether the service provider falls under the consolidated supervision of the group; and
    conflicts of interest between the institution and the service provider.
  7. Where concentration risks are identified, competent authorities should monitor the evolution of these risks and assess both their potential impact on other institutions and payment institutions and the stability of the financial market. Outsourcing: Guidelines on supervisory assessment require that competent authorities also inform the resolution authority of new potentially critical functions identified in the course of this assessment.
Governance arrangements + Third Party Risk

Institutions and payment institutions should, taking into account the principle of proportionality in accordance with Section 1, identify, assess, monitor and manage all risks to which they are or may be exposed as a result of arrangements with third parties. This shall be done irrespective of whether these arrangements are outsourcing arrangements or not.

The risks, in particular operational risks, of all arrangements with third parties, including those referred to in paragraphs 26 and 28, should be assessed in accordance with Section 12.2. of the EBA Guidelines on Outsourcing.

Institutions and payment institutions shall ensure that they comply with all the requirements laid down in Regulation (EU) 2016/679, including as regards third-party agreements and outsourcing arrangements.


As regards critical or essential functions, institutions and payment institutions shall ensure that the service provider has

  • has the business reputation
  • appropriate and sufficient skills,
  • expertise,
  • capacity and resources (e.g. human and financial resources, IT resources),
  • organisational structure and
    where applicable, the necessary regulatory authorisation(s) or registration(s) to perform the critical or essential function in a reliable and professional manner.

This is the only way to ensure that the service provider is able to fulfil its obligations during the term of the draft contract.

Use of key performance indicators

Institutions and payment institutions should exercise due skill, care and diligence in monitoring and managing outsourcing arrangements.

Institutions shall regularly update their risk assessment and periodically report to the management body on the risks identified in relation to the outsourcing of critical or essential functions.

Institutions and payment institutions shall monitor and manage their internal concentration risks arising from outsourcing arrangements. The management can be carried out using the EBA Guidelines Outsourcing: Use of Key Performance Indicators.

New EBA Guidelines Outsourcing: What needs to be considered? The EBA Guidelines on Outsourcing also regulate the principle of proportionality. This principle applies to the compliance of institutions with the requirements for outsourcing as well as to the monitoring of compliance by supervisory authorities. For the application of the proportionality principle, the criteria developed by the EBA within the framework of the guidelines on internal governance can be used.

In addition, requirements are formulated for central outsourcing solutions within a group or a cross-guarantee system. Examples are a risk analysis, group-wide monitoring and control of outsourcing as well as an outsourcing register at group level. In this case, too, the individual institution remains responsible for compliance with the outsourced banking supervisory requirements. Thus, corresponding rights to information and reporting obligations must be established.

Institutions that have received an exemption from the supervisory authorities (“waiver”) only have to comply with the requirements at the level of the parent company (the central organisation).

Governance framework + New EBA guidelines Outsourcing

New EBA Guidelines Outsourcing: What needs to be considered? The EBA Guidelines on Outsourcing specify basic requirements for the outsourcing of processes, services or activities to an outsourcing company.

The outsourcing of functions does not lead to the delegation of management responsibility. The latter remains fully responsible and legally liable for the outsourced areas. In addition, it must adopt a written “Outsourcing Policy” at the level of the institution as well as at the group level and ensure its implementation. Institutions must have an internal organisation with clearly assigned responsibilities and sufficient resources to ensure adequate governance and monitoring of outsourcing arrangements.

In addition, an “outsourcing function” or, alternatively, the appointment of a senior manager with a direct link to the management is required. The guidelines also contain comprehensive requirements for dealing with conflicts of interest that may arise in connection with outsourcing. If material conflicts of interest arise between group companies in the case of intra-group outsourcing, appropriate measures must be taken to manage these conflicts.

If the internal control function is outsourced (internal audit, risk control and compliance function), the institution should exercise appropriate oversight and be able to adequately manage risks arising from the outsourcing of critical functions.

In addition, comprehensive requirements are placed on business continuation plans and on the internal audit of the outsourcing institution. The documentation requirements are significantly higher than the requirements of MaRisk. Thus, the institutions must keep a detailed outsourcing register with all outsourcing agreements in a common database format at the institution and group level. The institutions must regularly make this available to the supervisory authorities as part of the SREP. However, under certain conditions, it can also be kept centrally at the group level.

Outsourcing process – New EBA Guidelines Outsourcing: What needs to be considered?

New EBA Guidelines Outsourcing: What needs to be considered? The EBA guidelines specify detailed requirements for the risk analysis to be carried out in advance of the outsourcing if it has been classified as a critical/significant function or as other outsourcing. In this context, the outsourcing of certain functions, e.g. the operational activities of the internal control functions, should always be classified as critical or significant. The guidelines contain concrete specifications of assessment criteria which the institutions must at least take into account in the classification.

For example, when conducting due diligence on the outsourcing entity, institutions must assess whether the outsourcing entity has sufficient and appropriate capabilities, capacity, resources, organisational structures and, where applicable, the necessary approvals. In addition, before entering into the outsourcing agreement, institutions should identify, assess, monitor and communicate all associated risks. The principle of proportionality must be applied here.

There are also comprehensive requirements for all outsourcing agreements. Institutions must have the necessary rights granted to them in the outsourcing agreement in the event of further outsourcing, termination rights as well as access, information and audit rights. The requirements for monitoring the outsourced activities, processes and services are also regulated. Under certain conditions, centralisation at group level is possible.

Finally, specifications on information security, also in connection with cloud services and exit strategies are determined. Institutions should notify the planned outsourcing of critical or significant functions to the supervisory authority in good time in advance.

Guidelines on outsourcing adressed to competent authorities + New EBA guidelines Outsourcing

New EBA Guidelines Outsourcing: What needs to be considered? The EBA Guidelines on Outsourcing also address the competent supervisory authorities. The supervisor should carry out the risk assessment of outsourcing at least within the framework of the supervisory review and evaluation process (SREP). In addition to operational risk, reputational risk and concentration risks, the so-called step-in risk and possible conflicts of interest between service provider and institution should also be considered. For this purpose, the supervisory authority can use the outsourcing register submitted to it by the institutions, as well as demand information that goes beyond the register.

According to the draft, the requirements of the guidelines for new outsourcing projects, including outsourcing to cloud service providers, are to apply from 30 June 2019. For existing outsourcing arrangements, the new documentation requirements can be implemented in the course of the rotational adjustments to the arrangements. However, they must be completed by 31 December 2020 at the latest.