
EBA Guidelines on outsourcing arrangements


Financial institutions have been increasingly interested in outsourcing business activities in order to reduce costs and improve their flexibility and efficiency. In the context of digitalisation and the increasing importance of new financial technology (fintech) providers, financial institutions are adapting their business models to embrace such technologies. Outsourcing is also relevant in the context of gaining or maintaining access to the EU’s financial market.

Institutions should be able to effectively control and challenge the quality and performance of outsourced functions and be able to carry out their own risk assessment and ongoing monitoring. Competent authorities, for their part, are required to effectively supervise financial institutions’ outsourcing arrangements, including identifying and monitoring risk concentrations at individual service providers and assessing whether or not such concentrations could pose a risk to the stability of the financial system. To identify such risk concentrations, competent authorities should be able to rely on comprehensive documentation on outsourcing arrangements compiled by financial institutions.

In order to make it easier for competent authorities to effectively supervise outsourcing arrangements, the EBA has updated the Committee of European Banking Supervisors (CEBS) guidelines on outsourcing. The aim is to establish a more harmonised framework for all financial institutions that are within the scope of the EBA’s mandate, namely credit institutions and investment firms subject to CRD IV, as well as payment and electronic money institutions.

The guidelines include requirements that aim to ensure:

a. effective day-to-day management and oversight by the management body of outsourced functions and services;

b. a sound outsourcing policy and processes that reflect the institution’s strategy and risk profile;

c. proper identification of critical or important functions and suitability of potential service providers;

d. protection of customer data across the whole institution, including the outsourced functions;

e. that competent authorities remain able to effectively supervise institutions.

The guidelines will enter into force on 30 September 2019, with the 2006 guidelines on outsourcing being repealed at the same time.

For more details on the key aspects of the EBA guidelines on outsourcing arrangements, please refer to the attached briefing note.
