Outsourcing risk management in an increasingly complex fintech landscape

Across the financial services industry, organisations are increasing their reliance on outsourcing arrangements. For instance, data shared by the European Central Bank recently demonstrated that the share of administrative expenses spent by banks on all outsourcing services had increased from 6.8% to 7.2% in 2023. Outsourcing of ICT services, especially cloud services, continued to grow.

The payments sector is no exception. As fintech players increasingly rely on outsourced services for innovation and efficiency, managing outsourcing risk has become a critical priority to ensure security, regulatory compliance, and operational resilience.

The EAA has been transposed into Maltese law and will come into force on 28 June 2025.

Why managing outsourcing risk is so important

There are multiple reasons why outsourcing risk should be a top priority for your business:

1. Scale and complexity: Outsourcing arrangements are growing in scale and complexity, with an increasing percentage of critical operations being managed by third-party providers, often located in different countries.
2. Cyber and privacy risks: Cyber risks are growing, raising concerns about the confidentiality, integrity and availability of data, including the protection of sensitive personal data.
3. Business continuity: Outsourcing adds a layer of operational risk, with new regulations like the Digital Operational Resilience Act (DORA) emphasising the need for robust business continuity plans and close management of third-party arrangements.
4. Concentration risk: Outsourcing to a limited number of large service providers can concentrate risk in a small number of companies, which also leads to systemic risk in the financial services industry.
5. Geopolitical factors and supply chain risks: Geopolitical factors and supply chain risks continue to expose vulnerabilities in certain categories of outsourcing arrangements.

As a result of these concerns, European regulators are intensifying efforts to create a more comprehensive and structured framework around outsourcing risks, aiming to protect consumers, safeguard data, and maintain financial and operational stability in the face of increasing global interconnectedness.

Outsourcing risk in the spotlight of the revised MFSA FIR/03 Rulebook

Robust outsourcing risk management is a core component of the MFSA FinTech Supervision Function’s recently updated FIR/03 Rulebook, demonstrating the importance being given by the regulator to this space.

The FIR/03 Rulebook focuses on a number of core principles of outsourcing, including:

• Identifying outsourcing arrangements: Firms should have a process for identifying whether an arrangement constitutes outsourcing, and whether that outsourcing arrangement is “critical or important” in nature.
• Governance and oversight: Firms should have robust internal processes to monitor outsourcing arrangements and manage their underlying risks, as well as to ensure outsourced functions are and will remain compliant with regulatory requirements.
• Adequate documentation: Outsourcing arrangements should be well documented. Firms should have an outsourcing policy that is well embedded across the organisation, monitor all outsourcing arrangements centrally through an outsourcing register, and ensure all such arrangements are supported by comprehensive contractual agreements.
• Robust risk management: Organisations should seek to identify and assess all the relevant risks of the outsourcing arrangement, to understand whether outsourcing arrangements add new risks or amplify existing risks to the business.
• Outsourcing lifecycle management: Effective management of an outsourcing arrangement is not just about selecting and onboarding a new external provider, but about monitoring the outsourcing arrangement through the entire outsourcing lifecycle.
• Operational resilience: Organisations will need to understand how the disruption of an outsourced arrangement would impact their processes, how they will manage such disruption, and ensure that the external service provider has adequate business continuity arrangements.
• Effective supervision: Regulated entities are expected to ensure that the MFSA is able to exercise effective supervision over the outsourced function.

Outcomes of the MFSA’s thematic review of outsourcing arrangements

The MFSA recently carried out a thematic review on outsourcing and other third-party arrangements and communicated its findings in a Dear CEO Letter. The publication provided practical guidance on common shortcomings and how to remediate them. Here are some of the salient points raised:

• Identifying outsourcing arrangements: Firms are expected to understand the difference between third-party supplier relationships, outsourcing arrangements, and critical or important outsourcing. Furthermore, outsourcing of internal control functions (i.e., Compliance, Risk and Internal Audit) are explicitly considered critical or important.
• Intragroup outsourcing arrangements: Firms should not apply a lower level of review and scrutiny to intragroup outsourcing; such arrangements should still be assessed for potential risks and conflicts of interest, and be supported by contractual arrangements and oversight.
• Time commitment: Third-party service providers should be able to demonstrate an ability to dedicate adequate time for the delivery of outsourced services or functions.
• Governance and oversight: The MFSA noted numerous weaknesses, such as the Compliance function (i.e., the second line of defence) having direct oversight of the “independent” Internal Audit function, or the Internal Audit function having direct responsibility for operational roles like the IT function.
• Conflicts of interest: The MFSA also noted numerous weaknesses in recognising and managing potential conflicts, such as board members providing compliance or internal audit services to the same entity, or weak conflict management of intra-group arrangements.
• Adequate documentation: Numerous weaknesses (and good practices) have been highlighted around managing documentation, including outsourcing policies that are regularly reviewed and approved by the board of directors, sound contractual arrangements governing outsourcing arrangements, and a well-documented outsourcing register.
   

How Deloitte can help

Our FinTech team, comprising industry specialists, can help you to understand and navigate these evolving operational challenges and regulatory expectations, and to make sense of them within the broader regulatory landscape. We can support you with:

• Completion of an independent assessment of your outsourcing processes and practices;
• Review and classification of outsourcing arrangements;
• Completion of an outsourcing risk analysis and supporting documentation for notification to the MFSA in cases of outsourcing of critical or important operational functions;
• Development of outsourcing policies and procedures and documentation of the outsourcing register;
• Provision of assistance to the internal audit function in completing a review of outsourced activities; and
• Ongoing advisory support in the interpretation of regulatory requirements around outsourcing.