Across the financial services industry, organisations are increasing their reliance on outsourcing arrangements. For instance, data shared by the European Central Bank recently demonstrated that the share of administrative expenses spent by banks on all outsourcing services had increased from 6.8% to 7.2% in 2023. Outsourcing of ICT services, especially cloud services, continued to grow.
The payments sector is no exception. As fintech players increasingly rely on outsourced services for innovation and efficiency, managing outsourcing risk has become a critical priority to ensure security, regulatory compliance, and operational resilience.
There are multiple reasons why outsourcing risk should be a top priority for your business:
As a result of these concerns, European regulators are intensifying efforts to create a more comprehensive and structured framework around outsourcing risks, aiming to protect consumers, safeguard data, and maintain financial and operational stability in the face of increasing global interconnectedness.
Robust outsourcing risk management is a core component of the MFSA FinTech Supervision Function’s recently updated FIR/03 Rulebook, demonstrating the importance being given by the regulator to this space.
The FIR/03 Rulebook focuses on a number of core principles of outsourcing, including:
The MFSA recently carried out a thematic review on outsourcing and other third-party arrangements and communicated its findings in a Dear CEO Letter. The publication provided practical guidance on common shortcomings and how to remediate them. Here are some of the salient points raised:
Our FinTech team, comprising industry specialists, can help you to understand and navigate these evolving operational challenges and regulatory expectations, and to make sense of them within the broader regulatory landscape. We can support you with: