eba finalizes outsourcing guidelines


EBA finalizes outsourcing guidelines

26 February 2019

Regulatory News Alert

On 25 February, the European Banking Authority (EBA) published its revised guidelines on outsourcing arrangements. It sets out the specific provisions for the outsourcing governance frameworks applicable to financial institutions that are subject to capital requirements, as well as to payment providers. These guidelines cover outsourcing in its broadest sense, hence including cloud outsourcing.

Applicable from June 2019, the guidelines incorporate the most recent digitalization efforts and the latest financial technology as proposed by Fintech solutions.

It aims to provide a single, principle-based approach to outsourcing consistently across the key financial regulations: Payments Services Directive (PSD2), Markets in Financial Instruments Directive (MiFID II) and Commission's Delegated Regulation (EU) 2017/565 (MIFID II governance delegated regulation).

The EBA guidelines clarify:

  • Which arrangements are considered outsourcing
  • There are three degrees of outsourcing: critical, important and “other”, a concept already envisaged under MIFID rules, with NCA prior approval for the most critical outsourcing
  • The management body of each financial institution remains responsible for itself and its activities at all times
  • The institution should ensure sufficient resources are available to appropriately support and perform its responsibilities
  • The institution oversees all risks and manages the outsourcing arrangements
  • Outsourcing cannot lead to the creation of empty shells
  • There must be a sound and robust policy and process applicable to any outsourcing including for cloud arrangements (notably preventing inappropriate use of personal data)
  • A key new requirement is the need to prepare and maintain a register of all outsourcing relations (activity, contract; provider, nature of data…)
  • Finally, there must be so called exit plan or contingency and remediation mechanisms in place, were the outsourcing arrangements cease to function.

The fundamental idea is that the focus should be on substance and, just as for the CSSF 18/698 Circular on ManCo and AIFM, the overarching principle is that when a firm has responsibilities, it shall be able to abide by them, and deliver.

The release of these guidelines is rather timely notably for its provisions vis-à-vis third countries. It recalls that financial institutions shall comply with applicable EU legizlations, in particular regarding critical or important functions outsourced to service providers outside the EU.

Where there are clear expectations for institutions, the paper also addresses the National Competent Authorities’ (NCA) monitoring activities and powers to mitigate concentration risks and ensure that outsourcing is completely assessed and documented. In due time, this may lead to some on-site visits.

PDF - 69kb

How Deloitte can help ?

Deloitte can help you in the design of your outsourcing arrangements and optimization; by evidencing current situations, potential gaps or breaches, and by setting up the appropriate models to optimize your resources in line with these new rules.

With its regulatory watch service, Deloitte can help you to stay on top of industry news, preparing your organization for the future.


Simon Ramos
Partner – IM Advisory & Consulting 
Tel : +352 45145 2702

Xavier Zaegel
Partner – Capital Markets/Financial Risk Leader
Tel : +352 45145 2748

Jean-Philippe Peters
Partner – Risk & Capital Management
Tel : +352 45145 2276

Stéphane Hurtaud
Partner – Information & Technology 
Tel : +352 45145 4434

Benoit Sauvage
Senior Manager – RegWatch, Strategy 
& Consulting
Tel : +352 45145 4220


Did you find this useful?