EBA guidelines on outsourcing
Financial institutions in the EU must align their outsourcing arrangements with the new obligations of the European Banking Authority (EBA) as of 30 September 2019 (EBA/GL/2019/02).
Who is affected?
- Financial services providers
- Payment service providers (NEW!)
- Electronic money institutions (NEW!)
- Outsourcing providers
Banks and financial services providers in Germany should already meet the existing requirements as defined by the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”).
Payment service providers and electronic money institutions – and thus also their outsourcing providers – are now subject to concrete outsourcing obligations for the first time.
The new obligations are similar to the existing BaFin requirements for banks and financial services providers (MaRisk), but go beyond them.
The changes relate in particular to governance, risk management and contract management. They include, for example:
- Newly required risk assessment for other external purchases (procurement)
- Newly required identification and assessment of conflicts of interest
- Increased documentation requirements
- New consent requirement for outsourcing to third countries
- New pre-outsourcing analysis for planned outsourcings
- Newly required detailed due diligence regarding outsourcing providers
- Stricter minimum requirements for outsourcing contracts
- Stronger focus on IT security, especially for cloud services
- Increased control obligation for internal audit
When do the changes apply?
- The new obligations apply to outsourcing contracts concluded or amended as from 30 September 2019.
- For previously concluded contracts, the new obligations apply from 31 December 2021.
How should affected companies react?
Affected companies should use a gap analysis to identify and promptly close potential gaps with regard to the new obligations.
In any case, internal written policies, outsourcing processes and outsourcing contracts will need to be adapted.