Outsourcing: New Obligations as of Autumn 2019

EBA guidelines on outsourcing

Financial institutions in the EU must align their outsourcings with the new obligations of the European Banking Authority (EBA) as of
30 September 2019 (EBA/GL/2019/02).

Who is affected

  • Banks
  • Financial services providers
  • Payment service providers (NEW!)
  • Electronic money institution (NEW!)
  • Outsourcing providers

Banks and financial services providers in Germany should already meet the existing requirements as defined by the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, “BaFin”).

Payment service providers and electronic money institutions – and thus also their outsourcing providers – now become subject to concrete obligations  on outsourcing for the first time.

What changes

The new obligations are similar to the existing BaFin requirements for banks and financial services providers (MaRisk), but go beyond them.

Changes relate in particular to the areas of governance, risk management and contract management. This includes e.g.:

  • Newly required risk assessment for other external purchases (procurement)
  • Newly required identification and assessment of conflicts of interest
  • Increased documentation requirements
  • New consent requirement for outsourcing to third countries
  • New pre-outsourcing analysis for planned outsourcings
  • Newly required detailed due diligence regarding outsourcing providers
  • Stricter minimum requirements for outsourcing contracts
  • Stronger focus on IT security, especially for cloud services
  • Increased control obligation for internal audit

When do the changes apply

  • The new obligations apply to outsourcing contracts concluded or amended as from 30 September 2019.
  • For previously concluded contracts, the new obligations apply from 31 December 2021.

How should affected companies react

Affected companies should use a gap analysis to identify and promptly close potential gaps with regard to the new obligations.

In any case, written rules, outsourcing processes and contracts need to be adapted.

Briefing Regulatory Focus Vol. 1 (english) | Briefing Fokus Regulatorik Vol. 1 (deutsch)

Autoren des Blogbeitrags

Dr. Markus  Lange
Dr. Markus  Lange

Bank-, Versicherungs- und Investmentrecht

Marc  Pussar
Marc  Pussar

Bank-, Versicherungs- und Investmentrecht

Teile diesen Beitrag auf