Outsourcing and Its Risks Are a Top Priority for the European Central Bank’s Supervisory Agenda – Tech & Sourcing @ Morgan Lewis
The European Central Bank (ECB) has published data showing that banks are increasingly using third-party providers to support their critical functions. However, more than 10% of outsourcing contracts covering critical functions are not compliant with the relevant regulations. During a key year for EU financial institutions and their critical service providers—with implementation projects for the Digital Operational Resilience Act (DORA) well underway—the ECB signals that outsourcing and resiliency, particularly risks associated with cloud outsourcing and concentration risks, will be a top priority on its supervisory agenda.
Background
Since 2022, the ECB has annually collected registers of outsourcing arrangements from supervised banks, which must be submitted pursuant to the EBA Guidelines on Outsourcing Arrangements (the Guidelines). As well as general information on each outsourcing (intra-group and external), the register collects data on the criticality of outsourced functions, budget allocations, reliance on providers outside of the European Union, and whether outsourcing contracts involve the processing of personal data. The latest data, collected in 2023, was provided by 109 financial institutions.
The Guidelines contain various requirements in respect of banks’ outsourcing arrangements, including governance and oversight, due diligence assessments, business continuity and resiliency planning, and exit planning. Outsourcing contracts that support critical or important functions are treated with greater priority by the Guidelines and must include mandatory provisions around access and audit rights, performance standards, subcontracting, business continuity, termination rights, cooperation with authorities, and compliance with appropriate information security standards and other policies. These requirements should be well known to EU financial institutions.
Key Figures
- Overall, the ECB notes that the number of outsourcing contracts has increased markedly in recent years, and so too have the budgets allocated to outsourcing strategies, especially for the outsourcing of critical functions. Cloud services have been on the rise since 2022—almost all significant institutions use cloud services, and most of the providers are located outside the European Union.
- More than 60% of critical outsourcing contracts were intra-group—a reminder that it is not just banks’ external outsourcing contracts that must comply with the Guidelines.
- On average, each bank had 98 external contracts for critical functions and 57 external providers supporting critical functions. However, the data varied significantly, from a minimum of two contracts and one provider to a maximum of 1,512 contracts and 936 providers, suggesting either a wide divergence of approach or significant outliers.
- Of a total €25.2 billion allocated toward critical external service providers, nearly 40% (or €9.8 billion) was allocated to information and communication technology (ICT) services. Other sizeable categories include administrative services, customer services, and payment services.
- While more than 30% of banks’ total outsourcing budgets are concentrated on 10 providers, the ECB stated that this is comparable with the prior year’s data.
- Around 12% of all critical outsourcing contracts (intra-group and external) were reported to not be compliant with the Guidelines. Of those noncompliant contracts, 20% have not been subject to a proper risk assessment and 60% have not been audited over the last three years. The ECB cites this as a clear sign that the banks concerned are not giving sufficient consideration to their outsourcing risks, and the ECB will follow up with those banks. It is worth highlighting that the 12% figure represents noncompliance as reported by the banks themselves—the percentage of actual noncompliance is likely to differ.
- As to why contracts were deemed critical, 20% of external critical contracts were considered impossible to reintegrate and 5% impossible to substitute. This adds further weight to the ECB’s warning that banks should undertake proper risk assessments and have sufficient audit and access rights to oversee such critical service providers.
- Of the 109 financial institutions within scope, around 50% had critical functions that were dependent on services from the United Kingdom and around 42% from the United States. In addition, most of the top 10 outsourcing providers are headquartered outside of the European Union (mainly in the United States). These are noteworthy statistics considering that under DORA and the UK critical third parties regime, which is under consultation, EU and UK supervisory authorities, respectively, will expand their oversight (directly or indirectly) to certain critical service providers, whether located in the respective territory or overseas.
Looking Ahead
The publication of this data is a timely reminder that outsourcing risks and operational resilience are key supervisory priorities in the European Union. From January 2025 the expanded scope of data reporting requirements under DORA, which applies to a broad range of ICT services (whether or not outsourcing), will provide EU supervisory authorities with even greater oversight of operational resiliency risks within individual institutions and across the sector.
The ECB’s publication is also a warning that as EU banks and critical service providers come to negotiate outsourcing contracts, or contracts for ICT services, the parties should be cognizant that their arrangements, including compliance with mandatory contractual provisions (among other items), will be scrutinized by the ECB and likely other supervisory authorities.