Opinion
Outsourcing on the rise: ECB warns of increased reliance on third party providers
In the February 2024 edition of the ECB Supervisory Newsletter, the ECB presented its analysis of the 2023 data collected from significant banks’ outsourcing registers. The analysis reveals banks’ increasing reliance on third-party service providers, particularly as regards IT-related services.
Outsourcing is a common practice in the banking sector, where banks rely on external providers to perform certain services or functions that are not part of their core business. Outsourcing has many advantages and can help banks reduce costs, increase flexibility, and improve efficiency, but it also comes with significant risks that need to be assessed and managed carefully.
The ECB has collected banks’ outsourcing registers since 2022, as mandated by the EBA Guidelines on outsourcing arrangements. The ECB notes that the number of outsourcing contracts has significantly increased since then, particularly for critical functions. At the same time, deficiencies in outsourcing risk management persist.
What are the outsourcing risks for banks?
Outsourcing risks are the potential negative consequences that may arise from the failure or disruption of the services or functions provided by external providers. These risks can affect the banks' operational resilience, business continuity, reputation, and ability to comply with regulatory requirements.
Some of the main outsourcing risks identified by the ECB are:
- Concentration risk: This is the risk of relying on a limited number of providers, especially for critical functions. According to the data collected, 30% of the total outsourcing budgets of significant banks is concentrated on just ten providers, most of them headquartered in the US.
- Business continuity risk: This is the risk that the outsourcing of important functions that cannot easily or quickly be replaced will lead to service disruptions. The 2023 data shows that 50% of outsourcing contracts concern time-critical activities, 20% cannot be reintegrated and 5% cannot even be substituted by other providers.
- Location risk: This is the risk of outsourcing services or functions to providers that operate in a non-EU jurisdiction. More than half of supervised banks use non-EU providers, and about 22% of critical functions and extra-group services are outsourced to non-EU countries. On a related point, the ECB notes that cloud outsourcing has significantly increased, with almost all banks using cloud services and most providers located outside of the EU.
- Data protection risk: Against the background of the EU’s strict data protection rules under GDPR, the ECB notes that 70% of all outsourcing contracts involve processing of personal data and over 70 banks outsource such services to non-EU jurisdictions with often less strict data protection regimes.
Increased outsourcing necessitates sound risk management
This content was originally published by Allen & Overy before the A&O Shearman merger