Outsourcing on the rise: ECB warns of increased reliance on third party providers

Published Date
Mar 7, 2024
In its recent Supervisory Newsletter the ECB highlights the jump in the number of outsourcing contracts as banks have increased their reliance on non-EU providers for IT-related services. Banks’ management of outsourcing risks and compliance with regulatory requirements will remain a key area of focus, particularly in light of the approaching application date for the Digital Operational Resilience Act (DORA) in January 2025. 

In the February 2024 edition of the ECB Supervisory Newsletter the ECB presented its analysis of the 2023 data collected from significant banks’ outsourcing registers. The analysis reveals banks’ increasing reliance on third-party service providers, particularly as regards IT-related services.

Outsourcing is a common practice in the banking sector, where banks rely on external providers to perform certain services or functions that are not part of their core business. Outsourcing has many advantages and can help banks reduce costs, increase flexibility, and improve efficiency, but it also comes with significant risks that need to be assessed and managed carefully. 

The ECB has collected banks’ outsourcing registers since 2022 as mandated by the EBA Guidelines on outsourcing arrangements. The ECB notes that the number of outsourcing contracts has significantly increased since then, particularly for critical functions. At the same time deficiencies in outsourcing risk management persist.

What are the outsourcing risks for banks?

Outsourcing risks are the potential negative consequences that may arise from the failure or disruption of the services or functions provided by external providers. These risks can affect the banks' operational resilience, business continuity, reputation, and ability to comply with regulatory requirements.

Some of the main outsourcing risks identified by the ECB are:

  • Concentration risk: This is the risk of relying on a limited number of providers, especially for critical functions. According to the data collected, 30% of the total outsourcing budgets of significant banks is concentrated on just ten providers, most of them headquartered in the US.
  • Business continuity risk: This is the risk that the outsourcing of important functions that cannot easily or quickly be replaced will lead to service disruptions. The 2023 data shows that 50% of outsourcing contracts concern time-critical activities, 20% cannot be reintegrated and 5% cannot even be substituted by other providers.
  • Location risk: This is the risk of outsourcing services or functions to providers that operate in a non-EU jurisdiction. More than half of supervised banks use non-EU providers and about 22% of critical functions and extra-group services are outsourced to non-EU countries. On a related point the ECB notes that cloud-outsourcing has significantly increased with almost all banks using cloud services, with most providers located outside of the EU.
  • Data protection risk: Against the background of the EU’s strict data protection rules under GDPR, the ECB notes that 70% of all outsourcing contracts involve processing of personal data and over 70 banks outsource such services to non-EU jurisdictions with often less strict data protection regimes.

Increased outsourcing necessitates sound risk management

In line with its supervisory priorities the ECB confirms that it is strongly committed to ensuring that banks have robust operational resilience frameworks and are actively tackling vulnerabilities. The ECB will further monitor all of a bank’s outsourcing arrangements with a focus on specific aspects such as cloud outsourcing and concentration risk.

The ECB considers that many banks are not managing outsourcing risk appropriately. The ECB’s investigation revealed that over 10% of outsourcing contracts fall short of regulatory requirements, and of these 20% have not been risk-assessed in the past three years and 60% have not been subject to an audit.

The application of the Digital Operational Resilience Act (DORA) from January 2025 will give supervisors a further oversight tool, not only over banks’ IT-related outsourcing but also over the critical providers of IT services themselves.

Outsourcing will remain an area of keen supervisory focus going forward, especially with the forthcoming application of DORA. Banks need to make sure that they appropriately assess and manage their existing outsourcing contracts and ensure that IT-related outsourcing complies with the new DORA requirements by the go-live date in mid-January 2025.

Content Disclaimer
This content was originally published by Allen & Overy before the A&O Shearman merger