Search
Contact
08.05.2019 | KPMG Law Insights

New guidelines for outsourcing to service providers in the financial industry

New guidelines for outsourcing to service providers in the financial industry

To increase their effectiveness and reduce costs, companies in the financial sector are outsourcing functions and activities. The new EBA guidelines partially establish new rules for both external and internal outsourcing. For the institutions, this means a significantly increased effort, especially for analysis, control and documentation.

The European Banking Authority (EBA) published the new guidelines on outsourcing, or EBA guidelines, on February 25, 2019. The regulatory treatment of outsourcing includes, in particular, requirements for the governance framework, the preliminary analysis and the outsourcing agreement, sub-outsourcing as well as information requirements vis-à-vis the banking supervisory authority.

Previously, there were only far less detailed regulatory requirements for outsourcing of institution-typical services throughout Europe: The predecessor guidelines from 2006 contained only a few basic principles, which are applied for the German banking industry primarily in General Part 9 (AT 9) of the Minimum Requirements for Risk Management (MaRisk).

The new EBA guidelines use the existing rules as a basis, but these have been significantly expanded and supplemented by very detailed requirements for outsourcing, some of which are new or more stringent. In addition, they now also include requirements from the EBA for the procurement of cloud services, which have been in place since last year. So much more regulation is also reflected in the size: the future EBA guidelines cover more than 30 pages, while AT 9 of MaRisk still took up around three pages.

 

The central new regulations

  1. Scope extended

The new EBA guidelines apply not only to credit and financial services institutions, but also to payment and e-money institutions. This was the first time that regulatory supervision of outsourcing activities was extended at European level to companies that are not subject to the German Banking Act (Kreditwesengesetz) but to the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG).

 

  1. Introduction of new terms

MaRisk previously distinguished between the categories of material and non-material outsourcing; the EBA guidelines now introduce the concept of outsourcing a “critical or important function”. There are clear criteria for determining which activities are considered critical or important. In the future, many requirements will only apply to the outsourcing of critical or important functions; some of the rules will also apply to other outsourcing.

 

  1. No fundamental privileging of intra-group outsourcing; scope of application for outsourcing worldwide

The guidelines make it clear that, in principle, the regulatory requirements must also be met in the case of intra-group outsourcing and outsourcing within the same institutional protection scheme. In this respect, a stricter standard is even applied in some cases, as possible conflicts of interest in particular must be examined and avoided.

A kind of equivalence principle will apply in the future to outsourcing by European companies in the financial industry to third countries. In particular, cooperation between the supervisory authorities must be ensured in the form of a “Memorandum of Understanding”. The result is that European supervisory rules must be observed by outsourcing companies domiciled in third countries.

 

  1. Documentation requirements extended

In the future, institutions will have to keep a central outsourcing register. The EBA Guidelines contain detailed requirements on the information and documentation to be included here.

Also new is the obligation to conduct a comprehensive risk analysis and assessment, including a review (“due diligence”) of the outsourcing company in advance of outsourcing. Due diligence refers to the reputation, professional qualifications and economic strength of the service provider as well as its ethical and social behavior.

 

  1. Sub-outsourcing more strictly regulated

Institutions will be required to monitor sub-outsourcing companies to a greater extent than before. Subcontractors, for example, must already be checked by the outsourcing company as part of the above-mentioned due diligence. Furthermore, the originally contracted service provider must inform the outsourcing company in advance of any planned sub-outsourcing. In certain cases, a right of objection or consent must be stipulated in the outsourcing agreement.

 

Little time for complex implementation

At September 30, 2019, the new guidelines will come into force. Contracts concluded, amended or reviewed as of that date shall be subject to the new regulation from the beginning. Institutions that have completed their outsourcing by December 31, 2021 have not reviewed accordingly, must inform the competent supervisory authority and explain what measures they will take for further adjustment. This transitional arrangement raises some questions for existing outsourcing agreements: For example, the question arises whether any amendment to an outsourcing agreement already makes the new EBA Guidelines applicable. In practice, for example, service level agreements of outsourcing contracts are constantly adjusted. If this were to result in the new rules being applied, then a very large number of existing outsourcing agreements would probably have to be reviewed to ensure that they comply with the new EBA guidelines.

The implementation of the EBA guidelines means a considerable effort that companies in the financial industry should not underestimate, as they will have to analyze their outsourcing processes, internal guidelines and contractual documents and amend them in line with the new set of rules. As a result, the effort required for analysis, control and documentation will increase significantly in the case of outsourcing.

Explore #more

02.07.2026 | KPMG Law Insights

Registered mail with return receipt no longer provides proof of delivery—here are some alternatives

Registered mail with return receipt requested, when used as part of electronic documentation, no longer constitutes prima facie evidence of a document’s receipt. The Hamburg…

02.07.2026 | Deal Notifications

KPMG Law advises the Prinzhorn Group on the acquisition of Stora Enso’s German facilities

KPMG Law Rechtsanwaltsgesellschaft GmbH (“KPMG Law”) has advised Mosburger GmbH, a company of Dunapack Packaging and part of the Austrian Prinzhorn Group, on the acquisition…

02.07.2026 | In the media

KPMG Law Interview in Focus Business: EmpCo Is Coming: Sustainability Marketing Becomes a Top Priority

Stricter EU rules set clearer boundaries for climate pledges and social claims. KPMG Law expert Manuela Meyer explains which claims must be verified and how…

29.06.2026 | KPMG Law Insights

Embedding Digital Sovereignty in the Enterprise – Legal Requirements for IT Systems

Digital sovereignty is an important strategic success factor, and many measures are also required by law. Through legislation such as the Data Act, NIS-2, the…

26.06.2026 | KPMG Law Insights

New Packaging Implementation Act tightens obligations for companies

  Co-author: Séverine Sieprath, Director of Audit, KPMG AG Wirtschaftsprüfungsgesellschaft   The Packaging Implementation Act (VerpackDG),…

25.06.2026 | In the media

KPMG Law Interview in fvw I Traveltalk: Upcoming EU Package Travel Directive — “For the industry, the real work is just beginning”

After more than two and a half years, the legislative process, including publication, was recently completed. Now the deadline for tour operators and travel agencies…

24.06.2026 | Deal Notifications

KPMG Law advised the shareholders of Zimmermann PV-Steel Group on the sale to Nextpower

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) advised the shareholders of Zimmermann PV-Steel Group (Zimmermann) on the sale of the company to Nextpower™ (Nasdaq: NXT), a…

23.06.2026 | KPMG Law Insights

Germany is modernizing its arbitration law

On June 10, 2026, the Federal Government presented a draft of the “Act on the Modernization of Arbitration Law.” Its aim is to adapt the…

18.06.2026 | In the media

KPMG Law Guest Article in *Innovative Administration*: Protection in Turbulent Times

Board members of municipal enterprises face personal, unlimited liability, which is further exacerbated by the unique characteristics of the public sector. D&O insurance protects their…

18.06.2026 | In the media

Handelsblatt and Best Lawyers Honor KPMG Law Experts

Best Lawyers has once again identified Germany’s top business lawyers for 2026, exclusively for the Handelsblatt. A total of 31 lawyers from KPMG Law and…

© 2026 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll