08.05.2019 | KPMG Law Insights

New guidelines for outsourcing to service providers in the financial industry

New guidelines for outsourcing to service providers in the financial industry

To increase their effectiveness and reduce costs, companies in the financial sector are outsourcing functions and activities. The new EBA guidelines partially establish new rules for both external and internal outsourcing. For the institutions, this means a significantly increased effort, especially for analysis, control and documentation.

The European Banking Authority (EBA) published the new guidelines on outsourcing, or EBA guidelines, on February 25, 2019. The regulatory treatment of outsourcing includes, in particular, requirements for the governance framework, the preliminary analysis and the outsourcing agreement, sub-outsourcing as well as information requirements vis-à-vis the banking supervisory authority.

Previously, there were only far less detailed regulatory requirements for outsourcing of institution-typical services throughout Europe: The predecessor guidelines from 2006 contained only a few basic principles, which are applied for the German banking industry primarily in General Part 9 (AT 9) of the Minimum Requirements for Risk Management (MaRisk).

The new EBA guidelines use the existing rules as a basis, but these have been significantly expanded and supplemented by very detailed requirements for outsourcing, some of which are new or more stringent. In addition, they now also include requirements from the EBA for the procurement of cloud services, which have been in place since last year. So much more regulation is also reflected in the size: the future EBA guidelines cover more than 30 pages, while AT 9 of MaRisk still took up around three pages.


The central new regulations

  1. Scope extended

The new EBA guidelines apply not only to credit and financial services institutions, but also to payment and e-money institutions. This was the first time that regulatory supervision of outsourcing activities was extended at European level to companies that are not subject to the German Banking Act (Kreditwesengesetz) but to the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG).


  1. Introduction of new terms

MaRisk previously distinguished between the categories of material and non-material outsourcing; the EBA guidelines now introduce the concept of outsourcing a “critical or important function”. There are clear criteria for determining which activities are considered critical or important. In the future, many requirements will only apply to the outsourcing of critical or important functions; some of the rules will also apply to other outsourcing.


  1. No fundamental privileging of intra-group outsourcing; scope of application for outsourcing worldwide

The guidelines make it clear that, in principle, the regulatory requirements must also be met in the case of intra-group outsourcing and outsourcing within the same institutional protection scheme. In this respect, a stricter standard is even applied in some cases, as possible conflicts of interest in particular must be examined and avoided.

A kind of equivalence principle will apply in the future to outsourcing by European companies in the financial industry to third countries. In particular, cooperation between the supervisory authorities must be ensured in the form of a “Memorandum of Understanding”. The result is that European supervisory rules must be observed by outsourcing companies domiciled in third countries.


  1. Documentation requirements extended

In the future, institutions will have to keep a central outsourcing register. The EBA Guidelines contain detailed requirements on the information and documentation to be included here.

Also new is the obligation to conduct a comprehensive risk analysis and assessment, including a review (“due diligence”) of the outsourcing company in advance of outsourcing. Due diligence refers to the reputation, professional qualifications and economic strength of the service provider as well as its ethical and social behavior.


  1. Sub-outsourcing more strictly regulated

Institutions will be required to monitor sub-outsourcing companies to a greater extent than before. Subcontractors, for example, must already be checked by the outsourcing company as part of the above-mentioned due diligence. Furthermore, the originally contracted service provider must inform the outsourcing company in advance of any planned sub-outsourcing. In certain cases, a right of objection or consent must be stipulated in the outsourcing agreement.


Little time for complex implementation

At September 30, 2019, the new guidelines will come into force. Contracts concluded, amended or reviewed as of that date shall be subject to the new regulation from the beginning. Institutions that have completed their outsourcing by December 31, 2021 have not reviewed accordingly, must inform the competent supervisory authority and explain what measures they will take for further adjustment. This transitional arrangement raises some questions for existing outsourcing agreements: For example, the question arises whether any amendment to an outsourcing agreement already makes the new EBA Guidelines applicable. In practice, for example, service level agreements of outsourcing contracts are constantly adjusted. If this were to result in the new rules being applied, then a very large number of existing outsourcing agreements would probably have to be reviewed to ensure that they comply with the new EBA guidelines.

The implementation of the EBA guidelines means a considerable effort that companies in the financial industry should not underestimate, as they will have to analyze their outsourcing processes, internal guidelines and contractual documents and amend them in line with the new set of rules. As a result, the effort required for analysis, control and documentation will increase significantly in the case of outsourcing.

Explore #more

27.05.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

22.05.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…

09.02.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: The employment law function

In almost all German companies, the employment law function is located in the HR department and not in the legal department. One of the reasons…

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.