08.05.2019 | KPMG Law Insights

New guidelines for outsourcing to service providers in the financial industry

New guidelines for outsourcing to service providers in the financial industry

To increase their effectiveness and reduce costs, companies in the financial sector are outsourcing functions and activities. The new EBA guidelines partially establish new rules for both external and internal outsourcing. For the institutions, this means a significantly increased effort, especially for analysis, control and documentation.

The European Banking Authority (EBA) published the new guidelines on outsourcing, or EBA guidelines, on February 25, 2019. The regulatory treatment of outsourcing includes, in particular, requirements for the governance framework, the preliminary analysis and the outsourcing agreement, sub-outsourcing as well as information requirements vis-à-vis the banking supervisory authority.

Previously, there were only far less detailed regulatory requirements for outsourcing of institution-typical services throughout Europe: The predecessor guidelines from 2006 contained only a few basic principles, which are applied for the German banking industry primarily in General Part 9 (AT 9) of the Minimum Requirements for Risk Management (MaRisk).

The new EBA guidelines use the existing rules as a basis, but these have been significantly expanded and supplemented by very detailed requirements for outsourcing, some of which are new or more stringent. In addition, they now also include requirements from the EBA for the procurement of cloud services, which have been in place since last year. So much more regulation is also reflected in the size: the future EBA guidelines cover more than 30 pages, while AT 9 of MaRisk still took up around three pages.


The central new regulations

  1. Scope extended

The new EBA guidelines apply not only to credit and financial services institutions, but also to payment and e-money institutions. This was the first time that regulatory supervision of outsourcing activities was extended at European level to companies that are not subject to the German Banking Act (Kreditwesengesetz) but to the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG).


  1. Introduction of new terms

MaRisk previously distinguished between the categories of material and non-material outsourcing; the EBA guidelines now introduce the concept of outsourcing a “critical or important function”. There are clear criteria for determining which activities are considered critical or important. In the future, many requirements will only apply to the outsourcing of critical or important functions; some of the rules will also apply to other outsourcing.


  1. No fundamental privileging of intra-group outsourcing; scope of application for outsourcing worldwide

The guidelines make it clear that, in principle, the regulatory requirements must also be met in the case of intra-group outsourcing and outsourcing within the same institutional protection scheme. In this respect, a stricter standard is even applied in some cases, as possible conflicts of interest in particular must be examined and avoided.

A kind of equivalence principle will apply in the future to outsourcing by European companies in the financial industry to third countries. In particular, cooperation between the supervisory authorities must be ensured in the form of a “Memorandum of Understanding”. The result is that European supervisory rules must be observed by outsourcing companies domiciled in third countries.


  1. Documentation requirements extended

In the future, institutions will have to keep a central outsourcing register. The EBA Guidelines contain detailed requirements on the information and documentation to be included here.

Also new is the obligation to conduct a comprehensive risk analysis and assessment, including a review (“due diligence”) of the outsourcing company in advance of outsourcing. Due diligence refers to the reputation, professional qualifications and economic strength of the service provider as well as its ethical and social behavior.


  1. Sub-outsourcing more strictly regulated

Institutions will be required to monitor sub-outsourcing companies to a greater extent than before. Subcontractors, for example, must already be checked by the outsourcing company as part of the above-mentioned due diligence. Furthermore, the originally contracted service provider must inform the outsourcing company in advance of any planned sub-outsourcing. In certain cases, a right of objection or consent must be stipulated in the outsourcing agreement.


Little time for complex implementation

At September 30, 2019, the new guidelines will come into force. Contracts concluded, amended or reviewed as of that date shall be subject to the new regulation from the beginning. Institutions that have completed their outsourcing by December 31, 2021 have not reviewed accordingly, must inform the competent supervisory authority and explain what measures they will take for further adjustment. This transitional arrangement raises some questions for existing outsourcing agreements: For example, the question arises whether any amendment to an outsourcing agreement already makes the new EBA Guidelines applicable. In practice, for example, service level agreements of outsourcing contracts are constantly adjusted. If this were to result in the new rules being applied, then a very large number of existing outsourcing agreements would probably have to be reviewed to ensure that they comply with the new EBA guidelines.

The implementation of the EBA guidelines means a considerable effort that companies in the financial industry should not underestimate, as they will have to analyze their outsourcing processes, internal guidelines and contractual documents and amend them in line with the new set of rules. As a result, the effort required for analysis, control and documentation will increase significantly in the case of outsourcing.

Explore #more

01.12.2023 | PR publications

WiWo: Best of Legal Awards – Philipp Glock Leader of the Year

On Thursday evening, WirtschaftsWoche honored outstanding projects and minds from consulting firms and law firms in Düsseldorf and celebrated the second Best of Professional Night…

29.11.2023 | KPMG Law Insights

Energy transition also opens up business opportunities

The energy industry’s complex, capital-intensive transformation process offers investors and banks a great deal of potential By Lars Christian Mahler and Marc Goldberg for Börsen-Zeitung,…

29.11.2023 | KPMG Law Insights

Guest article in ZURe – AI and the legal department of tomorrow

The current issue of ZURe (p. 48 ff.) contains a guest article by KPMG Partner Sina Steidel-Küster (Regional Director Southwest, Head of Stuttgart office) and…

29.11.2023 | KPMG Law Insights, KPMG Law Insights

Key Facts about the new draft of the “Data Act

On February 23, 2022, the EU Commission presented the new draft of the so-called Data Act, the “Regulation on harmonized rules for fair access to…

21.11.2023 |

Guest article in ZURe on the implementation of CSRD reporting in SMEs

The current issue of ZURe (p. 34 ff.) contains a guest article by Lena Plato (Director Legal & Compliance, FLABEG Automotive Group GmbH), KPMG Law…

20.11.2023 | Press releases

Statement by KPMG Law experts in Handelsblatt on the topic of sustainability cooperation in antitrust law

In the Handelsblatt, KPMG Law expert Jonas Brueckner is quoted in detail on the subject of cooperation in terms of sustainability. Until this summer, there…

15.11.2023 |

Legal 500 – Country Comparative Guide Germany

Gerrit Rixen and Jonas Brueckner provide an overview of the relevant legal regulations in the area of Competition & Litigation in a practical guide on…

14.11.2023 | Press releases

Tax and Law at a glance – New issue of the digital magazine “Talk

“Talk” stands for Tax and Law Compass, because that’s what the digital magazine wants to be: a navigation aid to the legal and tax aspects…

13.11.2023 |

Statement from KPMG Law experts in Brand eins magazine on the use of AI

The business magazine brand eins asked eight experts about the use of AI in the legal sector. “Many business people cannot even begin to estimate…

10.11.2023 | Deal Notifications

KPMG Law and KPMG AG Wirtschaftsprüfungsgesellschaft advise Ziemann Holvrieka on the acquisition of Künzel Maschinenbau

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Ziemann Holvrieka GmbH from Ludwigsburg on the acquisition of the majority of shares…

© 2023 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.