Search
Contact
08.05.2019 | KPMG Law Insights

New guidelines for outsourcing to service providers in the financial industry

New guidelines for outsourcing to service providers in the financial industry

To increase their effectiveness and reduce costs, companies in the financial sector are outsourcing functions and activities. The new EBA guidelines partially establish new rules for both external and internal outsourcing. For the institutions, this means a significantly increased effort, especially for analysis, control and documentation.

The European Banking Authority (EBA) published the new guidelines on outsourcing, or EBA guidelines, on February 25, 2019. The regulatory treatment of outsourcing includes, in particular, requirements for the governance framework, the preliminary analysis and the outsourcing agreement, sub-outsourcing as well as information requirements vis-à-vis the banking supervisory authority.

Previously, there were only far less detailed regulatory requirements for outsourcing of institution-typical services throughout Europe: The predecessor guidelines from 2006 contained only a few basic principles, which are applied for the German banking industry primarily in General Part 9 (AT 9) of the Minimum Requirements for Risk Management (MaRisk).

The new EBA guidelines use the existing rules as a basis, but these have been significantly expanded and supplemented by very detailed requirements for outsourcing, some of which are new or more stringent. In addition, they now also include requirements from the EBA for the procurement of cloud services, which have been in place since last year. So much more regulation is also reflected in the size: the future EBA guidelines cover more than 30 pages, while AT 9 of MaRisk still took up around three pages.

 

The central new regulations

  1. Scope extended

The new EBA guidelines apply not only to credit and financial services institutions, but also to payment and e-money institutions. This was the first time that regulatory supervision of outsourcing activities was extended at European level to companies that are not subject to the German Banking Act (Kreditwesengesetz) but to the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG).

 

  1. Introduction of new terms

MaRisk previously distinguished between the categories of material and non-material outsourcing; the EBA guidelines now introduce the concept of outsourcing a “critical or important function”. There are clear criteria for determining which activities are considered critical or important. In the future, many requirements will only apply to the outsourcing of critical or important functions; some of the rules will also apply to other outsourcing.

 

  1. No fundamental privileging of intra-group outsourcing; scope of application for outsourcing worldwide

The guidelines make it clear that, in principle, the regulatory requirements must also be met in the case of intra-group outsourcing and outsourcing within the same institutional protection scheme. In this respect, a stricter standard is even applied in some cases, as possible conflicts of interest in particular must be examined and avoided.

A kind of equivalence principle will apply in the future to outsourcing by European companies in the financial industry to third countries. In particular, cooperation between the supervisory authorities must be ensured in the form of a “Memorandum of Understanding”. The result is that European supervisory rules must be observed by outsourcing companies domiciled in third countries.

 

  1. Documentation requirements extended

In the future, institutions will have to keep a central outsourcing register. The EBA Guidelines contain detailed requirements on the information and documentation to be included here.

Also new is the obligation to conduct a comprehensive risk analysis and assessment, including a review (“due diligence”) of the outsourcing company in advance of outsourcing. Due diligence refers to the reputation, professional qualifications and economic strength of the service provider as well as its ethical and social behavior.

 

  1. Sub-outsourcing more strictly regulated

Institutions will be required to monitor sub-outsourcing companies to a greater extent than before. Subcontractors, for example, must already be checked by the outsourcing company as part of the above-mentioned due diligence. Furthermore, the originally contracted service provider must inform the outsourcing company in advance of any planned sub-outsourcing. In certain cases, a right of objection or consent must be stipulated in the outsourcing agreement.

 

Little time for complex implementation

At September 30, 2019, the new guidelines will come into force. Contracts concluded, amended or reviewed as of that date shall be subject to the new regulation from the beginning. Institutions that have completed their outsourcing by December 31, 2021 have not reviewed accordingly, must inform the competent supervisory authority and explain what measures they will take for further adjustment. This transitional arrangement raises some questions for existing outsourcing agreements: For example, the question arises whether any amendment to an outsourcing agreement already makes the new EBA Guidelines applicable. In practice, for example, service level agreements of outsourcing contracts are constantly adjusted. If this were to result in the new rules being applied, then a very large number of existing outsourcing agreements would probably have to be reviewed to ensure that they comply with the new EBA guidelines.

The implementation of the EBA guidelines means a considerable effort that companies in the financial industry should not underestimate, as they will have to analyze their outsourcing processes, internal guidelines and contractual documents and amend them in line with the new set of rules. As a result, the effort required for analysis, control and documentation will increase significantly in the case of outsourcing.

Explore #more

25.06.2025 | KPMG Law Insights

Business Travel and Assignment in the USA: What you need to know about US immigration

The recent changes in US immigration rules are causing uncertainty worldwide. In particular, since the new US government took office, processes regarding entry into the…

11.06.2025 | KPMG Law Insights

Omnibus IV brings some simplifications, especially in product law

The EU Commission proposed the fourth omnibus package on May 21, 2025. Omnibus IV contains simplifications in relation to numerous product law requirements and…

02.06.2025 | Deal Notifications

KPMG Law and KPMG advise Diehl Defence on the acquisition of e.sigma

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Diehl Defence GmbH & Co. KG (Diehl Defence) on the complete acquisition of…

27.05.2025 | KPMG Law Insights

Cell Phone Inspections at US Border and Beyond: What to Expect

Key facts: U.S. immigration officials monitor public social media data and travelers should be prepared to share details about their personal social media accounts. All…

14.05.2025 | KPMG Law Insights

BGH on customer installations: Decision orders application in line with the directive

In a ruling dated May 13, 2025, the BGH classified the supply infrastructure in the specific case of a residential complex in Zwickau as a…

13.05.2025 | In the media

KPMG Law expert in Spiegel article on energy policy

Dirk-Henning Meier, Senior Manager in the energy law department at KPMG Law, is quoted in a recent article on energy policy in Der Spiegel.…

13.05.2025 | Career, In the media

azur Karriere Magazin – All AI or what?

Artificial intelligence has long since arrived in law firms and legal departments. But dealing with it is a skill that needs to be learned. Many…

13.05.2025 | KPMG Law Insights

Initial experience with the Single-Use Plastics Fund Act: what manufacturers should bear in mind

Beverage cups, foil and plastic cigarette filters litter streets, parks and sidewalks. The cleaning costs are borne by the local authorities. The Disposable Plastics Fund…

07.05.2025 | KPMG Law Insights

Termination of fixed-term rental agreements in the case of pre-leasing

In the case of a pre-leasing, the tenancy only begins at a later date, usually the handover date. In such cases, the contracting parties usually…

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll