ECB warns of the risks of increased reliance on outsourcing

Hogan Lovells
The European Central Bank (ECB) published its latest Supervision Newsletter on 21 February 2024 which highlighted, amongst other updates, that the number of outsourcing contracts for ECB supervised banks has increased markedly in recent years. The ECB’s findings are based on data collected from the outsourcing registers of supervised banks during 2023.


The latest ECB Supervision Newsletter [1] details that supervised banks are increasingly dependent on third-party providers for critical functions.

Analysing the 2023 data collected from the outsourcing registers of significant supervised banks, the ECB notes that, whilst there are advantages for banks in outsourcing, these need to be carefully considered alongside the risks. The ECB summarises that although outsourcing can offer lower costs, greater flexibility and increased efficiency, it can also pose risks that banks should assess thoroughly to limit losses and market disruption and to ensure business continuity and operational resilience.


What does the 2023 ECB outsourcing register data show?

Since 2022, the ECB has been collecting data from the outsourcing registers of all significant institutions within the Single Supervisory Mechanism on an annual basis based on the requirements of the European Banking Authority’s Guidelines on outsourcing arrangements.

From the 2023 data collection, the ECB notes that the number of outsourcing contracts has increased markedly in recent years. The increased operational reliance of supervised banks on third-party providers calls for appropriate risk management and supervisory strategies which take into account the growing complexity of supply chains and potential concentration risks. Supervised banks should have robust systems to tackle vulnerabilities stemming from their increased reliance on outsourcing.

Underlining the ECB’s supervisory priorities, the ECB confirms that it is strongly committed to building robust operational resilience frameworks to ensure and reinforce the operational resilience of the banking sector. Key considerations such as the criticality of outsourced functions, the possibility to reintegrate or substitute outsourced services and reliance on cloud service providers and providers outside the EU should be closely analysed and monitored.

Additional key ECB observations from the 2023 outsourcing data include the following:

  • Increased budgets for outsourcing of critical functions - the amount budgeted by banks for their outsourcing strategies has increased, especially for the outsourcing of critical functions, with more than 30% of total outsourcing budgets concentrated on ten outsourcing providers, most of which are headquartered outside of the EU (mainly in the United States). The ECB states that this could lead to systemic concentration risks. In addition, more than 80 significant banks outsource critical payment and administrative services, and more than half of the banks outsource some of their lending and investment services. Of all contracts with external providers covering critical functions, about 50% concern time-critical activities. Around 20% cannot be reintegrated into the banks in case of issues, and around 5% cannot be substituted, for example, through other providers.

  • Risk controls - the ECB investigated banks’ risk controls and found that more than 10% of contracts covering critical functions are not compliant with the relevant regulations. Over the last three years, 20% of these non-compliant contracts have not been subject to a proper risk assessment and 60% have not been audited.

  • Location of third-party service providers - the location of third-party service providers’ headquarters and the country from which the services are provided can be another risk driver for banks. A total of 73 significant institutions are using critical services provided from non-EU countries: approximately 22% of all outsourced critical and extra-group services are offered from non-EU countries, predominantly from the United Kingdom and the United States, but also from Switzerland and India. A related observation is banks’ increasing interest in services provided in the cloud. Almost all significant institutions use cloud services, and most of the providers are located outside the EU. Cloud services account for approximately 15% of all outsourcing contracts.

  • Data protection - in view of the EU’s data protection rules, 70% of outsourcing contracts involve the processing of personal data, and more than 70 significant banks outsource such critical functions to providers outside the EU, like the United States, the United Kingdom and Switzerland.

In light of the above, the ECB considers that the banks concerned are not giving sufficient consideration to their outsourcing risks and that outsourcing risk management must improve. The ECB states that ECB Banking Supervision will be assessing how banks are complying with the outsourcing requirements to ensure that the system as a whole remains resilient.


Key takeaways for ECB supervised banks

Given the findings, outsourcing is likely to be a keen area of focus for the ECB going forward. On that basis, it is essential that ECB supervised banks assess and manage their outsourcing risks appropriately. Sound risk assessments will be key to protecting against systemic risks and are also essential to identify idiosyncratic risks, which may become relevant depending on the characteristics of the outsourcing arrangement and the outsourced function.

From January 2025, the application of the Digital Operational Resilience Act (DORA) will provide further means for the oversight of critical providers of IT services and will foster the harmonisation of rules to ensure that the entire financial system remains operationally resilient. In relation to this, ECB Banking Supervision will continue to monitor outsourcing arrangements with a focus on cloud outsourcing and concentration risks. For an overview of DORA, please see this Engage article, which is the first in our DORA Engage series.


Why does this matter?

  • The ECB’s findings signal that operational resilience and outsourcing remain key supervisory priorities and there will be a continued focus by the ECB going forward on whether firms are compliant with the outsourcing requirements.

  • The concentration of critical services such as IT, payment and administrative functions could pose a significant threat to firms and the sector’s stability, particularly where services are deemed not easily reintegrated – this heightens the risk of systemic collapse in the event of a failure.

  • The ECB findings underline the increasing reliance on cloud services, predominantly offered by companies based beyond EU borders, exacerbating the risk landscape by introducing regulatory and compliance uncertainties.

  • Internal audit teams will have a critical role in contributing to the analysis and measurement of the outsourcing risk exposure.


How can we help?

  • The ECB’s warning signals a call to action for ECB supervised entities, not only banks but also those in the insurance and asset management sectors, to ensure they have carried out a thorough risk assessment of their outsourcing risk management policies, procedures and frameworks, particularly in relation to the handling of personal data. We have strong Financial Services Regulatory, Insurance, Asset Management and GDPR teams with expertise to provide tailored advice to ensure that firms are fully compliant with the operational resilience and GDPR requirements.

  • Financial entities should be fully DORA compliant by 17 January 2025. Our specialist Digital Assets and Blockchain practice, together with our Financial Services Regulatory and Technology specialists, can provide detailed advice in relation to DORA and what needs to be done to ensure that firms are fully compliant in advance of the 17 January 2025 implementation date. The UK is also considering how it will regulate “critical third parties” (CTPs) within the UK financial sector. Our UK Financial Services Regulatory team would be delighted to discuss the proposed requirements for regulating CTPs and what steps firms should take now in advance of the new CTP regime coming into effect.

We would be happy to discuss the requirements set out above or any of your wider regulatory needs in the EU and the UK, so please get in touch if you would like to discuss further.

References

[1] The ECB Supervision Newsletter is published every three months. It highlights and summarises key issues in banking supervision that are of interest to banks and the wider financial sector.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
