Search for:

The EBA outsourcing guidelines came into effect on 30 September 2019. They are more prescriptive than the previous guidance and have a broader scope, applying to payment and e-money companies for the first time.  All new outsourcing agreements entered into, reviewed or amended after 30 September 2019 should follow the guidelines taking into account questions of proportionality and the nature of each business. With respect to existing outsourcing arrangements, organisations have until their next contract renewal, or 31 December 2021 at the latest, to bring them into line. 

The purpose of the guidelines is to provide greater harmonisation to financial institutions with one set of  rules for all outsourcing arrangements (including cloud outsourcing), whether to third party service providers or intra-group. The guidance replaces previous outsourcing rules published in 2006 by the Committee of European Banking Supervisors, (which applied to credit institutions only) and  integrate the EBA’s cloud outsourcing guidance from July 2018.   Although these guidelines will not be incorporated into UK law, the FCA has said it expects firms to continue to apply them to the extent that they remain relevant post-Brexit.

Who does the guidance apply to?

The revised guidelines apply to the organisations below (“Regulated Institutions”):

  • credit institutions (i.e. banks);
  • certain categories of investment firm, in particular those with permission to hold client money or deal on their own account (broadly, those that are subject to the Capital Requirements Regulation – in the UK, IFPRU firms); and
  • payment and electronic money institutions, which will be caught by the requirements for the first time.

The guidelines do not directly apply to investment firms which are solely authorised to provide the services of arranging, advising, portfolio management or dealing as agent, and which are unable to hold client money or custody assets, although they will continue to be subject to the MiFID outsourcing regime. The guidelines also do not apply to credit intermediaries and certain non-bank creditors (e.g. non-bank consumer lenders), or to registered AISPs under PSD2. In addition, the guidelines do not apply to insurance companies, which are subject to a different set of outsourcing rules (under Solvency II) and which will need to continue to comply with the existing Solvency II and – in the UK – PRA rules  (although note that earlier this year, the EIOPA issued a consultation on draft guidance on the use of cloud services in insurance and reinsurance and the proposed guidance closely mirrors the EBA guidelines), or to insurance intermediaries.

What’s covered?

The EBA defines “outsourcing” as “an arrangement…between a [Regulated Institution] and a service provider by which that service provider performs a process, a service or an activity, or parts thereof that would otherwise be undertaken by the [Regulated Institution] itself”.  Each institution must determine whether an arrangement constitutes “outsourcing” or not. Stricter rules apply to the outsourcing of “critical or important functions” (“critical outsourcing”). The guidelines include criteria to help firms identify critical outsourcing and these are broadly aligned with the definitions under MiFID II, including where a defect or failure in the outsourcing services may materially impair the continuing compliance of firms’ activities and obligations, financial performance, soundness or continuity of services. There are additional requirements for different scenarios e.g., where the outsourcing involves cloud services, the service provider uses sub-contractors, the service provider is located in a third country or where there is a potential concentration risk.


In broad terms, the requirements under the Guidelines for critical and non-critical outsourcing fall into two categories: (i) Governance requirements, which relate to a firm’s preparedness for the entering into and ongoing management of outsourcing arrangements; and (ii) Process requirements, which require specific steps to be taken in connection with a proposed outsourcing.
Governance requirements. These include:

  • Firms must have a written outsourcing policy: the guidelines include specific requirements for governance frameworks, emphasising that regulatory obligations can never be outsourced.  In particular, Regulated Institutions must prepare a written outsourcing policy that documents, amongst other things, management responsibilities, monitoring, record keeping, and exit. Further governance measures are required in respect of conflicts of interest, business continuity and audit.
  • Firms must maintain a written register: firms must record all outsourcing arrangements in a register. Where the outsourcing is a critical outsourcing, or involves cloud outsourcing, additional information needs to be recorded. The register must be made available to the regulator where required.
  • Requirement for cooperation agreement: firms outsourcing to a service provider located in a third country, which will include the UK after Brexit, should ensure from 31 December 2021, that there is a cooperation agreement in place with respect to supervision arrangements (whether a MoU or supervisory college agreement) between their supervisors and the outsourcers’. The FCA entered into a multilateral MoU with EU and EEA supervisors in February this year.

Process requirements. These include:

  • Firms must carry out pre-outsourcing analysis – Regulated Institutions must perform certain activities prior to engaging in an outsourcing, including assessing whether the outsourcing is a critical outsourcing, undertaking appropriate due diligence and identifying relevant risks.
  • Firms have a duty to inform – when a Regulated Institution is planning to enter into a critical outsourcing, it must give the regulator prior notice. This involves providing certain information to the authority, including the reasons why the outsourcing is considered to be critical or important, information about the service provider, and, if a cloud outsourcing, certain information about the proposed agreement.
  • Contractual requirements – the guidelines detail certain contractual requirements for critical outsourcing arrangements.  These are  described at quite a high level, allowing for some flexibility, and many Regulated Institutions would already include many, if not all of these, as a matter of course in their traditional outsourcing agreements (e.g. data privacy and security provisions, service levels and performance monitoring, insurance requirements, business continuity plan testing, appropriate termination rights and exit support).  However, some requirements are more challenging in the context of cloud services, in particular:
    • Sub-contracting – the contract must include provisions on whether or not “sub-outsourcing of critical or important functions” is permitted. If so, additional obligations regarding oversight and risk management will apply, including ensuring that the Regulated Institution has the right to object to any sub-outsourcing (or a right to expressly approve such sub-outsourcing) and a right to terminate the agreement in case of “undue sub-outsourcing” (e.g. where this materially increases the risks to the Regulated Institution or the provider sub-outsources without notification).
    • Audit – the guidelines state that for critical outsourcings, the outsourcing agreement must include the right of “full access to all relevant business premises” and an “unrestricted right” of Regulated Institutions and competent authorities to “get any information needed with regard to the outsourcing and to access and audit the service provider”.  With a nod to the potential challenges with cloud services, the EBA acknowledges that audit rights could be exercised via pooled audits where multiple parties are given access to a provider’s premises on a single visit and that certifications or internal audit reports may satisfy the audit rights requirements, but also states that firms should not solely rely on these reports over time.

What do you need to do?

  • If not in hand already, given that the new guidelines were published in February 2019, Regulated Institutions will need to ensure that their outsourcing governance frameworks are made compliant with the new rules. Firms will also need to update their outsourcing templates and contract checklists to ensure new contracts that they enter into are compliant with the guidelines. There is also the laborious task of identifying, reviewing and maintaining a register of all existing outsourcing agreements and negotiating any required amendments by the applicable renewal dates and in any case by the 31 December 2021 deadline.
  • Service providers to Regulated Institutions should also consider whether their service offerings meet the new requirements. In any event, we expect that the providers will need to brace themselves to receive yet another set of updates to their existing outsourcing agreements over the coming months, following the recent rounds of BRRD and GDPR-related addenda from the banks.

Sue is a partner in Baker McKenzie's IP, Data and Technology team based in London. Sue specialises in major technology deals including cloud, outsourcing, digital transformation and development and licensing. She also advises on a range of legal and regulatory issues relating to the development and roll-out of new technologies including AI, blockchain/DLT, metaverse and crypto-assets. Her IP and commercial experience includes drafting, advising on and negotiating a wide range of intellectual property and commercial agreements including IP licences and assignment agreements, long-term supply and distribution agreements. She also assists clients in preparing terms of business and related documentation for new business processes and offerings and coordinating global roll-outs. Sue is also a key member of our transactional practice, providing strategic support on the commercial, technology and intellectual property aspects of M&A transactions and joint ventures, including advising on transitional services agreements and other key ancillary IP and commercial agreements. Sue is ranked as a leading lawyer in Chambers for Information Technology & Outsourcing and Fintech Legal and in Legal500 for Commercial Contracts, IT & Telecoms, TMT and Fintech. Clients say of Sue "Sue is outstanding", "She is a really good and very committed lawyer", "Excellent…. Very capable, wouldn’t hesitate to use on IT/TMT/Outsourcing matters." Sue was named in the Standout 35 of the Women in FinTech Powerlist 2020.


Caitlin McErlane is a partner in Baker McKenzie’s Financial Services & Regulatory Group in the London office. Caitlin's practice focuses on advising a range of global financial institutions on complex and high value regulatory matters. She advises banks, major corporates, payment institutions and asset managers on navigating UK and EU financial services regulation. She has particular experience in advising clients on regulatory implementation projects, day-to-day compliance issues, and regulatory issues arising in the context of large-scale transactions. She also expertise in the areas of banking and wholesale financial markets regulation, in particular in the FX and fixed income space, alongside experience advising market infrastructure providers, including major international exchanges, trading platforms, clearing systems and payment services providers, on a variety of compliance issues. Caitlin is also a member of the Baker's ESG and sustainability taskforce, and advises a range of clients on the drafting and implementation of ESG policies and the implications of becoming a signatory to the UNPRI and the Stewardship Code. Caitlin is an authority on regulatory reforms in the sustainability space and sits on a number of trade association working groups. She has recently been interviewed by Climate Action on her work and is a frequent speaker on the subject.