Don’t Miss the Bus – EBA Guidelines and compulsory implementation.

Banking companies and financial institutions have five months before the deadline to bring legacy outsourcing arrangements into compliance with the European Banking Authority “Guidelines on outsourcing arrangements” (“EBA”). In this article, we set out the background and applicability of EBA for the outsourcing of IT and cloud services and certain clear steps to achieve compliance within this short timeframe.

The EBA Guidelines came into effect on 30 September 2019. These guidelines require financial and payment institutions (Institutions) to include specific provisions in their outsourcing contracts. Institutions are required to bring legacy outsourcing arrangements into compliance with the EBA Guidelines no later than the next contract renewal date, or 31 December 2021 at the latest.

Notwithstanding Brexit, UK regulators notified the EBA that the UK will comply with the EBA Guidelines. However, due to the COVID-19 pandemic, the PRA and FCA have both confirmed they will give firms in the UK until 31 March 2022 to bring legacy outsourcing arrangements into compliance with the UK’s implementation of the EBA Guidelines. Outside the UK, regulators in EU member states have remained committed to the original deadline of 31 December 2021.

As a result, firms are rushing to plan and implement remediation projects across their European operations to bring legacy contracts into compliance with the EBA Guidelines before the deadline. This is a complex task and can be daunting when hundreds of contracts in multiple jurisdictions may be in-scope.

Background of EBA Guidelines

Directive 2013/36/EU (Capital Requirements Directive; CRD) strengthens the governance requirements for institutions and Article 74(3) CRD gives the EBA the mandate to develop guidelines on institutions’ governance arrangements. Outsourcing is one of the specific aspects of institutions’ governance arrangements. Directive 2014/65/EU (Markets in Financial Instruments Directive; MiFID II) contains explicit provisions regarding the outsourcing of functions in the field of investment services and activities. Directive 2015/2366/EU (Revised Payment Service Directive; PSD2) sets out requirements for the outsourcing of functions by payment institutions.

With regard to outsourcing to service providers located in third countries, financial institutions are expected to take particular care that compliance with EU legislation and regulatory requirements (e.g. professional secrecy, access to information and data, protection of personal data) is ensured and that the competent authority can effectively supervise financial institutions, in particular regarding critical or important functions outsourced to service providers.

Outsourcing of important or critical functions, in particular when the service provider is located outside the EU, creates specific risks both for institutions and payment institutions and for their competent authorities and should be subject to appropriate oversight. Any outsourcing that would result in the delegation by the management body of its responsibility, altering the relationship and obligations of the institution or payment institution towards its clients, undermining the conditions of its authorisation, or removing or modifying any of the conditions subject to which the institution’s or payment institution’s authorisation was granted, should not be permitted.

Application of EBA to IT outsourcing, including fintech and outsourcing to cloud service providers

Institutions must ensure that personal data are adequately protected and kept confidential. Institutions fall within the scope of application of Regulation (EU) 2016/679 (General Data Protection Regulation; GDPR) and must comply with it. When outsourcing IT or data services, it is imperative that business continuity and data protection are appropriately considered. Such considerations are not limited to the outsourcing of IT but apply in general.

Institutions must ensure that they meet internationally accepted information security standards, and this also applies to outsourced IT infrastructures and services. Institutions need to have business continuity and contingency arrangements in place to ensure that their material business activities can be performed continuously. Therefore, such arrangements are also required from some service providers, in particular regarding outsourced functions that are critical or important.

The EBA identified differences in national regulatory and supervisory frameworks for cloud outsourcing, e.g. regarding the information requirements that institutions needed to comply with, and, therefore, in 2017, issued recommendations for outsourcing to cloud service providers. The recommendations were designed to feed into these revised guidelines to ensure that institutions have one single framework for all their outsourcing arrangements. Indeed, several aspects of the recommendations apply in general and are relevant beyond outsourcing to cloud service providers, and those general aspects are reflected in these guidelines. However, where appropriate and relevant, a few specific requirements are applicable exclusively to cloud outsourcing.

The performance and quality of the cloud service provider’s service delivery and the level of operational risk that it may cause to the outsourcing institutions are largely determined by the ability of the cloud service provider to appropriately protect the confidentiality, integrity, and availability of data (in transit or at rest) and of the systems and processes that are used to process, transfer or store those data. Appropriate traceability mechanisms aimed at keeping records of technical and business operations are also key to detecting malicious attempts to breach the security of data and systems. Security expectations should take into account the need, on a risk-based approach, to protect the data and systems.

Cloud service providers often operate a geographically dispersed computing infrastructure that entails the regional and/or global distribution of data storage and processing; therefore, the security and privacy of data and their processing require particular attention. Notwithstanding the requirements included in these guidelines, Union and national laws apply in this respect and, in particular, concerning any obligations or contractual rights referred to in these guidelines, attention should be paid to data protection rules and professional secrecy requirements.

With regard to sub-outsourcing, cloud outsourcing is more dynamic than traditional outsourcing. There is a need for greater certainty about the conditions under which subcontracting can take place, in particular in the case of cloud outsourcing.

The guidelines specify that sub-outsourcing requires ex-ante notification to institutions and payment institutions in the case of outsourcing of critical or important functions. Institutions and payment institutions should always have the right to terminate the contract if planned changes to services, including such changes caused by sub-outsourcing, would adversely affect the risk assessment of the outsourced services.

Given the above and the mandatory compliance date, certain steps may be advised to Institutions, fintechs, and IT service provider companies.

Step 1 – Identify in-scope contracts

In-scope Financial Institutions – do the EBA Guidelines apply to you?

The following arrangements are not “outsourcing”:

  • a function that is legally required to be performed by a service provider (e.g. a statutory audit);
  • market information services (e.g. provision of data by Bloomberg, Moody’s, Standard & Poor’s, Fitch);
  • global network infrastructures (e.g. Visa, MasterCard);
  • clearing and settlement arrangements between clearing houses, central counterparties, settlement institutions, and their members;
  • global financial messaging infrastructures that are subject to oversight by relevant authorities;
  • correspondent banking services; and
  • the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. utilities).


Step 2 – Prioritise

Identify critical contracts – does the contract relate to a critical or important function?

Step 3 – Gap analysis

Step 4 – Amend contracts

Any project to bring legacy contracts into compliance with the EBA Guidelines will be complex. In some projects, there will be many hundreds of agreements in-scope. As a result, appointing the right delivery team with the right legal advisor will be essential to delivering the project efficiently.