EBA Publishes Final Guidelines on Outsourcing Arrangements
The European Banking Authority ("EBA") have issued revised Guidelines on Outsourcing Arrangements, following a consultation period on a draft version of the Guidelines which ended 24 September 2018. The Guidelines enter into force on 30 September 2019 and contain some transitional periods, for example, to allow for firms to implement a register of all outsourcing arrangements.


WHO is subject to the Guidelines? 

The Guidelines apply to credit institutions and investment firms which are subject to the Capital Requirements Directive and to payment institutions and electronic money institutions.

WHEN do the Guidelines enter into force?

The Guidelines will take effect on 30 September 2019 (the Effective Date) and will apply to all outsourcing arrangements entered into, reviewed or amended on or after the Effective Date (with the exception of an outsourced banking or payment activity to a third country service provider which requires a cooperation agreement between competent authorities). 

The EBA Guidelines on Outsourcing Arrangements (the "Guidelines") are significantly more prescriptive than the 2006 CEBS Guidelines.

WHAT are the key reforms? 

  • 'Critical or important functions' assessment: The Guidelines impose stricter requirements on outsourcing arrangements where 'critical or important' functions are being outsourced and the definition of 'critical or important functions' is based on the wording of MiFID II. The Guidelines contain a list of considerations that Firms should consider when determining whether a function is critical or important.
  • Outsourcing arrangement registers: Firms must maintain a comprehensive internal register of all outsourcing arrangements which distinguishes between critical and non-critical outsourced functions. 
  • Sub-outsourcing: Firms must be aware of the degree and nature of sub-outsourcing by their outsourced service providers (OSPs) and include such information in their outsourcing registers. Firms must know certain facts about sub-outsourced activities, such as the location of the sub-outsourced service provider.
  • Focus on FinTech and cloud service providers (CSPs): The Guidelines are particularly concerned with the ability of CSPs to adequately protect data confidentiality and to adhere to relevant data protection regulatory requirements.

Click here or on the image below to read our briefing in full. 

FinReg 09.04.19














Follow us @WilliamFryLaw

Key Contacts

Shane Kelleher Partner

John O'Connor Partner

John Aherne Partner

Related Practice Areas