EBA outsourcing guidelines and location – what you need to know (2022)

Banks and other financial institutions should undertake additional due diligence where the service or data they are outsourcing will be located outside the EU. Firms should in particular assess their arrangements with cloud providers located outside of the EU.

This due diligence can help firms comply with European Banking Authority (EBA) guidance that requires them to specify the location of the services and their data in contracts for critical or important outsourcings.

The EBA's guidelines on outsourcing have applied to all new outsourcing from 30 September 2019. Firms have until December 2021 to update all existing documentation to meet the standards, which address a wide range of issues – including sub-outsourcing.

Among the various new requirements brought in under the EBA's guidelines, firms must ensure the location from which that service "will be performed and/or where the relevant data will be kept and processed, including the possible storage location" is specified in all "critical or important" contracts. The service provider must also notify the firm if it proposes to change the location. This requirement is one of a number of contractual terms that the EBA views as essential for these business critical outsourcing arrangements.

Location is a core concern for the EBA from the point of view of its ability to supervise the outsourced activity. From a data security perspective in particular, the regulatory standards imposed on suppliers in third countries may not meet the robust standards expected of European banks and financial institutions.

It is worth remembering that, while the contractual requirements on location are limited to the "critical or important" outsourcing arrangements, the guidelines' record keeping requirements apply across the board to all outsourcing arrangements firms put in place. Firms must keep a record of the country from which the service is performed, including the location of the data. For that reason, firms should consider including a contractual obligation on a service provider to notify the firm of any change to the location of the services or data in all outsourcing contracts so that the firm's records are kept accurate throughout the outsourcing.

Broad category of data

Firms will already be familiar with requirements to ensure that the location of personal data is clearly defined in a contract under the General Data Protection Regulation (GDPR). However, the EBA guidelines are broader and require the contract to include the location details of all data processed by a supplier on behalf of the regulated institution where there is an outsourcing of a critical or important function.

If the service provider processes data across different regions, for example in a primary data centre in the UK and a back-up centre in Ireland, then both locations should be listed. In addition, firms should consider whether the service provider uses a sub-contractor to process data on its behalf, and if it does, the location of the sub-contractor and its processing activities should be included as well.

(Video) New EBA Guidance on Outsourcing

Exact location of a data

The prospect of disclosing the location of a data centre will naturally raise concerns from a security perspective. After some feedback on this point during the EBA's initial consultation, the guidelines were clarified so that only the country or region must be recorded, not the precise location of the data. Therefore, the location of the data can be set out in broad terms to a country or region, for example, 'the EU'.

Due diligence

Before any outsourcing commences, the guidelines require firms to undertake a pre-outsourcing analysis. This requires, amongst other things, a risk assessment of the potential additional risks associated with the location of the service or data. The EBA expects firms to factor into their risk assessments additional safeguards where the service provider is located in a country based outside of the EU. For example, the firm should consider the potential difficulty in accessing the data for the purpose of oversight and audit – by both the firm and its regulators – and enforcing a court judgment in that service provider's location.

The location of data and the assessment of the risk in a particular location is not a one-off compliance measure. The location should be documented in the firms' outsourcing register and regularly reviewed and assessed to ensure ongoing compliance in light of any change in legal or political circumstance.

Locations outside of the EU

Countries that are located outside of the EU are considered to be 'third countries'. The EBA has said: "With regard to outsourcing to service providers located in third countries, financial institutions are expected to take particular care that compliance with EU legislation and regulatory requirements (e.g. professional secrecy, access to information and data, protection of personal data) is ensured and that the competent authority is able to effectively supervise financial institutions". Firms will have to require outsourced service providers to comply with confidentiality and GDPR obligations that are equivalent to EU standards and ensure that regulators can exercise their rights of access and audit at the premises from which the services are provided.

In addition, the EBA requires institutions to "take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct". In particular, where the service provider and their sub-contractors are based in a third country , firms should be satisfied that the service provider is acting in an ethical and socially responsible manner and adheres to international standards on human rights, environmental protection and appropriate working conditions, including the prohibition of child labour.

(Video) Key changes in the Finalised EBA Guidelines on Outsourcing

This obligation applies to all outsourcings and will require the firm to ensure that the service provider is compliant with these international and EU legal requirements and with any internal policies or codes of conduct that the firm has in place. With existing arrangements, it may be very difficult for a service provider to renegotiate terms with their subcontractors to meet this requirement.

Contractual challenges outsourcing to cloud providers in third countries

The additional contractual requirements that firms now have to put in place may cause a compliance issue where firms are outsourcing to small cloud providers located outside of the EU.

The low cost cloud model does not easily accommodate individual customers' specific requirements, even where these flow from a sector wide regulatory regime. Indeed, the many benefits that cloud services can offer are often taken on the understanding that there will be very little room for the negotiation of contractual terms or take on of additional risk. Many cloud providers in third countries will simply not be able to change their processes or internal policies to meet the EBA guidelines.

(Video) EBA Outsourcing Guidelines: a major shift in outsourcing governance - are you ready?
Special Report Banking on Cloud

With this in mind, a number of the larger cloud services providers are now well versed in the contractual requirements of the EBA guidelines and are now looking to get ahead of their customer's contractual remediation projects. As we saw with the application of GDPR in 2018, some cloud providers have updated their existing standard terms and conditions to incorporate their interpretation of the guidelines' requirements.

Business continuity issues and Covid-19

It goes without saying that Covid-19 will have a lasting impact on the approach taken to business continuity planning. With business continuity at the heart of the EBA's guidelines, it is important to consider whether a country's response to the pandemic has increased the risk of outsourcing services or data to that country. Firms should look at how certain countries have dealt with the pandemic, and what measures they are putting in place to prevent a resurge, as part of their risk based approach for existing and new outsourcing arrangements.

(Video) EBA Guidelines on Outsourcing

Additional reporting by Carolyn Lang of Pinsent Masons.

(Video) FinTech Operational Resilience and EBA Outsourcing Guidelines.


Who do the EBA outsourcing guidelines apply to? ›

The EBA Guidelines apply to: credit institutions and investment firms subject to the EU Capital Requirement Directive (2013/36/EU). These are banks, building societies and IFPRU investment firms; and. payment institutions and electronic money institutions.

What are the requirements for outsourcing? ›

In fact, the considerations are not unique to software development – they apply almost as well to any product or service you have:
  • Control of core competency. Don't outsource your core competency. ...
  • Intellectual property content. ...
  • Technology level. ...
  • Cost factors. ...
  • Product or services. ...
  • Creative or operational.
11 Jul 2012

Are EBA guidelines mandatory? ›

The Court also confirms that, while EBA guidelines are not legally binding, supervisory authorities and financial institutions must make every effort to comply with them, that supervisory authorities have to give reasons if they intend not to comply, and that national courts are expected to take EBA guidelines into ...

What is the EBA regulation? ›

EBA regulation and institutional framework | European Banking Authority. About UsThe EBA is an independent EU Authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector.

What is outsourcing risk assessment? ›

(1) Outsourcing risk is the risk posed to an insurer's business by non-performance, or poor performance, by a service provider of a function transferred to the service provider under a material outsourcing arrangement (within the meaning of CTRL).

How is outsourcing regulated? ›

National Regulations

US federal laws do not specifically regulate outsourcing transactions. Contract law is generally governed by state law, subject to any applicable federal laws (such as laws relating to intellectual property (IP) rights, immigration, export controls and bankruptcy).

What is the purpose of outsourcing? ›

Companies often outsource as a way to lower costs, improve efficiencies and gain speed. Companies that decide to outsource rely on the third-party providers' expertise in performing the outsourced tasks to gain such benefits.

What are the types of outsourcing? ›

A few of the main categories include:
  • Professional outsourcing.
  • IT outsourcing.
  • Manufacturing outsourcing.
  • Project outsourcing.
  • Process outsourcing.
  • Operational outsourcing.

What is the concept of outsourcing? ›

What Is Outsourcing? Outsourcing is the business practice of hiring a party outside a company to perform services or create goods that were traditionally performed in-house by the company's own employees and staff.

Who does the EBA regulate? ›

The European Banking Authority (EBA) is the regulatory agency that seeks to maintain stability in the European Union's banking industry. The EBA is an independent EU authority that is tasked with both the regulation and supervision of all banking entities located or operating in the European Union (EU).

What is the role of the EBA? ›

The EBA is an independent EU agency established in 2011 at the height of the financial crisis. Its objective is to contribute to financial stability across the EU and safeguard the integrity, efficiency and orderly functioning of the EU banking sector.

What is the difference between ECB and EBA? ›

The European Central Bank (ECB) ensures that banks follow the rules set forth by the EBA, which runs annual transparency exercises and stress tests on more than 100 EU banks. This involves cultivating fiscal data on a bank's capital, risk-weighted assets (RWA), recorded profits and losses, market risk, and credit risk.

Where is EBA located? ›

The European Banking Authority (EBA) is a regulatory agency of the European Union headquartered in Paris.

What are regulatory reporting requirements? ›

Regulatory reporting is the submission of data to a relevant authority in order to demonstrate compliance with the necessary regulatory provisions. In simpler terms, it is the process businesses and individuals must continually go through to show they are following all the rules.

What is EBA stress test? ›

EBA's role in stress testing

To this end, the EBA is mandated to monitor and assess market developments as well as to identify trends, potential risks and vulnerabilities stemming from the micro-prudential level. One of the primary supervisory tools to conduct such an analysis is the EU-wide stress test exercise.

How do you manage outsourcing risks? ›

Requirements Definition. Vendor Selection and Due Diligence. Contract Negotiation and Implementation. Ongoing Monitoring.

What is 3rd Party Risk Management? ›

Third-party risk management (TPRM) is a form of risk management that focuses on identifying and reducing risks relating to the use of third parties (sometimes referred to as vendors, suppliers, partners, contractors, or service providers).

What is a material outsourcing arrangement? ›

material outsourcing means any outsourcing arrangements for which the estimated annual expenditure is likely to exceed 5% of total expenditure incurred on outsourcing activities in the previous financial year will be treated as material.

What is chain outsourcing? ›

Outsourced supply chain management refers to hiring a third-party logistics (3PL) company to manage, improve and optimize the supply chain. This allows ecommerce businesses to delegate storage and time-consuming ecommerce fulfillment tasks while saving money and improving their supply chain velocity.

Is outsourcing illegal in America? ›

There are no national laws or specific national regulations that regulate outsourcing transactions generally or in relation to particular types of outsourcing transactions.

What are the 5 benefits of outsourcing? ›

Advantages of outsourcing
  • Improved focus on core business activities. ...
  • Increased efficiency. ...
  • Controlled costs. ...
  • Increased reach. ...
  • Greater competitive advantage. ...
  • Offshore outsourcing issues.

What are the four main reasons to outsource? ›

Reduce and control costs of operation (this usually the main reason). Improve the company's focus. Liberate inner sources for new purposes. Increase efficiency for some time-consuming functions that the company may lack resources for.

What are the benefits and risks of outsourcing? ›

The Pros And Cons Of Outsourcing
  • You Don't Have To Hire More Employees. When you outsource, you can pay your help as a contractor. ...
  • Access To A Larger Talent Pool. When hiring an employee, you may only have access to a small, local talent pool. ...
  • Lower Labor Cost. ...
  • Lack Of Control. ...
  • Communication Issues. ...
  • Problems With Quality.
17 Jul 2017

What are the 5 outsourcing strategies? ›

5 Outsourced Strategies An Organisation Must Consider
  • Customer Service Outsourcing. ...
  • Finance & Accounting Outsourcing. ...
  • Catalogue Management Outsourcing. ...
  • Outbound Sales For Growth. ...
  • Back Office Outsourcing.
11 Oct 2021

What are the two classifications of outsourcing? ›

Types of process outsourcing

Knowledge process outsourcing (KPO). This deals with outsourcing knowledge development for product improvements, such as research and data analysis. Recruitment process outsourcing (RPO).

What is the best example of outsourcing? ›

Advertising, office and warehouse cleaning, and website development are the best examples of outsourcing. Most business owners delegate authority to outsourced specialists when it comes to bookkeeping, maintenance, recruitment. This helps enterprises to focus most of their resources on the main activity.

What is another word for outsourcing? ›

Outsourcing Synonyms - WordHippo Thesaurus.
What is another word for outsourcing?
1 more row

What company is an example of outsourcing? ›

Alibaba is another example of companies that outsource, but unlike Amazon and eBay, Alibaba is based in China, which makes the challenges of outsourcing somewhat different. In most cases, companies that outsource do so based on cost. Often this is to lower-cost countries like India, China, and the Far East.

Is the EBA a supervisor? ›

The European Banking Authority (EBA) is the micro-prudential supervisory authority for the banking sector in the European Union and forms part of the European System of Financial Supervision (ESFS).

What does EBA stand for in business? ›

Enterprise bargaining is a legislated process of negotiation that occurs between the employer, employees and their bargaining representatives (usually a Trade Union) with the specific goal of creating an enterprise agreement. The duration of Enterprise Agreements varies from between one to four years.

Is the EBA part of the ECB? ›

The ECB is subject to technical standards developed by the European Banking Authority (“EBA”) and adopted by the European Commission, and to the EBA's European Supervisory Handbook.

What is European banking Association? ›

About UsThe EBA is an independent EU Authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector.

Are EBA opinions binding? ›

The EBA develops draft BTS which are finally endorsed and adopted by the European Commission. Contrary to other documents such as Guidelines or Recommendations, the BTS are legally binding and directly applicable in all Member States.

Is ECB a regulator? ›

The ECB Executive Board enforces the policies and decisions of the Governing Council, and may direct the national central banks when doing so. The ECB has the exclusive right to authorise the issuance of euro banknotes.

What is Corep regulatory reporting? ›

COREP is the standardized reporting framework for CRD reporting requirements. All BIPRU companies including banking firms, investment companies, and building societies are required to report under COREP. The mandate covers market risk, operational risk, credit risk, capital adequacy ratios, and own funds.

What is the Emergency Banking Act of 1933? ›

The Emergency Banking Act was a federal law passed in 1933. Signed into law by President Franklin D. Roosevelt (D) on March 9, 1933, the act granted the president, the comptroller of the currency, and the secretary of the treasury broader regulatory authority over the nation's banking system.

What is EBA mean in Cambodia? ›

The preferential treatment enjoyed by Cambodia under “Everything But Arms” (EBA) – the EU's trade arrangement for Least Developed Countries – is now temporarily lifted due to serious and systematic concerns related to human rights ascertained in the country.

Who created EBA? ›

The EBA was introduced in 2010 by the European Parliament. It came to replace the previous Committee of European Banking Supervisors (CEBS). The EBA was formally established on January, 1 2011 as part of the European System of Financial Supervision (ESFS).

Where is the fusiform body area? ›

The FBA is located on the ventral surface of the brain, on the lateral posterior surface of the fusiform gyrus.

What are regulatory compliance requirements? ›

Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business processes. Violations of regulatory compliance often result in legal punishment, including federal fines.

What are the goals of regulations? ›

There are four primary goals of regulation: restrictive regulation, reactive regulation, proactive regulation, and transparent regulation.

What are the first line roles in regulatory reporting? ›

The first line: Functions that own the risk. The second line: Risk and compliance teams. The third line: Functions that provide oversight, including internal and external audit.

How often is EBA stress test? ›

Every two years the EBA carries out EU-wide stress tests in cooperation with the ECB, the European Systemic Risk Board (ESRB) and the national supervisory authorities. The sample included in the test covers the largest significant banks supervised directly by the ECB.

What is the stress test? ›

A stress test usually involves walking on a treadmill or riding a stationary bike while your heart rhythm, blood pressure and breathing are monitored. Or you'll receive a drug that mimics the effects of exercise.

What is the difference between load testing and stress testing? ›

Load testing and stress testing are both types of performance testing, which check how your application performs when many people use it at once. While load testing simulates real-life application load, stress testing tests application performance at peak times.

When did the EBA guidelines enter into force? ›

The EBA Guidelines will enter into force on 30 September 2019 and contain some transitional periods for implementing a register of all outsourcing arrangements and to agree on cooperation agreements between competent authorities or to reintegrate outsourced functions or move them to other service providers, if the ...

What is an outsourcing policy? ›

Outsourcing involves the use of a third party service provider in any number of operational functions to perform ongoing activities (including agreements for a limited period), that would normally be undertaken by [LEP] personnel. This policy is designed to manage the risks associated with outsourcing agreements. Scope.

What is a material outsourcing arrangement? ›

material outsourcing means any outsourcing arrangements for which the estimated annual expenditure is likely to exceed 5% of total expenditure incurred on outsourcing activities in the previous financial year will be treated as material.

What is an outsourcing arrangement? ›

In most instances, a firm would be outsourcing when they are involved in an arrangement where a service provider performs a process, service or activity on behalf of a firm which the firm would otherwise carry out itself.

What are the 3 main factors to consider in determining AML risk? ›

Most Popular Insights. Customer risk-rating models are one of three primary tools used by financial institutions to detect money laundering. The models deployed by most institutions today are based on an assessment of risk factors such as the customer's occupation, salary, and the banking products used.

Which three main risk factors are used for AML risk rating? ›

Size of a business and transaction. Customer type. Types of products and services sold to customers. Location.

What are high risk industries for money laundering? ›

Common examples include, but are not limited to, the following:
  • Convenience stores.
  • Restaurants.
  • Retail stores.
  • Liquor stores.
  • Cigarette distributors.
  • Privately owned automated teller machines (ATM).
  • Vending machine operators.
  • Parking garages.

Which is the best example of outsourcing? ›

Advertising, office and warehouse cleaning, and website development are the best examples of outsourcing. Most business owners delegate authority to outsourced specialists when it comes to bookkeeping, maintenance, recruitment. This helps enterprises to focus most of their resources on the main activity.

Why is outsourcing important? ›

Outsourcing non-core activities can improve efficiency and productivity because another entity performs these smaller tasks better than the firm itself. This strategy may also lead to faster turnaround times, increased competitiveness within an industry, and the cutting of overall operational costs.

What is outsourcing and its benefits? ›

Outsourcing is a common practice of contracting out business functions and processes to third-party providers. The benefits of outsourcing can be substantial - from cost savings and efficiency gains to greater competitive advantage.

What is the difference between insourcing and outsourcing? ›

Outsourcing is the process of hiring an outside organization that is not affiliated with the company to complete specific tasks. Insourcing, on the other hand, is a business practice performed within the operational infrastructure of the organization.

What is a stressed exit? ›

A stressed exit is withdrawing from an outsourcing arrangement following the failure or insolvency of the service provider. A non-stressed exit is moving away from an agreement in a more planned and managed way due to strategic, commercial or performance reasons.

Is outsourcing the same as third party? ›

Outsourcing is a business practice in which a company hires a third-party to perform tasks, handle operations or provide services for the company.

What are the types of outsourcing? ›

A few of the main categories include:
  • Professional outsourcing.
  • IT outsourcing.
  • Manufacturing outsourcing.
  • Project outsourcing.
  • Process outsourcing.
  • Operational outsourcing.


1. Keynote – Introduction to EBA Guidelines on loan origination and monitoring
(Sthlm Fintech Week)
2. Outsourcing Guidelines
(Kyle J. Brost)
3. Deloitte expert podcast on the Outsourcing Circular
(Deloitte Luxembourg)
4. What does vendor and contract management compliance mean: EBA and EIOPA explained
5. Outsourcing / Contracting
(Sairo Law Global)
6. PRA – new rules on outsourcing and third-party risk management

Top Articles

Latest Posts

Article information

Author: Merrill Bechtelar CPA

Last Updated: 09/19/2022

Views: 6364

Rating: 5 / 5 (50 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: Merrill Bechtelar CPA

Birthday: 1996-05-19

Address: Apt. 114 873 White Lodge, Libbyfurt, CA 93006

Phone: +5983010455207

Job: Legacy Representative

Hobby: Blacksmithing, Urban exploration, Sudoku, Slacklining, Creative writing, Community, Letterboxing

Introduction: My name is Merrill Bechtelar CPA, I am a clean, agreeable, glorious, magnificent, witty, enchanting, comfortable person who loves writing and wants to share my knowledge and understanding with you.