21 February 2024
Banks outsource certain services to take advantage of lower costs, more flexibility and greater efficiency as well as to optimise the use of their own resources and expertise. However, outsourcing comes with risks that banks should assess thoroughly to ensure business continuity and operational resilience and to limit losses and disruptions. In line with the supervisory priorities, ECB Banking Supervision is strongly committed to build robust operational resilience frameworks. Supervised institutions need to tackle vulnerabilities stemming from their increasing operational reliance on third-party providers, taking into account the growing complexity of supply chains and potential concentration risks.
Since 2022, the ECB has collected annually the outsourcing registers of all its supervised banks. This is based on the requirements of the European Banking Authority (EBA) Guidelines on outsourcing arrangements (EBA/GL/2019/02), which highlight the need for sound risk management frameworks to assess, manage and mitigate outsourcing risks.
In this article, the ECB is sharing the main highlights from the 2023 data collection to help banks gain a deeper understanding of current outsourcing practices and trends and to support them in making risk assessments and peer comparisons.
Increased outsourcing, including from third-country providers
The data show that banks are increasingly using third-party providers to support their operations. The number of outsourcing contracts has increased markedly over recent years and so has the amount budgeted by banks for their outsourcing strategies, especially for the outsourcing of critical functions.
Even though a growing number of external providers are offering their services within the EU, more than 30% of the total outsourcing budget of significant banks is concentrated on ten providers, most of which are headquartered outside the EU (mainly in the United States). This relatively short list of major providers has remained rather stable in recent years, although banks’ reliance on a few large providers is potentially leading to idiosyncratic and systemic concentration risks.
While IT-related outsourcing is widespread as almost all significant institutions outsource some IT services, banks also outsource many other functions, including critical functions. For instance, more than 80 significant banks outsource critical payment and administrative services, and more than half of the banks outsource some of their lending and investment services.
From all contracts with external providers covering critical functions about 50% concern time-critical activities. Around 20% cannot be reintegrated in the banks in case of issues, and around 5% cannot be substituted, for example, through other providers.
The location of third-party service providers’ headquarters and the country from which the services are provided can be another risk driver for banks. A total of 73 significant institutions are using critical services provided from non-EU countries: approximately 22% of all outsourced critical and extra-group services are offered from non-EU countries, predominantly from the United Kingdom and the United States, but also from Switzerland and India.
A related observation is banks’ increasing interest in services provided in the cloud. Almost all significant institutions use cloud services, and most of the providers are located outside the EU. Cloud services account for approximately 15% of all outsourcing contracts.
In view of the EU’s relatively strict data protection rules, it is worth noting that 70% of outsourcing contracts involve the processing of personal data, and more than 70 significant banks outsource such critical functions to providers outside the EU, like the United States, the United Kingdom and Switzerland.
Outsourcing risk management must improve
Given these developments, it is essential that banks assess and manage their outsourcing risks appropriately to ensure that the system as a whole remains resilient.
Moreover, sound risk assessments are not only warranted to protect against systemic risks, they are also essential to identify idiosyncratic risks, which may become relevant depending on the characteristics of the outsourcing arrangement and the outsourced function. The ECB therefore investigated banks’ risk controls and found that more than 10% of contracts covering critical functions are not compliant with the relevant regulations. In addition, over the last three years 20% of these non-compliant contracts have not been subject to a proper risk assessment and 60% have not been audited.
This is a clear sign that the banks concerned are not giving sufficient consideration to their outsourcing risks. ECB Banking Supervision will follow up on this to ensure that these banks comply with the regulations.
From January 2025, the application of the Digital Operational Resilience Act (DORA) will provide further instruments for the oversight of critical providers of IT services and will foster the harmonisation of rules to ensure that the entire financial system remains operationally resilient. At the same time, given banks’ high reliance on outsourcing, ECB Banking Supervision will continue to monitor all outsourcing arrangements that are particularly relevant or critical for banks and will thereby focus on specific aspects, such as risks associated with cloud outsourcing and concentration risks.
