Guidelines for Financial Institutions on Outsourcing of Third-party Services

Guidelines for Financial Institutions on Outsourcing of Third-party Services

In 2019, the European Banking Authority issued guidelines on outsourcing arrangements that concern banking and payment institutions. The guidelines reflect the rising use of cloud providers in the financial sector. The main goal is to create guidelines to regulate and harmonise the demands on financial institutions based on risk management.

Financial institutions must comply with the EBA Guidelines by December 2021 at the latest.

Key requirements

  • The institution must have an outsourcing strategy that defines all outsourcing phases, i.e. preparation, implementation and termination of third-party services.
  • The institution's dependency on outsourcing must be evaluated.
  • The outsourcing provider of third-party services must be evaluated in terms of risk.
  • The potential influence of an outsourcing setup on the organisation's operational risks must be assessed.
  • Guidelines and regular overviews of outsourcing must be in place.
  • An exit strategy must be defined for all functions that are deemed critical.


The guidelines do not only concern the financial institutions, but also the service providers. It is necessary for the financial institutions to transfer the requirements to the providers to ensure compliance with the EBA guidelines. Apart from necessary technical measures, this also includes greater demands on documentation and internal processes.

How can we help you?

BDO has created a methodology and a control framework for the evaluation of all EBA/GL/2019/02 guidelines and their transposition by the National Bank. The result of our services is an evaluation of compliance with the framework and preparation for or representation in regulatory proceedings.

Main contact persons