Published date: 25 February 2019

Final Report on EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02)

These guidelines (with the exception of paragraph 63(b)) apply from 30 September 2019 to all outsourcing arrangements entered into, reviewed or amended on or after this date. Paragraph 63(b) applies from 31 December 2021.

Executive summary
Background
Guidelines on outsourcing
1. Compliance and reporting obligations (paras. 1-4)
Status of these guidelines (paras. 1-2)
Reporting requirements (paras. 3-4)
2. Subject matter, scope and definitions (paras. 5-12)
Subject matter (paras. 5-6)
Addressees (paras. 7-8)
Scope of application (paras. 9-11)
Definitions (para. 12)
3. Implementation (paras. 13-17)
Date of application (paras. 13-15)
Transitional provisions (para. 16)
Repeal (para. 17)
4. Guidelines on outsourcing (paras. 18-119)
Title I - Proportionality: group application and institutional protection schemes (paras. 18-25)
1 Proportionality (paras. 18-20)
2 Outsourcing by groups and institutions that are members of an institutional protection scheme (paras. 21-25)
Title II - Assessment of outsourcing arrangements (paras. 26-31)
3 Outsourcing (paras. 26-28)
4 Critical or important functions (paras. 29-31)
Title III - Governance framework (paras. 32-60)
5 Sound governance arrangements and third-party risk (paras. 32-34)
6 Sound governance arrangements and outsourcing (paras. 35-40)
7 Outsourcing policy (paras. 41-44)
8 Conflicts of interests (paras. 45-47)
9 Business continuity plans (paras. 48-49)
10 Internal audit function (paras. 50-51)
11 Documentation requirements (paras. 52-60)
Title IV - Outsourcing process (paras. 61-108)
12 Pre-outsourcing analysis (paras. 61-73)
12.1 Supervisory conditions for outsourcing (paras. 62-63)
12.2 Risk assessment of outsourcing arrangements (paras. 64-68)
12.3 Due diligence (paras. 69-73)
13 Contractual phase (paras. 74-99)
13.1 Sub-outsourcing of critical or important functions (paras. 76-80)
13.2 Security of data and systems (paras. 81-84)
13.3 Access, information and audit rights (paras. 85-97)
13.4 Termination rights (paras. 98-99)
14 Oversight of outsourced functions (paras. 100-105)
15 Exit strategies (paras. 106-108)
Title V - Guidelines on outsourcing addressed to competent authorities (paras. 109-119)
5. Accompanying documents
5.1 Draft cost-benefit analysis/impact assessment
5.2 Feedback on the public consultation