The European Central Bank (ECB) is emphasizing the need for banks to enhance their management of outsourcing risks, particularly regarding the processing of personal data. As part of its supervisory priorities for 2024, the ECB highlights that institutions must address vulnerabilities resulting from their increasing operational dependence on third-party providers, including the complexity of their supply chains and potential concentration risks.
The central bank has shared findings from a 2023 data collection exercise covering all supervised banks, which revealed a significant rise in both the number of outsourcing contracts and the budgets allocated to outsourcing, especially for critical functions.
Despite a growing number of external service providers within the EU, over 30% of the total outsourcing budget of major banks is concentrated among just ten providers, primarily located outside the EU. While IT outsourcing is prevalent, more than 80 significant banks delegate critical payment and administrative services, and over half of them outsource some lending and investment services.
Of all contracts with external providers managing critical functions, approximately 50% involve time-sensitive activities, around 20% could not be brought back in-house if problems arose, and about 5% could not be substituted by another provider.
Additionally, the ECB points out that the headquarters and originating countries of third-party service providers introduce further risk elements for banks. Currently, 73 major institutions utilize critical services from non-EU countries, with about 22% of all outsourced critical services sourced from outside the EU, predominantly the United Kingdom, the United States, Switzerland, and India.
There is also a growing trend among banks towards cloud services, with nearly all significant institutions leveraging these solutions, mainly from providers based outside the EU, representing about 15% of all outsourcing contracts.
In light of the EU’s stringent data protection regulations, the ECB notes that 70% of outsourcing agreements involve personal data processing, with more than 70 significant banks outsourcing such critical functions to non-EU providers. The central bank stresses the importance of proper assessment and management of outsourcing risks to maintain the resilience of the financial system.
The ECB has also reviewed banks’ risk controls and found that over 10% of contracts involving critical functions do not comply with relevant regulations. Over the past three years, 20% of these non-compliant contracts were not subject to an appropriate risk assessment and 60% were not audited. The regulator expressed concern that the banks involved are not adequately addressing their outsourcing risks and intends to follow up to ensure compliance with regulatory standards.