Insights paper: EU Financial Services Guidance for IT Outsourcing Regulation and Managing Third-Party Risk

Across the European Union (EU) financial services sector, there has been an increasing tendency to outsource activities to improve efficiency and flexibility and reduce costs. Of all the activities that firms are choosing to outsource IT has become the most prevalent, outsourcing to Cloud service providers has also gained importance (1).

The management body of each financial institution remains responsible for that institution and its activities at all times - European Banking Authority (EBA)

Whilst IT outsourcing can prove to be very beneficial to an organisation, relying on third-parties to provide critical or important functions brings additional risk and a responsibility to properly govern, manage and mitigate the associated risks.

Regulators are understandably concerned over the increasing reliance on third-parties and have proposed tighter rules for financial services firms wanting to outsource functions, with stricter and stronger rules for the outsourcing of essential operations such as IT. Regulators across the EU have made it clear that institutions must maintain responsibility for all outsourced functions and oversee and manage all risks.

To properly manage the risks associated with IT outsourcing and ensure compliance, financial services firms must first understand current EU regulation and then implement robust end-to-end risk management programmes which ensure compliance.

To support EU financial services organisations on their journey to compliance we have compiled the key EU regulations around IT outsourcing, highlighting any specific rules and guidance around business continuity and contingency planning for critical functions. In this paper, you’ll also find NCC Group’s best practice advice and recommended solutions for managing third-party risk and ensuring compliance.

Download the paper here

(1) Consultation on draft Guidelines on outsourcing (EBA/CP/2018/11)