The European Central Bank is warning banks that their management of outsourcing risk must improve, with a stringent focus on the processing of personal data.
As part of its supervisory priorities for 2024, the ECB says institutions need to tackle vulnerabilities stemming from their increasing operational reliance on third-party providers, taking into account the growing complexity of supply chains and potential concentration risks.
To reinforce its effort, the central bank has shared the highlights of a 2023 data collection exercise across all supervised banks which shows that the number of outsourcing contracts has increased markedly over recent years and so has the amount budgeted by banks for their outsourcing strategies, especially for the outsourcing of critical functions.
Even though a growing number of external providers are offering their services within the EU, more than 30% of the total outsourcing budget of significant banks is concentrated on ten providers, most of which are headquartered outside the EU.
While IT-related outsourcing is widespread, more than 80 significant banks outsource critical payment and administrative services, and more than half of the banks outsource some of their lending and investment services.
From all contracts with external providers covering critical functions about 50% concern time-critical activities. Around 20% cannot be reintegrated in the banks in case of issues, and around five percent cannot be substituted, for example, through other providers.
The location of third-party service providers’ headquarters and the country from which the services are provided can be another risk driver for banks, says the ECB. A total of 73 significant institutions are using critical services provided from non-EU countries: approximately 22% of all outsourced critical and extra-group services are offered from non-EU countries, predominantly from the United Kingdom and the United States, but also from Switzerland and India.
A related observation is banks’ increasing interest in services provided in the cloud. Almost all significant institutions use cloud services, and most of the providers are located outside the EU. Cloud services account for approximately 15% of all outsourcing contracts.
In view of the EU’s relatively strict data protection rules, the ECB notes that 70% of outsourcing contracts involve the processing of personal data, and more than 70 significant banks outsource such critical functions to providers outside the EU.
States the Central Bank: "Given these developments, it is essential that banks assess and manage their outsourcing risks appropriately to ensure that the system as a whole remains resilient."
The ECB also investigated banks’ risk controls and found that more than 10% of contracts covering critical functions are not compliant with the relevant regulations. In addition, over the last three years 20% of these non-compliant contracts have not been subject to a proper risk assessment and 60% have not been audited.
"This is a clear sign that the banks concerned are not giving sufficient consideration to their outsourcing risks, says tthe regulator. "ECB Banking Supervision will follow up on this to ensure that these banks comply with the regulations."