ECB on non-financial risks: severe conclusions from the annual analysis on outsourcing

The European Central Bank (ECB) issued an interesting article on February 21st, 2024. Since 2022, the ECB has collected the outsourcing registers of all significant institutions (SIs) within the Single Supervisory Mechanism (SSM) on an annual basis.

For the 2023 data collection, the ECB had 109 SIs in scope, and focused on the increasing reliance of European banks on outsourcing, the criticality of outsourced functions, the possibility to reintegrate or substitute outsourced services, and the reliance on providers outside the EU and on cloud service providers.

The ECB conclusions are severe on 6 key aspects:

1) Increasing dependency on third-party providers has been identified, with half of the outsourcing contracts covering critical functions,

2) Outsourced services relate mainly to ICT (Information and Communications Technology) but also to other relevant functions, e.g. payments and administrative services,

3) 50% of all extra-group critical contracts support time-critical functions, 20% are impossible to reintegrate and 5% are impossible to substitute,

4) Around 22% of critical extra-group outsourcing is to providers located in third countries (73 SIs), the top 5 being the UK, the US, China and India,

5) 108 SIs use cloud services: around 50% of contracts on cloud services cover critical activities, and providers are mainly located outside the EU/EEA,

6) Around 12% of all reported contracts are not compliant with EBA (European Banking Authority) guidelines, of which 60% were not subject to audit in the last three years, showing the need for better risk management and deep ECB supervision.

The forthcoming (January 2025) Digital Operational Resilience Act (DORA) aims to enhance oversight of critical IT service providers and harmonize regulations. In that context, ECB Banking Supervision pledges continued monitoring of outsourcing arrangements, with a focus on cloud outsourcing and concentration risks.

My personal take on this analysis is two-fold:

· These observations go beyond the banking sector and should be a call for insurance, asset management, but also other industries to update their outsourcing risk analysis,

· In the context of DORA, Internal Audit teams in Europe have a critical role in contributing to the analysis and measurement of the outsourcing risk exposure, especially on the “return ticket” (possibility to reintegrate).