The EBA outsourcing guidelines are one of Europe's most detailed references for outsourcing risk. They apply to institutions within the guideline scope and are especially important for critical or important functions, outsourcing registers, cloud, due diligence, contracts, access and audit rights, sub-outsourcing, monitoring, and exit.
What the guidelines are trying to do
The EBA wants firms to remain in control when functions are outsourced, especially critical or important functions. Outsourcing should not impair governance, supervision, risk management, customer protection, data protection, auditability, or the ability to exit.
What they cover
- outsourcing policy and governance;
- assessment of critical or important functions;
- outsourcing register;
- pre-outsourcing analysis and due diligence;
- contract clauses and access, information, and audit rights;
- sub-outsourcing and data location;
- monitoring and exit strategies.
What teams need to do
Teams should maintain an outsourcing register that is useful for operating the program, not just for regulatory reporting. Each critical or important outsourcing arrangement should have a clear materiality rationale, owner, contract record, data and location profile, sub-outsourcing visibility, monitoring plan, issue record, and exit strategy.
Evidence to maintain
- Outsourcing policy and governance records.
- Critical or important function assessments.
- Outsourcing register.
- Due diligence and approval evidence.
- Contract review evidence and executed agreements.
- Sub-outsourcing, data, monitoring, issue, and exit evidence.
Common gaps
- Criticality decisions are not repeatable.
- The register is not connected to monitoring workflows.
- Cloud arrangements lack exit and concentration evidence.
- Sub-outsourcing chains are not refreshed after onboarding.
How Halbarad helps
Halbarad helps teams build and maintain the outsourcing register, collect diligence, map downstream providers, monitor changes, track remediation, and preserve the audit trail for critical or important functions.
Disclaimer
This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.