Share with your friends

Outsourcing is an ECB priority

Outsourcing is an ECB priority

For banks, IT outsourcing risks are covered by a multitude of frameworks and standards.


Related content

Suited man with laptop in wire room

As part of the supervisory priorities for 2017, the European Central Bank (ECB) will initiate a thematic review of banks’ outsourced activities to assess how they are managing the associated risks. IT outsourcing activities will be a large and important part of this review.

This supervisory priority echoes the outcomes of the KPMG benchmark analysis on IT risks carried out in June 2016. The KPMG ECB Office analysis covers ten different European countries. The aim is to find out the main IT risk. IT outsourcing risks were the third most prevalent IT risks in the banking sector right behind cyber risks and data risks (quality, privacy, etc.).

What is IT outsourcing?

IT outsourcing comes in many forms. Some of the most common types of IT outsourcing are in systems development and maintenance, support to data centers operations, network administration, disaster recovery services, application hosting, and cloud computing. Outsourcing can involve the provision of IT capabilities and facilities by a single third party or multiple vendors located in the home country or abroad.

What risks IT outsourcing involve?

IT outsourcing can involve many types of risks. First of all, the bank runs the risk of receiving poor quality work due to the lack of skills on the vendor side or to the vendors’ high employee turnover rates. Thus, high-quality service could be compromised. Moreover, if the vendor does not document their work well, it would be difficult for the bank to ensure adequate and timely insourcing again. The bank also runs the risk of downtime during critical system failures, leading to potential loss of productivity. It may take days before a busy IT contractor can devote attention on the business problem and resolve the issues. Another important risk that a bank could run is the risk of the outsourcing company not implementing security measures therefore causing leaks of intellectual property or other private data.

The ECB’s last review

The ECB already carried out a thematic review on IT outsourcing risks in 2015 based on self-assessment questionnaires along with specific documents to be provided by supervised institutions. 

The ECB requested information about the IT budget and forecast of which outsourced IT and of which cloud-outsourced IT for both, “build-the-bank” as well as “run-the-bank”.

They also collected specific details on IT outsourcing contracts. If a bank had less than 50 contracts, it had to provide detailed information about all of them. If it had more than 50 contracts, the bank had to provide detailed information on the top 10-15 contracts with regards to criticality for business, the top 10-15 contracts with regards to highest sensitivity of data and the top 25-30 contracts according to size per year or above 5 million EUR.

On top of all this collected information, supervised institutions had to answer around 60 detailed questions on the governance and policies regarding IT outsourcing, selection of providers, prior risk assessment, monitoring and cloud computing. 

Existing Frameworks and standards

IT outsourcing risks in the banking sector are covered by different frameworks and standards, national and/or global requirements. The ITIL Framework (Information Technology Infrastructure Library) includes best practices for managing IT outsourcing. The Bank for International Settlement (BIS) released outsourcing guidance for financial services. Last but not least, the European Banking Authority (EBA), in its recently released ICT Guidelines, provides guidance to identify material IT outsourcing risks and controls to mitigate them.

Our view

Supervisors tend to focus more on the level of control of the outsourced activities, whereas banks are more concerned about losing core banking competencies and knowledge but also about increased IT risks as a result of digitization, tailored client services or process optimization which require outsourcing and cloud computing). Nevertheless, CIOs continue to outsource IT activities in line with the target operational model to generate significant financial and operational advantages. 

Leading practice in this field should encompass the internal control organization of major outsourcing projects with a focus on regulatory compliance, appropriate governance, risk management and the general organization of outsourcing process including internal control and pre/post implementation activities.

The main objective is to improve and streamline the internal control organization of banks’ major outsourcing projects. To this end, compliance with the principles and best practices defined in the previously mentioned frameworks and guidelines is recommended. Furthermore, industry best practice includes:

  • A comprehensive policy to guide the assessment of whether and how activities can be appropriately outsourced;
  • A comprehensive outsourcing risk management program to address the outsourced activities and the relationship with the service provider;
  • Outsourcing arrangements related to obligations to customers and regulators;
  • Due diligence in selecting third-party service providers;
  • Contracts that clearly describe all material aspects of the outsourcing arrangement, including the rights, responsibilities and expectations of all parties;
  • Contingency plans, including a plan for disaster recovery and periodic testing of backup facilities; and
  • Confidentiel information protection.

In light of the ECB’s thematic review, banks should be making every effort to implement the guidance and leading practices that are becoming the industry norm.

Connect with us


Want to do business with KPMG?


loading image Request for proposal

Stay up to date with what matters to you

Gain access to personalized content based on your interests by signing up today

Sign up today