How to Identify Outsourcing in Banking? A Practical Guide for Financial Institutions
Outsourcing in banking is subject to strict regulations, and its correct classification is key to avoiding legal and supervisory risks. This article explains when a collaboration with a supplier becomes outsourcing and how to manage such a relationship in compliance with regulations.
Banks and cooperative banks face ever-increasing regulatory pressure. They must regularly review and adapt their operations to national and European standards, including EBA guidelines, the DORA regulation, and KNF recommendations. One area that regulators watch particularly closely is outsourcing. This model brings financial institutions a range of benefits, from cost reduction to freeing up more resources for their core business activities. The challenge, however, lies in correctly classifying cooperation with vendors. Mistakes in this area can lead to legal and financial consequences, from regulatory fines to the need for immediate termination of a vendor agreement.
What Is Outsourcing According to the EBA?
According to the European Banking Authority’s guidelines (EBA/GL/2019/02), outsourcing is any agreement under which a bank delegates a service or task to an external company that it would otherwise perform itself.
For such cooperation to be considered outsourcing, it must meet the following criteria:
- Repetitiveness – the service is not a one-off activity but is performed on a recurring or ongoing basis.
- Positive outcome of the test – meaning an assessment confirms that the given function (or part of it) could be carried out by the institution itself, even if it has not done so in the past.
It should be noted that the concept of outsourcing under the EBA Guidelines is broader than outsourcing as defined in Article 6a of the Polish Banking Law. National regulations govern only part of the issues covered by outsourcing in the EBA’s sense. In practice, this means that the EBA Guidelines should be treated as the primary regulatory framework. The exception applies when national laws are more stringent—imposing stricter requirements or greater limitations on a bank’s freedom of action. In such cases, national regulations take precedence.
Outsourcing vs. Association-Based Outsourcing
In the classic outsourcing model, a bank delegates specific tasks to an external entity with which it has no capital or organizational ties. For cooperative banks, however, the situation is more complex as they operate within associations, which creates an additional mechanism known as association-based outsourcing.
Association-based outsourcing occurs when a cooperative bank uses the services of its associating bank or another institution within the same structure. Generally, if the service provided by the associating bank directly results from obligations defined in the association agreement, it is not considered outsourcing.
However, if the associating bank provides services to a member bank that are not specified in the agreement, the cooperative bank must assess whether the cooperation meets the outsourcing criteria outlined above. If it does, the general outsourcing regulations apply.
In practice, this means that simply being part of an association does not exempt a cooperative bank from the obligation to review each service for compliance with outsourcing regulations. Depending on the outcome of this assessment, the bank may be required to:
- enter into a separate outsourcing agreement with the associating bank,
- fulfill reporting obligations (notification, registration, risk assessment),
- subject the service to a compliance audit.
What Must Be Included in an Outsourcing Agreement?
If cooperation with a vendor is classified as outsourcing, the bank is required to sign a written agreement. This is a fundamental obligation under both national and European regulations.
When the subject of the agreement involves acquiring ICT services, the scope must be expanded to include additional elements that are critical for operational security and business continuity. Beyond the standard provisions on party liability or termination periods, the agreement should specify, among other things:
When Is Cooperation with a Vendor Not Considered Outsourcing?
Not every contract with an external company falls under outsourcing regulations. To provide greater clarity, the EBA Guidelines outline specific examples of cooperation that are not considered outsourcing.
For instance, an arrangement is not considered outsourcing when:
- The service is legally required, such as the audit of financial statements by a certified auditor.
- The vendor provides access to market information, e.g., data from providers such as Bloomberg, Moody’s, Standard & Poor’s, or Fitch.
- The service is specialized but unrelated to the bank’s operational activities—such as an architect’s consultation, a legal opinion, or representation before courts or administrative bodies.
- The service is purely technical or auxiliary in nature, e.g., cleaning, company car servicing, reception or secretarial support, supply of office materials, equipment, or utilities.
In practice, this means that the key factors in assessing whether a given cooperation is subject to outsourcing regulations are its impact on the bank's operational activities and the degree to which the service is integrated with its processes.
When do we deal with banking outsourcing?
CHECKLIST: “Is This an Outsourcing Service?”
To properly assess whether a given service is subject to outsourcing regulations, it is worth conducting an internal analysis based on several key questions:
- Is the service recurring in nature (cyclical, ongoing)?
- Does it impact banking processes (e.g., operations, customer service, security)?
- Does it involve customer data, ICT infrastructure, or transactional systems?
- Could its unavailability or failure create operational or legal risks for the bank?
- Could the bank perform this service internally?
If the answer to most of these questions is “yes,” there is a strong probability that the arrangement qualifies as outsourcing. In such a situation, an appropriate agreement should be concluded with the provider and all required supervisory mechanisms implemented.
Key Principles for Safe Cooperation with Vendors
Compliance with outsourcing regulations is not only a legal obligation but also an element of responsible operational risk management. In the cooperative banking sector, where many services are delivered through association-based models, it becomes particularly important to carefully analyze the nature of each engagement, whether with external providers or institutions operating within the same association.
Proper service classification, execution of an appropriate agreement, and ongoing oversight of its performance are the fundamental pillars supporting regulatory compliance with the DORA regulation, EBA Guidelines, and KNF recommendations.