24/02/2025

Last week, the European Central Bank (“ECB”) released its horizontal analysis of the most recent Outsourcing Registers submitted by significant institutions (SIs). The report highlighted the continued dominance of IT-related outsourcing arrangements and recognised that SIs still have work to do to address deficiencies in the governance of these arrangements, as well as in the areas of IT Security and the management of cyber risks.

Key Trends Identified

The ECB report highlights the main developments in the types of outsourcing arrangements of SIs based on the Outsourcing Registers submitted in December 2024. While it is important to consider the nature, scale and complexity of the entities in scope of the review, the developments highlighted in this report have been observed across the wider financial services industry, especially as firms increase their adoption of technology-reliant operating models and work to comply with the EU’s Digital Operational Resilience Act (“DORA”).

The key developments identified within the report can be categorised under the following headings:

  • Types of Outsourcing: Between 2022 and 2023, the reliance on outsourced arrangements, particularly those with external third-party providers, has continued to increase. Contracts for IT Services continue to dominate, representing c.47% of all outsourcing arrangements in place. In addition, where SIs are using Cloud Services, more than 51% of those contracts are in place to support critical or important functions.
  • Sub-Outsourcing: There has been an increase in the volume and complexity of chain-outsourcing arrangements with an average of four sub-contractors identified for each primary contract. In reviewing this analysis, it is important to note that firms only need to identify sub-contractors for critical or important arrangements in their Outsourcing Register; however, long and complex chain outsourcing arrangements amplify third-party risk and have a significant impact on the time and effort required to monitor the outsourcing arrangement.
  • Substitutability and Reintegration: Around 82% of critical or important outsourcing arrangements are difficult or impossible to substitute, and 95% of that 82% are difficult or impossible to reintegrate. Given the importance of digital and operational resilience, these figures emphasise the need for robust and comprehensive business continuity and exit planning. These plans must be regularly tested to make sure that firms can continue to operate in case of a service disruption or outage.
  • Non-EU Dependencies: There has been a significant rise in the volume of outsourcing arrangements with service providers located outside of the EU, more specifically in the UK, US, India, Switzerland and Serbia. In light of growing geopolitical tensions and a widening divergence between US and EU regulatory regimes, firms will need to take into consideration any impacts on the third-party risks arising from these arrangements as well as how they will ensure the resilience of their entities more broadly.
  • Concentration Risk: Half of the total outsourcing budget of SIs in 2023 was spent on services from the top 30 external providers. Concentration risk remains a complex topic, not least because the measures used to monitor concentration may differ between service providers (e.g. % of revenue, number of employees, number of trades etc.). However, when it comes to IT Outsourcing, firms are faced with the reality that there may be a small number of IT Service Providers dominating the market for a particular service, which limits the diversification options available to firms.

What’s Next?

The financial services industry is changing rapidly as firms embrace new financial and regulatory technologies. While these FinTech and RegTech technologies are undoubtedly creating efficiencies in the way financial entities operate, they are also amplifying existing risks and introducing new ones for both firms and their regulators who are charged with supervising how firms address the related risks. It therefore remains vital that firms properly manage their IT, cyber and third-party risks and ensure they are well positioned to recover from an IT service outage or disruption.

Arthur Cox LLP was delighted to announce the appointment of Rhiannon Monahan as an Associate Director within the Governance and Consulting Services Group in June 2024. Rhiannon brings a depth of industry experience in the area of third-party management and outsourcing governance, having previously acted as Head of Outsourcing Oversight to multiple entities within the Irish financial services industry.

Combining Rhiannon’s practical insights on how best to identify, manage and risk assess IT Outsourcing with the legal and regulatory expertise of the Arthur Cox Technology and Innovation Group, Arthur Cox will be releasing a series of articles based on the key developments highlighted in the report and the practical ways in which firms can address the challenges arising from IT Outsourcing.