
The European Central Bank (ECB) is cautioning banks about the need to enhance their management of outsourcing risks, particularly concerning the processing of personal data.

In its supervisory agenda for 2024, the ECB emphasizes the necessity for institutions to address vulnerabilities arising from their growing dependence on third-party providers. This includes considering the escalating complexity of supply chains and potential concentration risks.

To bolster this initiative, the central bank has disclosed insights from a data collection exercise conducted in 2023 across all supervised banks. The findings reveal a significant surge in the number of outsourcing contracts in recent years, along with an increase in banks' budget allocations for outsourcing strategies, especially concerning critical functions.

Despite the proliferation of external providers operating within the EU, more than 30% of significant banks' total outsourcing budget is directed towards ten providers, many of which are based outside the EU.

While IT-related outsourcing is prevalent, over 80 significant banks outsource critical payment and administrative services, with more than half also outsourcing some lending and investment services.

Approximately half of all contracts with external providers covering critical functions involve time-critical activities. Around 20% of these contracts cannot be reintegrated within banks in case of issues, and roughly 5% cannot be substituted, highlighting potential vulnerabilities.

The ECB underscores that the location of third-party service providers' headquarters and the countries from which services are provided can pose additional risks for banks. A considerable number of significant institutions rely on critical services from non-EU countries, primarily the United Kingdom, the United States, Switzerland, and India.

The ECB also notes a growing interest among banks in cloud services, with almost all significant institutions utilizing such services, predominantly sourced from providers outside the EU. Cloud services represent approximately 15% of all outsourcing contracts.

Given the EU's stringent data protection regulations, the ECB highlights that 70% of outsourcing contracts involve the processing of personal data, with over 70 significant banks outsourcing critical functions to providers located outside the EU.

In light of these developments, the ECB stresses the importance of banks adequately assessing and managing their outsourcing risks to maintain overall system resilience.

Furthermore, the ECB's investigation into banks' risk controls reveals that more than 10% of contracts covering critical functions are non-compliant with relevant regulations. Moreover, over the past three years, 20% of these non-compliant contracts have not undergone proper risk assessment, and 60% have not been audited.

This indicates a lack of sufficient consideration for outsourcing risks among the concerned banks, according to the regulator, which pledges to follow up to ensure compliance with regulations through ECB Banking Supervision.
