Outsourcing of IT Services in Fintech

3 mins read • Legal Writer • FINANCIAL REGULATION • 15 July 2025

For fintech companies, outsourcing to IT providers is often essential to drive innovation – from payment platforms and customer interfaces to data storage and cloud infrastructure. However, outsourcing within the financial sector is subject to specific regulatory frameworks that impose stringent requirements on both process and providers. A specialist fintech lawyer can be decisive in ensuring compliance from the outset.

A central framework is the EBA Guidelines on Outsourcing (EBA/GL/2019/02). These set detailed requirements for how affected fintech firms must assess, document and oversee external IT providers – particularly where the engagement concerns critical or important functions. The guidelines are formally titled the EBA Guidelines on outsourcing arrangements, and organisations commonly cite them as EBA/GL/2019/02.

When is the IT provider part of a critical function?

The EBA guidelines (EBA/GL/2019/02) apply to credit institutions, payment institutions and electronic money institutions. If an IT service is classified as a critical or important function under the guidelines – for example, operating payment systems – extensive requirements apply. Among other things, fintech firms must:

  • Identify risks and assess the provider’s capability and capacity.
  • Ensure a written agreement is in place that meets the regulatory requirements.
  • Maintain monitoring and evaluation mechanisms to follow up and assess the provider’s performance over time.

Favourable commercial terms are not enough – control, transparency and the possibility of supervision must be embedded throughout the relationship. These expectations run through the whole of the EBA Guidelines on outsourcing arrangements.

Controlling the IT provider – meeting the EBA’s requirements

The guidelines require that the fintech firm retains control over its own operations. The outsourcing agreement must therefore contain clear rights and obligations that enable continued supervision and governance. This includes, for example:

  • Audit rights and physical access to the provider’s premises, systems and data.
  • Control over any further outsourcing – the provider must not appoint sub-processors without approval.
  • Ongoing access to all relevant documentation and reporting.
  • Agreed exit strategies to secure transition on termination or in a crisis.

There are further requirements under other regimes that may be relevant when outsourcing. For example, transfers of personal data to third countries trigger specific obligations under the GDPR, which must also be addressed in the contract.

Practical guidance when procuring IT providers

Fintech firms should consider the following when outsourcing to IT providers under the EBA guidelines:

  • Assess whether the service is a critical or important function – i.e. whether a failure would materially affect business continuity, compliance, financial position or the quality of customer services.
  • Conduct thorough due diligence of the provider, including information security, regulatory compliance and operational capacity.
  • Ensure contractual terms meet EBA requirements on control, audit and notification, including robust monitoring and evaluation mechanisms.
  • Maintain a register of all outsourced activities – all critical functions and supporting records must be available to supervisory authorities.
  • Plan exit strategies during procurement, not after – so the business can continue without interruption, whether the service is brought back in-house or moved to a substitute provider.

Selecting the right IT provider is not only about technology and price; it is about meeting complex legal and regulatory requirements from day one. At Morling Consulting, our fintech lawyers help companies procure and negotiate agreements with IT providers in line with the EBA Guidelines on Outsourcing (EBA/GL/2019/02).