Financial services news

EBA guidelines on outsourcing


Advantages of outsourcing

If implemented correctly, outsourcing can deliver significant results in terms of cost reduction, operating flexibility, scalability, and efficiency, while allowing banks and financial intermediaries to focus on their core activities.

Related risks and applicable regulation

Outsourcing an activity entails a number of risks (strategic, reputational, compliance, operating risks, etc.) that need to be evaluated and managed in each case.

To guide intermediaries towards stable and safe management of outsourced activities and, above all, to prevent the related risks, the EBA issued new guidelines on outsourcing (Guidelines on outsourcing, EBA/GL/2019/02), which have recently been fully implemented by the Bank of Italy. The provisions of the Bank of Italy have been effective since 23 September 2020 and apply to all outsourcing agreements signed, renewed or amended starting from that date. The provisions set out a plan with a range of objectives, leading up to complete adjustment by 31/12/2021.


Requirements

Under the new provisions, intermediaries must meet a range of requirements covering the whole outsourcing process: strategic and approach requirements, organizational and process requirements, and performance and control requirements.

In particular, the main requirements are:

  • Create an outsourcing function or appoint a dedicated employee (senior staff member)
  • Ensure adequate resources, in terms of both skills and number
  • Formalize and implement an outsourcing policy
  • Record the main characteristics of all outsourcing agreements in a dedicated register
  • Evaluate and manage the risk related to the activity to be outsourced and to the specific outsourcing agreements (including ICT risks, risks related to fintech and risks related to sub-outsourcing)
  • Identify, assess, and manage conflicts of interest, even those within the group
  • Adjust all outsourcing agreements by the end of 2021 to include the new provisions
  • Have a strategy and agreements in place that allow key or important outsourced functions to be transferred to another supplier, reintegrated or suspended
  • Prepare, maintain, and regularly test adequate operational continuity plans for key or important outsourced functions
  • Have control systems in place, with particular reference to the processing of personal or confidential data, to ICT risks and cybersecurity, and to compliance with performance and quality standards (service levels).

Our solutions: from the “gap analysis” to the full review of the outsourcing management framework

In our experience, outsourcing management systems often show weaknesses, critical issues and anomalies that expose intermediaries to significant risks.

Fields of action

We can support you and take effective action in many areas:

  1. Support with the strategic approach
  2. Implementation of outsourcing management and organization processes
  3. Interventions focussed on specific aspects or weaknesses
  4. Coordination of the adjustment plan
  5. On-site inspections

Our planning

Definition of the strategic approach to outsourcing

  • Policy definition
  • Risk analysis
  • Support with the “make or buy” choice

Definition of the optimal organizational structure: identification of the organizational structure in relation to regulatory requirements and to the characteristics of the client

Gap analysis & remediation plan: analysis of the current outsourcing management, identifying the gaps and the actions to be taken

Outsourcing management framework: implementation of the outsourcing management framework (policies, procedures, controls, register, contracts, etc.)

Identification and evaluation of providers: selection of providers and evaluation of their financial, technical, and management reliability

Management of contracts: review of contents, development and management of standards, monitoring and management of renewals, etc.

Monitoring of outsourced services

  • Preparation of KPIs and reporting
  • Assessment systems covering performance, timeliness, quality, and service availability measured against rules and policies, etc.

Registration: definition of the register content, collection and updating of information

Support with the management of outsourcing: coordination of outsourcing activities and the related monitoring on behalf of the Manager

Definition of control systems: definition and implementation of adequate control systems for the relevant aspects (privacy, ICT and cybersecurity, service levels)

Audit activities: definition and execution of an audit plan covering both internal and external (providers’) obligations.