ECB: Outsourcing Trends in the Banking Sector
?Increased Outsourcing: Banks have expanded their outsourcing expenditures, with administrative expenses on outsourcing rising from 6.8% to 7.2%. ICT outsourcing remains dominant, though its share of total outsourcing budgets slightly decreased from 49% to 47%.
?Cloud Outsourcing Growth: Banks are increasingly dependent on cloud services, with expenditure growing by 13.5% year-over-year. Public cloud and Software-as-a-Service (SaaS) models are widely adopted, reflecting industry-wide digital transformation.
?Third-Party and Sub-Outsourcing Risks: Banks face complex outsourcing supply chains, with an average of four subcontractors per contract. Sub-outsourcing to external service providers accounts for 67% of contracts, particularly in ICT services.
?Limited Substitutability: The difficulty in replacing external service providers increased from 80% to 82%, with 95% of outsourced critical functions classified as difficult or impossible to reintegrate.
?Geopolitical and Regional Dependencies: The outsourcing of critical services to non-EU providers grew by 36%, with ICT contracts outsourced to providers in the UK, US, and India rising from 22% to 27%. This trend amplifies geopolitical risk exposure.
?Concentration Risk: The outsourcing market is concentrated among a small number of external providers, with half of the total outsourcing budget spent on just 30 companies. This concentration raises concerns about operational resilience should a key provider fail.
?Regulatory Considerations: DORA Compliance - The Digital Operational Resilience Act (DORA) mandates stronger third-party risk management, requiring banks to assess operational risks tied to ICT outsourcing and ensure compliance with resilience frameworks; ECB Supervisory Priorities (2025-2027) - The ECB continues to emphasize the need for enhanced IT security, better monitoring of outsourcing arrangements, and remediation of deficiencies in third-party risk management.