Overreliance on expertise within a few companies – for example, those that can perform penetration testing for cyber security and resilience purposes – is another related concern for some regulators. Concentration of customer data on the servers of a small group of service providers has also been raised.
What do the EBA outsourcing guidelines say about concentration risk?
Financial institutions should assess the impact a potential arrangement will have on their overall operational risk before outsourcing. As part of this assessment, they should consider concentration risk as part of an exercise in balancing the expected benefits of the proposed arrangement against its expected costs. Specific attention should be given to circumstances where the financial institution plans to outsource "to a dominant service provider that is not easily substitutable" or where it engages in "multiple outsourcing arrangements with the same service provider or closely connected service providers".
The EBA guidelines place responsibility on financial institutions to monitor their own concentration risks "on a micro level". Regulators should monitor concentration risk at the sector level, "on both a micro and macro level". The steps financial institutions should take to ensure that they are complying with regulatory expectations will therefore depend not only on their direct regulatory obligations, but also on the extent to which they are called upon to assist regulators in achieving their regulatory goal of monitoring risks across the sector.
In their contracts with suppliers, financial institutions should ensure that they retain rights to provide regulators with information which may be useful in monitoring concentration risk across the sector. Regulators are given powers to ask for "detailed information on any outsourcing arrangement"; to limit or restrict the scope of the outsourced functions; to require exit from one or more outsourcing arrangements; and to "cancel contracts" where regulatory requirements are not being met.
Future regulatory refinements
In the UK, the Prudential Regulation Authority (PRA) has signalled its willingness to "further refine its approach" towards regulation and concentration risk. It has also said that it will continue to work with international standard-setting bodies, including the Basel Committee on Banking Supervision and the International Association of Insurance Supervisors (IAIS), to "develop and adopt international standards" on cloud infrastructure providers.
This is in line with a recommendation given by the collective European Supervisory Authorities to the European Commission last year to take into account "the potential systemic risks that may result from outsourcing or third party concentration risks [and] consider a legislative solution for an appropriate oversight framework for monitoring the activities of third party providers when they are critical service providers".
It is therefore likely that, in addition to current proposals for change to the regulatory operational resilience and outsourcing frameworks, we will see further changes introduced in relation to monitoring and mitigating concentration risks. As the PRA and other regulators are welcoming views on how regulated entities currently assess concentration risk, financial institutions have been given a good opportunity to provide practical and objective criteria to help shape future regulation and guidance in a way that balances the need to implement innovative technologies with the need to protect the interests of customers.