Outsourcing trends in the banking sector

19 February 2025

Banks continue to operate in an environment of increased geopolitical tensions and cyber risks. Against this background, operational resilience is increasingly important to navigate these evolving challenges. While banks shift towards cloud-based solutions to facilitate the agility and scalability of IT infrastructures, the ECB found vulnerabilities in their IT outsourcing strategies, and thus detailed its draft supervisory expectations and good practices for cloud outsourcing. Additionally, investments in robust cybersecurity measures are paramount to protect banks against rising cyber threats. Regulatory frameworks, such as the EU’s Digital Operational Resilience Act (DORA), are further shaping strategies by mandating comprehensive resilience testing and reporting. Aiming to keep digital threats in check, DORA harmonises the rules relating to digital operational resilience that apply to different types of financial entities, including banks, as well as to external third-party service providers that offer services around information and communication technology (ICT).

Operational resilience remains front of mind for European supervisors, and the ECB’s supervisory priorities 2025-27 continue to emphasise the need to remediate deficiencies in IT outsourcing, IT security and cyber risks. European banking supervision’s yearly analysis of outsourcing registers highlights the latest developments in outsourcing and the resulting risks. The insights below are from the 2024 analysis, which is based on year-end data for 2023.

Overall, the 2024 analysis shows that banks were increasingly relying on outsourcing. Year-end data for 2023 indicate that the share of administrative expenses spent on all outsourcing services from external providers has increased from 6.8% to 7.2%. Outsourcing of ICT services, especially cloud services, continued to grow. At the same time, outsourcing supply chains remained complex, which increases the effort required for banks to monitor them. Concentration among a limited number of service providers remained high, while dependency on outsourcing services continued to rise.

It therefore remains vital that banks properly manage their third-party risks and abide by DORA to manage third-party risks stemming from their ICT contracts. Moreover, given the increased geopolitical tensions, banks should be mindful of the heightened risks arising from increasingly sourcing ICT services from countries or providers headquartered outside the EU.

IT outsourcing

Between 2023 and 2024 banks on average increased their outsourcing budget for ICT services by 2.1%; in the 2024 analysis, the average expenditure per significant institution (SI) amounted to approximately €83.9 million, compared to around €82.2 million in 2023. However, owing to increases in the budget spent on other services, the share of ICT services decreased slightly from 49% to 47% of the total outsourcing budget. Payment services and cash management services accounted for 10% and 8% respectively.

Distribution of budget spending by category

(percentages)

Cloud outsourcing

Among other ICT services, banks continue to strongly rely on cloud service outsourcing: nearly all banks have contracts for cloud-based critical functions and on average together they spent 13.5% more on cloud outsourcing than in the 2023 analysis. In the 2024 analysis, the average expenditure per SI was around €57 million EUR, compared to the absolute figure of €50.2 million in 2023. The preferred deployment and service models are “public cloud” and “software as a service”, particularly within ICT services. These trends reflect a broader industry shift towards digital transformation and reliance on advanced technological solutions.

Sub-outsourcing

The third-party risk from sub-outsourcing depends on two factors: the length of the supply chain and whether the sub-outsourcing involves external service providers. The data show that the supply chain is complex, as on average contracts have four subcontractors. The share of contracts sub-outsourced to external service providers amounted to 67%. This number includes the 52% of intragroup outsourcing contracts that are sub-outsourced to external service providers; this is largely driven by the sub-outsourcing of ICT services.

Substitutability and reintegration

As banks rely heavily on external service providers for critical functions, it is important to assess how easily a significant institution (SI) can switch the service provider (“substitutability”) or decide to perform the service itself (“reintegration”). The share of critical functions outsourced to external service providers that are difficult or impossible to substitute increased from 80% to 82%, of which 95% are difficult or impossible to reintegrate. Thus, for each new outsourcing decision SIs should consider the impact on their overall dependency on third-parties.

Substitutability of providers per contract

(percentage of the total critical and external budget)

Dependencies on non-EU countries

Against the background of increasing geopolitical tension, outsourcing risks differ depending on whether the services are provided from within the European Union (EU)/European Economic Area (EEA) or from non-EU countries. An increasing number of critical services are provided from non-EU countries (+36%). The percentage of critical ICT contracts outsourced to external providers located in non-EU countries (particularly the United Kingdom, United States and India) increased from 22% to 27%. This signals growing complexity and an extended global scope of outsourcing arrangements.

Country providing the services

(percentages of the total critical and external budget)

Country providing the services – Non-EU countries

(percentage of the total number of all critical and external contracts)

Country of origin of parent companies of the top 30 providers by budget expenditure for 2022 and 2023

(percentage of the budget spent on the top 30 providers)

Concentration and external providers

The outsourcing of critical services is concentrated among a limited number of external providers, making robust risk management all the more necessary. The high concentration may have wider repercussions on banks’ operational resilience should one key provider become unavailable. Similarly to the 2023 analysis, half of the total budget is spent on only 30 external providers.

Budget per provider – single and cumulative

(percentage of total budget spent on the top 500 providers)