MFSA Rules, DORA, and the EBA Guidelines
Abstract:
Outsourcing has become a commercial reality for financial institutions of all sizes. Whether it is a core banking platform, a compliance function, or an API integration with a payments provider, the regulatory framework governing these arrangements is extensive and, since January 2025, considerably more demanding. This article sets out the key questions institutions should be asking, drawing on the MFSA rules (FIR/01 and FIR/03), DORA, and the EBA Guidelines on Outsourcing.
1. What is Critical, Important, or Material Outsourcing?
Not all outsourcing arrangements are treated equally. The threshold concept across all three frameworks is whether a disruption to the outsourced function would materially affect the institution's ability to operate, meet its obligations, or remain compliant. Classic examples include core banking systems, payment processing, and key IT infrastructure.
MFSA Rules: FIR/01 and FIR/03
Under the MFSA's Financial Institutions Rulebook, financial institutions are subject to Banking Rule BR/14 as applied through FIR/01 and FIR/03. The October 2025 overhaul of FIR/01 brought a significant structural change: outsourcing arrangements are now assessed at the authorisation stage, not simply post-licence.
FIR/03 is the operative chapter for ongoing outsourcing obligations and requires institutions to formally classify each outsourced activity as either critical or non-critical, with documented justification for that classification. A written outsourcing policy must be maintained, covering oversight mechanisms, risk management procedures, and escalation protocols.
A consistent finding from the MFSA's 2025 thematic review was that institutions were misclassifying functions such as compliance, risk management, and internal audit as non-critical. Under FIR/03 and BR/14, these functions are treated as inherently critical, so getting the classification wrong is not a technical error but a substantive compliance failure.
DORA
For ICT-related services, DORA applies its own definition: a service supports a "critical or important function" where its absence or failure would substantially impair the financial entity's performance, resilience, or regulatory compliance. Cloud computing, data centres, and managed security services are the obvious examples, but the definition extends to any ICT third-party arrangement where dependency creates material risk.
EBA Guidelines
The EBA Guidelines define critical or important functions as those where a disruption would severely impair the institution's ability to comply with its authorisation conditions, meet its financial obligations, or maintain adequate internal controls. The EBA's formulation is deliberately broad and should be applied with caution: when in doubt, classify up.
A Practical Note on Concentration Risk
The MFSA's 2025 thematic review flagged a sector-level concern that deserves separate attention: multiple institutions were found to rely on the same small pool of outsourced compliance officers and internal auditors, often engaged for only a few hours per week. This raises both individual substance questions (is the function genuinely being performed?) and systemic concentration risk across the sector. Institutions should be asking not just whether a function is classified correctly, but whether the outsourced arrangement is genuinely adequate in practice.
2. What Considerations Does an Institution Have to Take When Outsourcing?
Outsourcing is not simply a commercial procurement decision. It triggers a structured set of regulatory obligations, and institutions need to work through these at the outset rather than retrospectively.
Pre-Outsourcing Analysis
Before any contract is signed, the institution must determine whether the function in question is critical or important. A pre-risk assessment is mandatory, covering at minimum:
- Legal and regulatory risk: including data protection (GDPR), applicable licensing conditions, and jurisdictional considerations where the provider operates outside the EEA.
- Reputational risk: the institution remains accountable for the outsourced function in the eyes of both the MFSA and its customers.
- Operational risk: what happens if the provider fails, is acquired, or simply underperforms?
- Concentration risk: is the institution building material dependence on a single provider, or on a small number of providers across multiple functions?
Contractual Requirements
The contract must be clear, comprehensive, and compliant. At a minimum it should address:
- Service levels, including measurable KPIs and remediation mechanisms for underperformance.
- The location(s) where data is processed, particularly relevant for GDPR and for MFSA supervisory access.
- Sub-outsourcing: whether it is permitted, under what conditions, and what approval rights the institution retains.
- Audit and access rights: the institution must be able to inspect, audit, and obtain information from the provider.
- Termination and exit provisions: the institution must be able to exit the arrangement, including in the event of the provider's insolvency or regulatory non-compliance.
Governance and Ongoing Monitoring
The management body retains full responsibility for outsourced functions. This is not merely a regulatory formality: it means there must be genuine internal oversight, not simply a commercial relationship managed by one member of staff. Regular performance reviews, defined escalation paths, and documented audit activity are expected throughout the life of the arrangement.
Exit Strategies
For critical functions, a robust and tested exit plan is mandatory. "Tested" is the operative word. A plan that exists on paper but has never been reviewed against operational reality will not satisfy regulatory expectations. The plan must demonstrate that the institution can transition to an alternative provider or bring the service in-house without material disruption to operations or customers.
Intra-Group Outsourcing
The MFSA's thematic review found that institutions were treating intra-group arrangements as effectively exempt from standard due diligence. This is incorrect. Intra-group arrangements must be at arm's length, supported by formal written agreements, and subject to the same risk assessment and ongoing monitoring requirements as external outsourcing. The group relationship does not reduce the regulatory obligation; it simply changes the counterparty.
3. What Are the Legal Requirements for Notifying an Outsourced Function?
Notification obligations sit across the MFSA rules and, for ICT services from January 2025, DORA. The key requirements are as follows.
MFSA Rules (FIR/01, FIR/03, BR/14)
Institutions must notify the MFSA of an intention to outsource, particularly where the function is material. The timing of this notification matters: under the revised FIR/01, outsourcing arrangements are now assessed as part of the authorisation process, which means that for new applicants, the structure and nature of outsourcing must be addressed at application stage, not disclosed after the fact.
The ongoing obligations include:
- Register of outsourcing arrangements: institutions must maintain an up-to-date register of all outsourcing arrangements, differentiating clearly between critical/important and non-critical functions.
- Sub-outsourcing notifications: where the service provider wishes to sub-outsource, contracts must address whether this is permitted and the institution must be notified of any sub-outsourcing that could affect its ability to monitor the arrangement.
- Inspection and audit rights: all contracts must contain provisions permitting the MFSA to inspect and audit service providers directly.
- Material changes: any material change to an existing outsourcing arrangement is likely to require notification, and potentially prior approval, depending on the nature of the change.
DORA
From 17 January 2025, DORA requires institutions to maintain a Register of Information (RoI) covering all ICT third-party arrangements, not just those supporting critical or important functions. This register must be reported to the relevant competent authority annually. The MFSA's 2025 thematic review found that many institutions' registers were incomplete, with missing entries for sub-outsourcing chains and inadequate detail on data processing locations. Maintaining an accurate and complete RoI is a core supervisory deliverable.
4. Can an Institution Use a Sub-Outsourced Service or Function?
Sub-outsourcing is permitted, but the institution's accountability does not diminish when the service is passed down the chain. This is worth stating plainly, because the practical governance implications are sometimes underestimated.
Key Obligations
Sub-outsourcing must be:
- Contractually governed: the institution's agreement with its primary provider must address whether sub-outsourcing is permitted, under what conditions, and what approval rights are retained.
- Subject to prior authorisation: material sub-outsourcing by the provider should require the institution's prior approval, not simply notification after the fact.
- Subject to due diligence: the institution must satisfy itself that sub-contractors meet the same standards as the primary provider; they cannot simply inherit compliance by virtue of being engaged by a regulated provider.
Maintaining Access and Audit Rights
Access and audit rights must flow through the chain. If the institution cannot audit a sub-contractor, or cannot require its primary provider to do so on its behalf, the arrangement does not meet regulatory expectations. This is particularly relevant in complex technology chains where cloud infrastructure providers, API aggregators, and managed service providers are each part of the delivery model.
Monitoring for Material Risk Increases
Sub-outsourcing arrangements must be monitored for changes that could materially increase risk. A sub-contractor being acquired by a competitor, a key individual departing, or a security incident at a fourth-party provider can all create material risk at the level of the regulated institution. Institutions are expected to have sufficient visibility into their outsourcing chains to identify and respond to these events.
5. DORA Requirements When Outsourcing an ICT-Related Service or Function
DORA came into force on 17 January 2025 and applies to a wide range of financial entities. For institutions outsourcing ICT services, DORA imposes a structured and demanding set of obligations that run alongside (and in some cases take precedence over) the broader MFSA outsourcing framework. This applies whether the outsourced service is a technology platform, an API integration, cloud infrastructure, or a managed security service.
Pre-Outsourcing Due Diligence and Assessment (Article 28)
Before entering into any ICT outsourcing arrangement, institutions must conduct thorough pre-contract assessments covering:
- Criticality assessment: does the ICT service support a critical or important function? The answer determines the level of diligence and contractual rigour required.
- Provider due diligence: the provider's reputation, technical expertise, financial stability, and operational resilience must all be assessed, not assumed.
- Information security standards: the provider must adhere to security standards commensurate with the sensitivity of the functions and data involved.
- Concentration risk: institutions must analyse whether engaging the provider creates or exacerbates dependence on a limited number of suppliers or generates systemic interdependencies.
- Conflicts of interest: any potential conflicts of interest must be identified and assessed before contracting.
Mandatory Contractual Provisions (Article 30)
DORA requires that ICT outsourcing contracts be documented in a single written instrument (which may include annexes) and contain specific clauses. For critical and important functions, additional provisions apply. Key contractual requirements include:
- Service description and data location: a detailed description of services, including the specific locations where data is processed and stored.
- Data availability, integrity, and confidentiality: explicit guarantees that the provider will maintain the security and accessibility of the institution's data.
- Unrestricted audit rights: the institution and its regulators must have unrestricted rights to access, inspect, and audit the provider. For critical functions, these rights must be continuous rather than periodic.
- Sub-outsourcing controls: strict conditions on the provider's ability to sub-contract, including the institution's right to withhold consent.
- Incident management obligations: the provider must assist in managing ICT-related incidents at no additional cost to the institution.
- Termination rights: clear and exercisable rights to terminate the contract, including in the event of the provider's insolvency, material breach, or regulatory non-compliance.
Ongoing Monitoring and Oversight
DORA does not permit a "sign and forget" approach. Institutions are required to:
- Maintain the Register of Information (RoI): a detailed and current register of all ICT third-party arrangements, to be reported to regulators annually.
- Continuously monitor service levels: SLA compliance, security posture, and regulatory compliance must be actively monitored throughout the contract lifecycle.
- Ensure provider participation in resilience testing: providers must participate in the institution's ICT resilience testing programme. For critical functions, this includes Threat-Led Penetration Testing (TLPT).
Exit Strategies and Business Continuity
For critical or important functions, exit strategies are mandatory rather than recommended. A compliant exit strategy must:
- Be documented, reviewed, and tested, not simply written and filed.
- Demonstrate that data can be migrated to an alternative provider or brought in-house without service interruption.
- Address business continuity even in the event of a sudden or unplanned provider failure.
Specific Considerations for APIs and Cloud Services
API integrations and cloud services present particular challenges under DORA because the delivery chain can be long and the institution's visibility into that chain is often limited. Key considerations include:
- API security: institutions must ensure robust authentication controls, end-to-end data encryption in transit, and comprehensive monitoring of data flows at the API level.
- Fourth-party and Nth-party visibility: DORA requires institutions to have meaningful visibility into the sub-outsourcing chain. Where a SaaS provider relies on cloud infrastructure from a hyperscaler, and that hyperscaler in turn relies on third-party services, the institution cannot simply treat this as the provider's problem. Concentration at the level of cloud infrastructure providers is a specific concern that the MFSA's supervisory findings have highlighted.
The table below summarises the key differences in requirements between non-critical and critical ICT outsourcing arrangements under DORA:
| Requirement | Non-Critical | Critical / Important |
|---|---|---|
| Due Diligence | Standard | In-depth |
| Contract Terms | Article 30(2) | Article 30(2) & 30(3) |
| Exit Strategy | Recommended | Mandatory |
| Audit Rights | Basic | Unrestricted / Continuous |
| TLPT Testing | No | Mandatory |
Takeaways
The regulatory landscape for outsourcing has shifted materially since January 2025. Institutions can no longer treat outsourcing as a purely commercial matter: the MFSA's revised FIR/01, the ongoing requirements under FIR/03 and BR/14, and the introduction of DORA for ICT services have together created a structured and demanding framework that must be addressed proactively. Getting the classification right is essential, particularly for compliance, risk management, and internal audit.
These are inherently critical functions, and misclassifying them is a substantive failure, not a technicality. Contracts must contain specific, enforceable provisions covering audit rights, sub-outsourcing controls, data location, and exit. Intra-group arrangements attract the same obligations as external ones. Sub-outsourcing chains require active oversight and genuine visibility, not contractual assumptions.
For ICT services, DORA's Register of Information must be complete and current, and exit strategies for critical functions must be tested, not merely documented. The MFSA's 2025 thematic review findings serve as a clear signal: the regulator is scrutinising these arrangements closely, and institutions that have not yet audited their outsourcing frameworks against current requirements should do so without delay.
Editor: Matteo Alessandro (Senior Associate) – MK Fintech Partners Ltd
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.