Outsourcing is often sold internally as speed: “let’s plug in a provider and move on.”
However, under the MFSA’s outsourcing expectations, the moment a third party supports a critical or important function, the conversation changes. You are no longer buying a service; you are creating a dependency that must be governable, auditable, and exitable.
The MFSA guidance is explicit about why it cares: regulated firms increasingly rely on ICT-enabled critical/important functions delivered remotely by third parties (often cloud), which expands cyber exposure and complicates supervisory oversight.
So, the real question isn’t “can we outsource this?”
It’s “can we still prove control after we outsource it?”
1. Classify it properly
The MFSA expects a structured pre-outsourcing analysis that includes assessing whether the function is critical or important, and then working through supervisory conditions, risks, due diligence, and conflicts of interest before you sign.
For credit institutions, MFSA’s Banking Rule BR/14/2020 adds a hard procedural trigger: where a bank intends to outsource a material service/activity, it must inform the MFSA in writing at least 60 days in advance.
Practical risk: if you get classification wrong at the start, you typically miss the governance steps that regulators expect to see later (risk assessment depth, contract clauses, exit plan).
2. Documentation is not optional: the outsourcing registry is a supervisory instrument
The MFSA expects firms to maintain a register of outsourcing arrangements and be able to provide it in a processable electronic form when requested.
This is not just a list of vendors. The register content the MFSA expects includes items that force firms to think about resilience, governance, and operational continuity, including:
- Audit timing: most recent audit completed and next scheduled audit
- Sub-outsourcing chains: entities involved, countries of registration, and data processing/storage locations
- Substitutability/reintegrability: how easily the service can be replaced or brought back in-house
- Alternative providers: realistic backup options
- Time-criticality: whether the outsourced activity supports time-critical or mission-critical operations
- Exit strategy: whether a written, referenced exit strategy exists
Practical risk: firms treat this as an administrative log, but MFSA treats it as a map of operational dependency.
For critical or important functions, the MFSA guidance sets out the minimum clauses the outsourcing agreement should include:
- a clear description of the services to be provided under the SLA,
- good governance of the provision of services,
- the locations where the function is performed and where data is stored/processed, plus notification of changes,
- information security and data protection expectations,
- measurable SLAs and reporting obligations,
- requirements to implement and test contingency plans,
- provisions to ensure firm-owned data remains accessible in the event of provider insolvency, resolution or discontinuation, and
- cooperation with competent authorities.
3. Audit and access rights
MFSA expects outsourcing agreements for critical/important functions to provide the unrestricted right for the licence holder and the Authority to inspect and audit the provider (with further detail in the related sections).
For banks under BR/14/2020, the rule is similarly strong: for material outsourcing, the provider must grant the institution and the MFSA (including the Resolution Authority and its appointees) full access to premises, systems and data, together with unrestricted inspection and audit rights. Even for non-material outsourcing, access and audit rights still need to be ensured on a risk-based basis, recognising that services can become material over time.
4. Sub-outsourcing: the silent multiplication of your risk perimeter
MFSA expects the outsourcing agreement to state whether sub-outsourcing is permitted.
If it is permitted, MFSA expects controls such as:
- prior authorisation/approval mechanics (including for sub-outsourcing of data),
- notification periods that allow the firm to risk-assess and object, and
- termination rights for undue sub-outsourcing.
Practical risk: without these controls, you can end up with your “vendor” being effectively a broker, while your data and operations are handled by entities you never assessed.
5. Monitoring & oversight
MFSA expects monitoring with particular focus on critical/important outsourcing, including incident handling, clearly delineated roles/responsibilities for IT and non-IT processes affected, and independent verification of SLAs.
MFSA expects outsourcing arrangements to facilitate transfer to another provider or reintegration into the firm, with contract terms on transition periods, provider support, and deletion of remaining firm data after transfer.
MFSA also expects firms to engage in supervisory dialogue for planned outsourcing of critical/important functions (or if a function becomes critical/important), and to inform it of material changes/severe events that could materially impact continuing business provision.
Practical risk: “either party may terminate” is not an exit plan. MFSA expects a transfer-ready arrangement.
Where BDO Malta Can Help
At BDO Malta, we translate the MFSA’s outsourcing expectations into practical, workable solutions. In practice, this means supporting your firm to:
- Correctly classify all arrangements, distinguishing outsourcing from non-outsourcing and identifying critical or important functions in line with MFSA criteria.
- Develop or update your outsourcing policy and register to ensure full alignment with supervisory expectations.
- Conduct and document the required pre-outsourcing due diligence and risk assessments, providing the level of evidence the MFSA typically requests.
- Review and negotiate outsourcing contracts so that access/audit rights, sub-outsourcing controls, data location requirements, and exit strategies are clearly defined and enforceable.
- Design oversight and monitoring frameworks proportionate to your firm’s size, risk appetite, and operational model.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.