With the importance of fintech providers getting ever greater in the rush to digitisation, financial institutions are adapting their business models, embracing outsourcing as a way to get relatively easy access to new technologies and to achieve economies of scale.

With this in mind, the EBA is trying to create a more harmonised framework, consistent with the requirements on outsourcing under diverse directives PSD2, MiFID II and the Commission's Delegated Regulation.

In particular, the new guidelines clarify that the management body of each financial institution remains responsible for that institution and its activities at all times. Says the EBA: "Outsourcing must not lead to a situation in which an institution becomes an ‘empty shell' that lacks the substance to remain authorised."

The guidelines note that there are particular challenges to ensure the effective supervision when functions are outsourced to service providers located in third countries. Again, financial institutions are "expected to ensure compliance with EU legislation and regulatory requirements".

The EBA has also clarified which arrangements with third parties are to be considered as outsourcing, differentiating between requirements on critical and important arrangements and those considered less risky.

Finally, competent authorities are required to effectively supervise financial institutions' outsourcing arrangements, including identifying and monitoring risk concentrations at individual service providers and assessing whether or not such concentrations could pose a risk to the stability of the financial system.

The guidelines will enter into force on 30 September, with some transitional periods.