As the deadline for ensuring pre-existing contracts (as defined below) are compliant with the EBA Guidelines (as defined below) draws near, our FinTech team takes a quick look at the approach taken by financial services companies. In particular, we focus on: (i) what the EBA Guidelines are, (ii) who is affected by them and (iii) some of the key strategies to implement to ensure compliance by the deadline, based on our experience advising clients.


The European Banking Authority published a final report on its guidelines relating to outsourcing (the EBA Guidelines) in February 2019. The EBA Guidelines came into force on 30 September 2019 and apply to banks, payment institutions, electronic money institutions and certain types of investment firms (Financial Service Companies) and continues to apply even in a post-Brexit context because the FCA has stated these are principles to which it wishes to see continued adherence by firms under its supervision.

Implementation dates

The EBA Guidelines affects contracts entered into after 30 September 2019 and also needs to be reflected in any in-scope contracts entered into prior to 30 September 2019 (pre-existing contracts) by the 31 December 2021 or the first renewal date of such contract (whichever is earlier). However, this deadline does not apply to what is referred to in the EBA Guidelines as “outsourcing arrangements to cloud service providers”.


The EBA Guidelines apply to contracts between Financial Service Companies and suppliers if the service under the relevant contract constitutes an “outsourcing”. This can be a complex question and there are certain minimum requirements in respect of an outsourcing which need to be considered on a case by case basis. If the services under the relevant contract comprise an outsourcing, then the next question is whether this outsourcing constitutes a “critical or important” outsourcing or not. This distinction is important to make because some of the provisions of the Guidelines only apply to critical or important outsourcings and some of the provisions, although still applied, are only to be applied “proportionately” where the outsourcing is not a critical or important one.

Non-outsourcing contracts

If the services under the relevant contract do not comprise an outsourcing, then the EBA Guidelines do not apply directly. However, the EBA Guidelines does state that Financial Service Companies may also enter into contracts with suppliers where the service does not constitute an outsourcing but is nonetheless mission critical and creates a significant risk for the Financial Service Company’s business and/or its legal or regulatory compliance. In such circumstances the EBA Guidelines suggests that where such contracts are material or high risk then the Financial Service Company should consider applying the relevant provisions of the EBA Guidelines to it where it is feasible and appropriate to do so.

Approach to compliance with pre-existing contracts

There is no “one-size-fits-all” approach to ensuring compliance of pre-existing contracts with the EBA Guidelines. However, here are some strategies to consider based on our experience advising clients:

  • create a generic addendum or supplement that seeks to amend the relevant pre-existing contract to ensure compliance with the EBA Guidelines regardless of its existing content.
  • review the key clauses of the relevant pre-existing contract to create an appropriate dedicated version of the generic addendum for that pre-existing contract e.g. review party and service details, governing law, notice provisions, how contract variations can be effected.
  • in producing the dedicated version, then consider if you should adapt the substance of the addendum further to align it with the contents of the applicable pre-existing contract (e.g. removing aspects of the addendum wording already covered by the existing drafting). This may help short-circuit negotiations by avoiding negotiations around provisions already captured in the existing drafting.
  • if there is a large number of pre-existing contracts to fix (or you are under a tight timeframe) , the above approach may be too time consuming and expensive and so it may be better to keep everything in the addendum and simply state to the extent there is a conflict between its contents and the contents of the pre-existing contract it is seeking to amend, then the terms in the addendum prevail.
  • consider whether you should have one addendum for critical or important outsourcings and one addendum for non-critical or important outsourcings. If you have two addenda, then this may make it easier to fix the non-critical or important outsourcings (as there are fewer requirements on such contracts as mandated by the EBA Guidelines). However, you could consider sending non-critical or important vendors an addendum that is broadly the same as the addendum for critical or important outsourcings on the basis that many of the provisions mandated by the EBA Guidelines are best practice provisions often included in vendor agreements. This approach also has a number of benefits: (1) future-proofing the agreement: if a non-critical or important outsourcing later becomes critical and the vendor had executed an addendum that included all the requirements for critical or important outsourcings, then the relevant agreement would not need to be revisited for compliance with the EBA Guidelines and (2) misclassification: if the outsourcing has been misclassified as non-critical by the risk and compliance team, then there will be no adverse consequences (or need to revisit the pre-existing contract) if the pre-existing contract has been amended to include all the critical or important outsourcing requirements.
  • consider a phased approach to implementation of the updating of pre-existing contracts rather than completing the process for all pre-existing contracts at the same time. Consider focusing, first, on critical or important contracts and high tier non-critical or important contracts and pre-existing contracts close to renewal/expiry. This phased approach also helps to spread the workload of responding to vendors and that of dealing with escalation queries. Experience on earlier phases would also enable the team to fine tune the playbook to inform their handling of later phases.