2021_6191 Custom software development and support outsourcing clarification | European Banking Authority Skip to main content
European Banking Authority logo
  • Extranet
  • Log in
  • About us
    Back

    About us

    The EBA is an independent EU Authority.  We play a key role in safeguarding the integrity and robustness of the EU banking sector to support financial stability in the EU.

    Learn more
      • Mission, values and tasks
      • Organisation and governance
        • Governance structure and decision making
        • EBA within the EU institutional framework
        • Internal organisation
        • Accountability
      • Legal and policy framework
        • EBA regulation and institutional framework
        • Compliance with EBA regulatory products
      • Sustainable EBA
      • Diversity and inclusion
      • Careers
        • Vacancies
        • Meet our team
      • Budget
      • Procurement
    Close menu panel
  • Activities
    Back

    Activities

    To contribute to the stability and effectiveness of the European financial system, the EBA develops harmonised rules for financial institutions, promotes convergence of supervisory practices, monitors, and advises on the impact of financial innovation and the transition to sustainable finance.

    Start here
      • Single Rulebook
      • Implementing Basel III in Europe
      • Supervisory convergence
        • Supervisory convergence
        • Supervisory disclosure
        • Peer Reviews
        • Mediation
        • Breach of Union Law
        • Colleges
        • Training
      • Direct supervision and oversight
        • Markets in Crypto-assets
        • Digital operational resilience Act
      • Information for consumers
        • National competent authorities for consumer protection
        • How to complain
        • Personal finance at the EU level
        • Warnings
        • Financial education
        • National registers and national authorities responsible for handling complaints related to credit servicers
        • Frauds and scams
      • Research Workshops
      • Ad hoc activities
        • Our response to Covid-19
        • Brexit
    Close menu panel
  • Risk and data analysis
    Back

    Risk and data analysis

    To ensure the orderly functioning and stability of the financial system in the European Union, we monitor and analyse risks and vulnerabilities relevant for the regulation of banks and investment firms. We also facilitate information sharing among authorities and institutions through supervisory reporting and data disclosure.

    Learn more
      • Risk analysis
        • 2024 EU wide transparency exercise
        • EU-wide stress testing
        • Risk monitoring
        • Thematic analysis
      • Remuneration and diversity analysis
      • Reporting frameworks
        • Reporting Time Traveller
        • DPM data dictionary
      • Data
        • Registers and other list of institutions
        • Guides on data
        • Aggregate statistical data
        • Secondary reporting: data from Competent Authorities to the EBA
        • Data analytics tools
    Close menu panel
  • Publications and media
    Back

    Publications and media

    Communicating to all our audiences in the most effective way and using the most appropriate channels is crucial for us. Through our publications, announcements, and participation in external events, we are committed to reaching out to all our stakeholders to report about our policies, activities, and initiatives.

    Learn more
      • Publications
        • Guidelines
        • Regulatory Technical Standards
        • Implementing Technical Standards
        • Reports
        • Consultation papers
        • Opinions
        • Decisions
        • Staff papers
        • Annual reports
      • Press releases
      • Speeches
      • Interviews
      • Events
      • Media centre
        • Media gallery
        • Media resources
    Close menu panel

Breadcrumb

  1. Home
  2. Single Rulebook Q&A
  3. 2021_6191 Custom software development and support outsourcing clarification
Question ID
2021_6191
Legal act
Directive 2013/36/EU (CRD)
Topic
Supervisory review and evaluation (SREP) and Pillar 2
Article
97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
EBA/GL/2019/02 - Guidelines on outsourcing arrangements
Article/Paragraph
12, 26, 28
Name of institution / submitter
Solutium d.o.o.
Country of incorporation / residence
Slovenia
Type of submitter
Other
Subject matter
Custom software development and support outsourcing clarification
Question

Company for development and maintenance of banking software has identified the following unclarities related to the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) that were published by European Banking Authority (EBA) and for which we ask for clarification/interpretation:

  1. Is custom software development, which is based on specifications and orders from a bank, and which covers thematic area or function that the bank defined as a critical function, considered as outsourcing (in terms of the referenced guidelines) when the act of development is performed on an occasional (not recurrent and not ongoing) basis?

  1. Is regular custom software maintenance and support of software mentioned in the previous bullet point, which covers thematic area or function that the bank defined as a critical function, considered as outsourcing (in terms of the referenced guidelines) if the company providing the software maintenance and support service doesn’t have access to bank’s production environment or data from the production environment? IT department of the bank exclusively maintains their production environment, and only the bank has access to production environment data (first level support). The company offers second level support to the IT department, which consists of consultations for resolving more demanding problems, which are simulated in the test environment (without any access to the production environment).

  1. In case any of the services mentioned in the previous bullet points are considered as outsourcing (in terms of the referenced guidelines), must the contract between the company and the bank implement all guidelines or only those that are relevant for the scope of cooperation between the company and the bank? Please confirm that there is no need for the contract to cover guidelines related to cloud services and outsourcing data processing services if the company does not offer cloud services nor processes any data of the bank.

 

Background on the question

Company for development and maintenance of banking software has identified listed unclarities related to the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) which need clearification.

Submission date
09/09/2021
Rejected publishing date
29/04/2022
Rationale for rejection

This question has been rejected because to ensure the effectiveness of the Q&A process it focuses on answering questions that are likely to be relevant to a broad set of stakeholders – for example, a large number, broad range or wide geographical distribution – rather than questions which address circumstances which appear likely to be relevant only to the particular circumstances of certain stakeholders or transactions.

For further information on the purpose of this tool and on how to submit questions, please see “Additional background and guidance for asking questions”.

Status
Rejected question

Footer

EUROPEAN BANKING AUTHORITY

Our mission is to contribute to the stability and effectiveness of the European financial system through simple, consistent, transparent, fair regulation and supervision that benefits all EU citizens.


UE logoAn agency of the EU

EU Agencies Network logoEU Agencies Network

EMAS logoSustainable EBA

Contact us

  • Contacts
  • Ask a general question
  • Send a press query
  • Ask a regulatory question
  • File a complaint
  • Whistleblower reports

Stay up to date with our work

  • Subscribe to our email alerts
  • News & press RSS feed

Follow us on Social media

  • Bluesky
  • LinkedIn
  • X
  • YouTube

Find out about us

  • The EBA at a glance
  • Vacancies
  • Privacy policy
  • Legal notice
  • Cookies policy
  • Frauds and scams

Explore related sites

  • EIOPA
  • ESMA
  • ESRB
  • CEBS archive