THE EUROPEAN BANKING AUTHORITY (“EBA”) PUBLISHES ITS RECOMMENDATIONS ON THE USE OF CLOUD OUTSOURCING SERVICES BY FINANCIAL INSTITUTIONS

10/08/2017

The consultation document is part of the project to define a clear and safe regulatory framework for outsourcing by European credit institutions. In particular, EBA aims to adopt recommendations in execution of the CEBS (“Committee of European Banking Supervisors”) guidelines on outsourcing of December 14, 2006 (for the complete text, see https://www.eba.europa.eu/documents/10180/104404/GL02OutsourcingGuidelines.pdf.pdf).

 

Here are the main contents of the EBA Recommendations:

  • Security of data: financial institutions, before outsourcing their services, should conduct a thorough risk assessment and should ensure that the confidentiality of the information is protected;
  • Location of data and processing: financial institutions should inform regulators of the country where the service will be performed, proposing – if necessary – a revision of the legislation on data processing. Special attention should be paid when the outsourced services involve non-EU countries;
  • Audit: financial institutions should put in place arrangements that give them – and the regulators of the countries – full access to the business premises where the outsourced service is performed, with the possibility to analyse and verify the systems and devices used to provide the outsourced services;
  • Chain outsourcing: where the outsourced service is subcontracted, the subcontractor shall also be required to comply fully with the measures and recommendations described above;
  • Contingency planning: financial institutions shall provide well-tested exit and emergency plans and make sure the outsourcing service provider is obliged to make an orderly transfer of the services so as to maintain business continuity.