Material Outsourcing in UK Financial Services: A Practical Guide for Fintech Founders and GCs
February 16, 2026

By Amy Parkinson - Legal Director & Head of Fintech

Outsourcing Explained: Series 1

What actually is “outsourcing” in financial regulation?

Welcome to Outsourcing Explained.

This is our new blog series unpacking the UK financial services outsourcing regime, one practical step at a time. Across the year, we’ll be breaking down what the rules say, what regulators expect, and what this all means when you’re actually negotiating a financial services outsourcing contract.

If you are a regulated fintech, scaling payments business, EMI, bank, investment firm, or a service provider selling into one of them, this series is for you.

Because outsourcing is no longer just an operational decision. It is a regulatory event.

Why this series exists

Outsourcing has become core to how fintechs operate.

Cloud infrastructure. Core banking platforms. KYC providers. Payment processors. Fraud tooling. Customer onboarding solutions.

Modern regulated businesses are built on third-party rails.

That’s efficient. It’s innovative. It’s commercially smart.

But from a regulator’s perspective, it also creates risk. Which is why outsourcing compliance in financial services has become a major focus area for the FCA, PRA and European regulators.

For Series A+ fintechs scaling quickly, outsourcing often becomes one of the first areas scrutinised during investor diligence and FCA authorisation processes. Increasingly, we see questions around vendor risk management, third-party risk management frameworks for fintechs, and whether particular arrangements constitute material outsourcing in the UK.

Over this series, we will:

  • Outline the regulatory requirements that apply to outsourced services
  • Break down the mandatory outsourcing contract provisions regulators expect to see
  • Highlight common pitfalls we see in practice
  • Share practical drafting and negotiation insights

Our focus will be the contractual phase of the outsourcing lifecycle. Because that is where regulatory theory becomes very real negotiation dynamics.

The foundations: what counts as outsourcing?

We are starting at the beginning.

Under the EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02), which form the core of the UK financial services outsourcing regime, outsourcing is defined broadly as:

An arrangement of any form between a regulated entity and a service provider by which that service provider performs a process, service or activity that would otherwise be undertaken by the regulated entity itself.

It is deliberately wide. And deliberately technology-neutral.

If a third party is doing something that you could or would otherwise do internally, that is likely outsourcing under the EBA Guidelines as applied in the UK.

The definition is designed to catch modern operating models. It recognises that regulated firms today are ecosystems, not monoliths.

Who do the Guidelines apply to?

Primarily, they apply to regulated entities, including:

  • Credit institutions
  • Payment institutions
  • Electronic money institutions
  • Certain investment firms

These entities are subject to FCA outsourcing requirements, and in some cases PRA outsourcing rules, depending on their regulatory status.

They do not currently apply to account information service (AIS) providers authorised solely for AIS.

But if AIS is provided alongside other regulated services under a broader authorisation, the Guidelines still apply to that entity.

The key principle is this:

Regulated firms remain fully responsible for compliance with the outsourcing risk management framework. Even if the work is performed by someone else.

You can outsource the activity.
You cannot outsource the accountability.

And what about service providers?

Service providers are not directly regulated under the Guidelines.

They are not supervised by the FCA or PRA simply because they provide outsourced services.

In theory, they are free to negotiate on commercial terms.

In reality?

If they want to work with regulated clients, they are stepping into a regulatory-shaped framework.

Because the obligations imposed on regulated firms under the UK material outsourcing regime get “passed down” contractually.

That means outsourcing contracts frequently include:

  • Outsourcing audit rights clauses
  • Regulatory audit rights for the FCA or PRA
  • Information access and regulator access rights
  • Information security and data protection obligations
  • Sub-outsourcing restrictions
  • Termination and exit planning requirements
  • Business continuity requirements

Often going well beyond a supplier’s standard template.

Service providers still have leverage. They can negotiate. They can push back. They can walk away.

But if they want regulated business, they need to understand the rulebook shaping the deal.

Not every third-party arrangement is outsourcing

This is where nuance matters.

A common question we hear from scaling fintechs is:
“Does this count as material outsourcing?”

The starting point is whether the service:

  • Replaces or supports an internal function
  • Is integral to the regulated entity’s activities
  • Is provided on an ongoing basis

Office cleaning? Catering? Likely not outsourcing under the EBA/GL/2019/02 outsourcing framework.

Core banking infrastructure? KYC tooling? Risk management support? Much more likely.

ICT services sit in an interesting middle ground. Some standardised, low-risk, off-the-shelf services may fall outside scope if they do not support critical or important functions. But where cloud hosting or SaaS tools underpin regulated activities, they may well fall within the outsourcing rules that apply to regulated fintechs.

The assessment ultimately forms part of the regulated entity’s outsourcing due diligence checklist and internal third-party risk assessment.

And getting it wrong has consequences.

Material vs non-material outsourcing

Once something qualifies as outsourcing, the next step is classification.

Is the function “critical or important”?

Broadly, it will be if a failure would:

  • Compromise regulatory compliance
  • Impact financial soundness or stability
  • Disrupt key financial services

If yes, it becomes a material outsourcing arrangement under the FCA outsourcing requirements and EBA framework.

And that matters.

Material outsourcing triggers:

  • Deeper pre-outsourcing due diligence
  • Stronger internal governance and board approvals
  • Enhanced mandatory outsourcing contract provisions

For service providers, this often means:

  • Expanded regulatory audit rights
  • More detailed SLAs aligned with regulatory expectations
  • Stricter sub-outsourcing controls
  • Clear outsourcing termination and exit plan obligations

It is also worth noting that classification as supporting a “critical or important function” is primarily a risk and compliance exercise under the outsourcing risk management framework, even though legal teams are frequently asked to document and reflect that assessment contractually.

What are the Guidelines trying to prevent?

At their core, the Guidelines exist to ensure outsourcing does not:

  • Weaken governance and internal controls
  • Undermine operational resilience for fintech
  • Impair supervisory oversight
  • Damage consumer protection or market integrity

Regulators are not anti-outsourcing.

They are anti-loss-of-control.

The objective is simple: a regulated firm must remain fully accountable and fully supervisable, even if core systems are delivered via third-party providers.

This is why regulators focus heavily on regulator access rights, audit provisions, and business continuity planning in financial services outsourcing contracts.

And in the UK post-Brexit?

In the UK, the EBA Guidelines continue to form the core framework for many firms as part of the onshored EU regime.

For banks and building societies under the PRA’s remit, the Guidelines sit alongside PRA Supervisory Statement SS2/21, which adds further expectations on outsourcing and third-party risk management.

So:

  • A UK bank will typically deal with both the Guidelines and SS2/21 under the PRA outsourcing rules.
  • A UK EMI will usually focus primarily on the Guidelines and FCA outsourcing requirements.

The regulatory architecture varies by entity type. But the EBA Guidelines remain central to the UK financial services outsourcing regime.

We will unpack SS2/21 in a later post in this series.

What’s coming next?

Now that we have set the foundations, future posts will move into the contract mechanics.

We will break down the key clauses commonly reviewed in a regulated fintech outsourcing contract, including:

  • Services descriptions and SLAs
  • Data protection and GDPR in outsourcing agreements
  • Confidentiality
  • Security
  • Audit and regulatory access rights
  • Termination and exit planning
  • Reporting obligations

Each post will build on the last, creating a practical framework you can actually use when negotiating or reviewing UK material outsourcing agreements.

Need bespoke support? Get in touch today.