Navigating Outsourcing Rules: MFSA, DORA & EBA Guide
Alejandro Martínez ·

Since January 2025, outsourcing rules for financial institutions have become significantly stricter. This guide breaks down MFSA, DORA, and EBA requirements to help you navigate critical classification and compliance.
Let's talk about something that's become as common as morning coffee in finance: outsourcing. Whether it's your core banking platform, compliance team, or that API integration with your payments provider, relying on third parties is just how business gets done these days. But here's the thing—since January 2025, the regulatory landscape has gotten significantly tougher. It's not just about finding the right vendor anymore; it's about navigating a complex web of rules that could make or break your compliance status.
I've been digging into the latest frameworks—MFSA's FIR/01 and FIR/03, DORA, and the EBA Guidelines—and I want to walk you through what really matters. Think of this as a conversation over coffee about what keeps compliance officers up at night.
### What Makes Outsourcing Critical or Important?
Not all outsourcing is created equal. The big question across all three regulatory frameworks is simple: if this service went down, would it materially affect your ability to operate? We're talking about functions where disruption means you can't meet obligations or stay compliant.
Classic examples everyone recognizes:
- Core banking systems
- Payment processing operations
- Key IT infrastructure
- Compliance and risk management functions
But here's where many institutions stumble—they treat compliance and internal audit as secondary functions. Under the new rules, that's a serious misstep.
### MFSA Rules: The Authorization Shift
MFSA's Financial Institutions Rulebook applies Banking Rule BR/14 through FIR/01 and FIR/03. The October 2025 overhaul of FIR/01 changed the game completely. Outsourcing arrangements are now assessed during the authorization stage, not just after you've got your license. That means you need your ducks in a row from day one.
FIR/03 handles ongoing obligations. You must formally classify every outsourced activity as critical or non-critical, with documented justification. You also need a written outsourcing policy covering oversight, risk management, and escalation protocols.
Here's the kicker from MFSA's 2025 review: institutions were consistently misclassifying compliance, risk management, and internal audit as non-critical. Under FIR/03 and BR/14, these are inherently critical functions. Getting this wrong isn't a technical error—it's a substantive compliance failure that could have real consequences.
### DORA's ICT Focus
For anything technology-related, DORA brings its own definitions. A service supports a "critical or important function" if its absence would substantially impair your performance, resilience, or regulatory compliance.
We're talking about:
- Cloud computing services
- Data center operations
- Managed security services
- Any ICT arrangement where dependency creates material risk
The definition is intentionally broad. When in doubt, assume it's important.
### EBA Guidelines: The Broad Net
The EBA Guidelines define critical functions as those where disruption would severely impair your ability to comply with authorization conditions, meet financial obligations, or maintain internal controls. Their formulation is deliberately broad—they'd rather you over-classify than under-classify.
As one compliance veteran told me recently: "When the EBA says 'when in doubt, classify up,' they mean it. That's not suggestion; that's expectation."
### The Concentration Risk Nobody's Talking About
Here's something that caught my attention from MFSA's review: multiple institutions were relying on the same small pool of outsourced compliance officers and internal auditors. We're talking about professionals working just a few hours per week across several institutions.
This raises serious questions:
- Is the function receiving adequate attention?
- Are conflicts of interest properly managed?
- Does this arrangement truly meet substance requirements?
It's not just about checking the compliance box anymore. It's about ensuring these critical functions have the time, attention, and independence they need to actually protect your institution.
The bottom line? Outsourcing isn't getting simpler. The frameworks are converging toward stricter oversight, earlier assessment, and clearer classification requirements. What used to be a procurement decision is now a core compliance consideration that needs board-level attention from the very beginning.