Intragroup outsourcing covers several distinct models that supervisors increasingly expect firms to map and manage separately, especially where cross‑border branches and subsidiaries are involved. The key distinctions turn on whether the service provider is part of the same legal entity (branch–head office) or a separate legal entity (parent–subsidiary or affiliate), which then drives how outsourcing rules bite, how contracts are structured, and how local management can evidence control.eba.europa+2
Branch–head office relationships
In a pure branch–head office relationship, both units form a single legal entity, with the head office retaining ultimate responsibility for the whole firm’s governance, risk management, and regulatory compliance. Many frameworks therefore exclude “intra‑entity” arrangements, such as a branch relying on head‑office IT or risk models, from the formal definition of outsourcing, on the basis that these are internal allocations of functions rather than transfers to a third party.twobirds+2
However, some authorities still require branches to document reliance on head‑office or other branch arrangements where this affects local operational resilience, data protection, or reporting obligations. This creates a grey area: while intra‑entity support may fall outside outsourcing rules, branches must still demonstrate that they can oversee services performed elsewhere in the same entity and meet local supervisory expectations.osfi-bsif+2
Parent–subsidiary intragroup outsourcing
Parent–subsidiary outsourcing involves a regulated entity delegating activities to a separate legal entity within the same group, such as a parent company service centre or a shared‑services subsidiary. Most regulators treat this squarely as outsourcing: intragroup providers are subject to essentially the same requirements as external third parties, albeit with some recognition that group control and common governance may mitigate certain risks.pwc+2
Even where a “lighter‑touch” approach is allowed, firms are expected to perform risk‑based due diligence, maintain written agreements, and ensure that intragroup arrangements do not create “letter‑box” entities that retain a licence but no real substance. Supervisors also emphasise that cross‑border intragroup outsourcing to a parent or global hub does not justify weakening exit strategies, concentration‑risk analysis, or data‑location assessments.bis+2
Branch outsourcing vs intragroup
A branch that outsources to a separate group entity—such as a regional service company or the parent bank incorporated abroad—is usually treated as entering into intragroup outsourcing, because the counterparty is a distinct legal person even if it shares ownership and governance. In this case, outsourcing rules apply in full: the branch must identify critical or important functions, maintain a local outsourcing register, and ensure that contractual terms allow it and its home regulator effective access and audit rights.fca+2
By contrast, where one branch relies on another branch or the head office within the same legal entity, some regimes explicitly state that this should not be regarded as outsourcing at all, though they may still expect appropriate documentation under broader governance or operational‑resilience standards. This divergence in treatment means that mapping the legal‑entity perimeter is critical before classifying a given arrangement as branch–head‑office support, intragroup outsourcing, or a combination of both in complex service chains.asifma+3
Supervisory perspectives and arbitrage
Supervisors increasingly highlight that intragroup outsourcing is not inherently less risky than external outsourcing, particularly where critical functions, cross‑border data transfers, or centralised cloud or IT platforms are involved. Guidance from bodies such as the FSB, IOSCO, and the Basel Committee underlines that concentration risk, weak exit strategies, and opaque service chains can all arise within groups and may impair resolvability if not managed.iosco+3
Industry bodies and some national frameworks nevertheless argue for calibrated obligations that reflect shared culture, integrated risk management, and the parent’s ability to influence intragroup service providers, especially for non‑critical support functions. This tension between “same‑risk, same‑rules” and “intragroup proportionality” creates scope for supervisory arbitrage, for example where firms structure services as intra‑entity branch support rather than parent–subsidiary outsourcing to avoid stricter documentation or location requirements.lw+2
Intragroup outsourcing models
| Model | Legal‑entity configuration | Typical direction of services | Outsourcing status in many regimes | Key regulatory focus points |
|---|---|---|---|---|
| Branch–head office (intra‑entity support) | Single legal entity; domestic or cross‑border branches relying on head office or other branches.osfi-bsif+1 | Centralised functions (IT, risk, treasury, compliance) delivered by head office or major branch to local branches.lw+1 | Often not classified as outsourcing (“intra‑entity” or internal allocation), though some regimes require documentation under governance or operational‑resilience rules.asifma+1 | Clear allocation of responsibilities, ability of local management to oversee services, data access for local supervisors, and avoidance of de facto “empty‑shell” branches.lw+1 |
| Parent–subsidiary intragroup outsourcing | Separate legal entities under a common parent; may involve regulated and non‑regulated entities.eba.europa+1 | Parent or shared‑service subsidiary provides operational, IT, risk, or back‑office services to regulated subsidiaries.ebf+1 | Explicitly treated as outsourcing; subject to full outsourcing framework, sometimes with proportional relief recognising group control and integration.eba.europa+1 | Formal contracts, risk‑based due diligence, outsourcing registers, access and audit rights, cross‑border risk (data, supervision), and prevention of “letter‑box” entities.eba.europa+1 |
| Subsidiary–parent (upstream) outsourcing | Regulated subsidiary outsources key functions back to parent bank or holding company.eba.europa+1 | Parent provides senior management, risk, treasury, or compliance functions to subsidiary.ebf+1 | Also treated as intragroup outsourcing; some regulators scrutinise closely where subsidiary’s mind‑and‑management is effectively at group level.eba.europa+1 | Local substance and decision‑making, conflicts of interest between group and subsidiary, resolvability and continuity in resolution, and host–home supervisory cooperation.bis+1 |
| Subsidiary–subsidiary or affiliate outsourcing | Sister entities within the same group (e.g. regional service hubs, specialised IT companies).eba.europa+1 | One subsidiary performs niche or regional functions (payments processing, data centres, call centres) for others.pwc+1 | Intragroup outsourcing; generally subject to standard outsourcing requirements, sometimes benefiting from group‑wide due‑diligence and contract templates.eba.europa+1 | Concentration risk in single hubs, cross‑border data transfers, operational resilience (including third‑country risk), and clear delineation of responsibilities between entities.pwc+1 |
| Branch to separate group entity (branch–affiliate) | Branch of Entity A outsources to legal‑entity B within the same group (parent or affiliate).fca+1 | Centralised service company or parent provides IT, HR, or operations to branch.centralbank+1 | Treated as intragroup outsourcing because the provider is a separate legal person; branch must meet full outsourcing requirements locally.eba.europa+1 | Local branch accountability, host‑state register and notification requirements, enforceability of contracts across borders, and supervisory access to group provider.eba.europa+1 |
-
Basel Committee on Banking Supervision and IOSCO. Outsourcing in Financial Services. February 2005. https://www.bis.org/publ/joint12.pdf.bis
-
- https://www.eba.europa.eu/sites/default/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf
- https://www.fca.org.uk/firms/outsourcing-and-operational-resilience
- https://www.twobirds.com/-/media/pdfs/news/articles/2021/global/bird–bird-pan-european-outsourcing-guide_june-2021.pdf
- https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/outsourcing-business-activities-functions-processes
- https://www.asifma.org/wp-content/uploads/2018/07/leading-principles-for-regulation-of-outsourcing.pdf
- https://www.lw.com/admin/Upload/Documents/Thought%20Leadership/outsourcing-the-legal-and-regulatory-framework.pdf
- https://www.pwc.ch/en/publications/2019/EBA_Outsourcing_Guidelines_EN_web.pdf
- https://www.centralbank.ie/docs/default-source/publications/consultation-papers/cp138/cross-industry-guidance-on-outsourcing.pdf
- https://www.bis.org/publ/joint12.pdf
- https://www.centralbank.ie/docs/default-source/regulation/outsourcing-registers/guidance-notes-outsourcing-register-template-markets-firms.pdf?sfvrsn=582e941d_2
- https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2021/ss221-march-21.pdf
- https://www.iosco.org/library/pubdocs/pdf/IOSCOPD687.pdf
- https://www.ebf.eu/wp-content/uploads/2018/09/EBF-final-comments-on-the-EBA-draft-GLs-on-outsourcing.pdf
- https://eyfinancialservicesthoughtgallery.ie/cross-industry-guidance-on-outsourcing/
- https://www.gfsc.gg/sites/default/files/Outsourcing-Risk-Guidance-Note-for-Banks.pdf
- https://www.fsb.org/uploads/P091120.pdf
- https://www.deloitte.com/uk/en/blogs/ecrs/re-evaluating-intra-group-arrangements-for-the-compliance-function.html
- https://www.bankofengland.co.uk/paper/2023/ss/outsourcing-third-party-risk-management-ss-central-securities-depositories
- https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-outsourcing-arrangements
- https://www.cssf.lu/wp-content/uploads/cssf22_806eng.pdf
Leave a Reply