Ten years on from the bankruptcy of Lehman Brothers and its subsequent economic impact, Non-Performing Loans (NPLs) continue to be a strong focus for European regulators. Although the total stock of European NPLs has fallen over the last two years, a combination of factors including poor governance, a lack of clear NPL strategies and a shortage of resolution mechanisms mean that they remain too high.

Since 2016, regulatory requirements have encouraged banks to develop sustainable, proactive and efficient NPL management models that span the credit lifecycle. However it is clear that many banks still need to develop effective NPL reduction strategies. Such strategies typically include adopting a combination of “make or buy”, or internal and external approaches:

  • Internally, banks are working on managing the drivers of NPL growth. This includes, amongst others, revising loan origination and underwriting processes, building fast and efficient early warning systems and stimulating the “credit culture” across the bank.
  • Externally, banks are building strategic options for NPL management (from asset sale to structured credit). This often means 'outsourcing' workout loan activities through a partnership with a specialist third party service provider.

This outsourcing approach - creating platforms or entities to service NPLs and manage creditor repayments - is becoming a well-established way for banks to meet regulatory targets for NPL reduction. Service providers typically offer due diligence and assessment of NPL portfolios, take on NPL management and implement collection strategies through bulk legal and out-of-court processes.

The market for outsourcing NPLs is becoming more developed throughout Europe. There is also an emerging trend for larger investors holding NPLs to acquire the relevant banks' service providers, with the aim of consolidating and expediting the NPL acquisition process. For example, April 2018 saw Intesa Sanpaolo and Swedish credit management company Intrum enter into a long term strategic partnership to service Intesa´s bad-loan portfolios, together with the disposal (and securitisation) of a sizeable NPL portfolio (€10.8 billion GBV) of Intesa to Intrum and CarVal Investors.

The growth of NPL outsourcing has not gone unnoticed by the European banking authorities. Supervisors welcome NPL reduction, but are keen to ensure that the outsourcing of NPL management is a safe and sustainable solution. An example comes from the recent sale of Permanent TSB's €2.1 billion NPL (GBV) portfolio to an external servicer. Following this transaction, the ECB reminded the Central Bank of Ireland that excessive NPL outsourcing could restrict banks' long-term lending abilities and might lead to higher costs for borrowers.

So what are the key regulations that banks should consider when taking strategic decisions over NPL outsourcing? And how should banks prepare for further supervisory focus on this topic?

The EBA's draft guidelines on outsourcing arrangements govern the establishment of outsourcing frameworks and set out regulatory expectations regarding processes relating to outsourcing. The draft guidelines were published in June 2018 and will take effect from 30 June 2019. They cover the implementation and application of credit and payment institution outsourcing, both to external providers as well as intra-group; the due diligence and risk assessments required; and subsequent arrangements that such institutions need to make to ensure the availability, integrity, and security of data and information as well as to maintain ongoing monitoring of such arrangements. In addition, the ECB's guidance on NPLs (PDF 1.98 MB), published in March 2017, also makes reference to the general requirements and Guidelines on the outsourcing of activities by banks of the EBA. 

Based on these guidelines, we see the following as being among the most important points for banks to consider when setting up NPL outsourcing arrangements.


  • Outsourcing cannot result in the delegation of management bodies' responsibilities. Management is fully responsible and accountable for setting strategies and policies, day-to-day risk management and general supervision. Outsourcing policies should be documented, approved by the management board and cover managing body responsibilities, business lines, internal control functions and other aspects of outsourcing arrangements as well as the criticality of the function in the process of being outsourced;
  • The ECB's NPL guidance also states that management boards must approve NPL policies, ensure sufficient internal controls, and oversee and monitor the implementation of the NPL strategy.
  • Banks that outsource NPL functions must therefore ensure, in order to adhere to the regulatory requirements, that they maintain a register that includes for all outsourcing arrangements information such as, a description of the function, its criticality and confidentiality of information as well as information on the last audits etc.

Due Diligence

  • Institutions must ensure that any service provider has the ability, capacity, resources and organisational structure to perform all critical functions. In addition the treatment of data, including personal data and data transfers should be monitored. Banks should be comfortable that service providers have implemented appropriate technical and organisational controls over data.
  • The ECB's guidance requires high NPL banks to regularly review the adequacy of their internal and external NPL workout resources, and to regularly determine their capacity needs.
  • Additionally, since NPLs include detailed data tapes with sensitive information on companies and individuals, institutions that outsource the management of NPLs must be aware that they need to monitor the data privacy and transfer requirements and that service providers comply with appropriate information security standards.

Internal Audit

  • The EBA Outsourcing Guidelines puts a focus on banks' internal audit function, and notes that banks should have the information and rights to audit critical or important functions. At a minimum, internal audit should ascertain that the outsourced institution framework policy is correctly and effectively implemented, and has the appropriate involvement of governance bodies. 
  • Unlike the leveraged finance guidelines, the ECB's NPL guidance does not explicitly set out internal audit responsibilities for the disposal of NPLs. So it is crucial for banks outsourcing NPL functions to recognise the need for audit rights, and to have a dedicated and knowledgeable internal audit function with sufficient understanding of the NPL lifecycle and its related risks.

The above list is not exhaustive, and though the EBA Outsourcing Guidelines are yet to be finalised, banks should be preparing appropriate safeguards to cope with regulatory expectations. The ECB has made it clear that outsourcing could give rise to more supervisory requirements for banks, and that it may need expanded rights to supervise varying aspects of banks' NPL strategies.

That could lead to an increase in regulatory costs, additional complexity in structuring the scope of the transaction (outsourcing vis-à-vis insourcing of certain activities), as well as having potential implications for the SREP for banks that are not fully compliant. At a time where banking supervision is increasingly focused on ICT topics, including an increase in onsite inspections where outsourcing risk is a common finding with costly remediation plans, banks should continue to be aware of the regulatory focus and the potential enlargement of the scope in the supervisors’ weaponry.

Connect with us