4 September 2025

Cooperation And Outsourcing In The Financial Sector: Practical Lessons For Complex Contract Negotiations

Outsourcing in the financial sector is highly regulated, technically complex and involves many stakeholders. This article highlights key distinctions, negotiation pitfalls and legal focus areas, and gives practical guidance on how to structure cooperation and outsourcing agreements effectively.
Germany Finance and Banking
Alexis Daranyi, DMR Legal

A. Introduction

Negotiating and drafting cooperation and outsourcing agreements in the financial sector can be challenging. Such projects tend to be legally and technically complex, involve many different stakeholders, and take place in an environment where errors tend to be avoided at all costs. This article provides a practical overview of the key issues and potential solutions.

Financial companies cooperate for a variety of reasons, such as expanding their product range, gaining access to new technology, improving efficiency and reaching new customers and markets. IT services are especially important in the context of digitalization. While this is not unique to the financial sector, its heavy regulation makes cooperation and outsourcing particularly demanding.

There are three main factors that create difficulties:

  • High complexity: A wide range of legal areas must be taken into account, including national and EU law, regulatory guidance, and industry standards. Furthermore, the IT systems used by banks and financial institutions are extremely complex.
  • Many stakeholders: Negotiations typically involve not only business departments but also compliance, data protection officers, anti-money laundering officers, internal audit, risk control, and legal teams.
  • Low tolerance for mistakes: Because institutions are constantly reviewed by auditors and regulators (BaFin, Bundesbank and ECB), they tend to be risk-averse, which slows down negotiations.

A striking example is the 15-year-long "Unity" IT migration project undertaken by Deutsche Bank and Postbank and involving a technology provider, which was heavily monitored by regulators due to technical problems and customer complaints.

B. Key Distinctions

When negotiating such contracts, it helps to clarify the type of cooperation required:

  • Within the sector or cross-sector: Are both parties financial institutions, or does one come from another industry, such as IT? Cross-sector deals often involve higher compliance risks.
  • Material outsourcing: Strict regulatory requirements apply if outsourced activities are essential for core banking or financial services. In contrast, non-material outsourcing is subject to simpler rules.
  • Different legal areas: For example, data protection involves different roles for controllers and processors, anti-money laundering may involve reliable third parties such as other financial institutions (e.g. banks), and under cybersecurity law (DORA), ICT third-party risk management is the relevant criterion.
  • Customer perspective: It is important to determine whether end customers have contracts with one or both parties, as this defines how responsibilities are allocated.
  • Provider of the regulated service: Typically, the party that holds the customer contract is also the provider of the regulated service, but this is not always the case.

C. Negotiation Aspects

Besides the legal details, how negotiations are managed is also critical:

  • External lawyers can help with the management of complex documents and ensure early legal advice.
  • Standard contracts vs. tailored contracts: Standard terms from banks may not fit unique projects, so a custom draft could be a faster solution.
  • Identifying and involving all stakeholders early on can prevent late-stage conflicts.
  • Regulator notifications and approvals should be clarified early on.
  • Internal policies should not be used as opaque arguments; requirements should be explained based on mandatory legal requirements.
  • Negotiation style: A principle-based approach, which involves explaining positions with objective criteria, is often better than pure positional bargaining.

Since such negotiations often take 6–18 months, effective process management is as important as the legal content.

D. Key Legal Areas

The following topics regularly arise in negotiations:

  1. Financial Regulatory Law
    • Information and audit rights: Regulators and authorities must be granted unrestricted rights to inspect outsourced activities, while internal and external auditors may be limited to more narrowly defined access rights.
    • Material vs. non-material outsourcing: Only material outsourcing requires a full set of regulatory controls. A careful classification helps avoid unnecessary and extensive obligations.
    • Sub-outsourcing: Any sub-outsourcing must be notified and should be subject to reasonable objection rights rather than mandatory approvals at the free discretion of the outsourcing financial institution.
    • Business continuity: Contracts must ensure that essential services remain available during crises, for example through backup providers or escrow agreements.
    • Sustainability (ESG, supply chain laws): This topic is becoming increasingly important, and future contracts will need to address corresponding reporting and compliance obligations.
  2. Anti-Money Laundering Regime and Sanctions Compliance
    • Reliable third parties: The law distinguishes between parties that are deemed reliable automatically (e.g. banks) and those that require a bespoke contract with certain mandatory stipulations.
    • Due diligence duties: Tasks such as customer identification or checking for politically exposed persons (PEPs) must be clearly defined.
    • Sanctions checks: These obligations are legally separate from AML and usually require a full outsourcing agreement.
  3. IT, Cybersecurity, and Data Protection
    • Bridging law and IT: Lawyers must have a solid understanding of technical details to avoid misunderstandings.
    • Critical infrastructure: If the outsourcing arrangement concerns essential banking services, strict security requirements may apply and necessitate certain standard provisions to be reflected in the agreement.
    • Data protection: Depending on who processes the customer data, the parties may act as processors, controllers, or joint controllers, each with distinct responsibilities. Determining who processes which data in which capacity is key.
    • Cloud services: While widely used, cloud services must be structured to ensure full compliance with EU law, including the use of EU-based data centers and standard contractual clauses for any data transfers outside of the EU.
    • Standards and certifications: Certifications such as ISO standards can help reduce audit efforts.
    • Software escrow: Escrow agreements ensure access to source code if a provider fails, thereby supporting business continuity. The terms must be carefully drafted to balance the legitimate interests of both parties.
  4. Contract and Civil Law
    • Intellectual property: Rights to software and source code must be carefully addressed, especially in SaaS and escrow cases.
    • Change of control clauses: Such clauses allow banks to terminate if the provider is acquired by unsuitable owners (e.g., competitors, companies of bad repute). However, the scope of applicability needs to be clear and concise.
    • Customer contracts: If both parties serve the same customers, their respective rights and responsibilities must be clearly agreed upon, including provisions on what happens when the cooperation or underlying contracts come to an end.
    • Liability and insurance: Liability must be balanced with the provider's insurance coverage. Excessively strict obligations are impractical if the related risks cannot be insured.

E. Conclusion and Outlook

  • The main challenges are legal complexity, the large number of stakeholders, and a risk-averse culture.
  • Useful distinctions include whether the outsourcing is material, whether both parties are financial institutions, and which party deals directly with customers.
  • Negotiation management is as important as legal content – external advisors, tailored contracts, and early stakeholder involvement are key.
  • The three main legal areas are: (1) financial regulatory law & AML, (2) IT, cybersecurity and data protection, and (3) contract and civil law.
  • Future agreements will increasingly need to address sustainability (ESG, supply chain law and reporting) and artificial intelligence. The EU AI Act requires transparency, fairness and security in the use of AI, which will make contracts even more complex.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
