
EBA Consultation Paper on Draft Guidelines on the Management of Third-Party Risk

1. Executive Summary


The European Banking Authority (EBA) is updating its 2019 guidelines on outsourcing to establish a more comprehensive and harmonised framework for managing risks associated with all types of third-party arrangements, not just traditional outsourcing. The update aims to align with recent EU legislation, including the Digital Operational Resilience Act (DORA), the Markets in Crypto-Assets Regulation (MiCAR), and the Investment Firms Directive (IFD).


Core Objectives & Principles:


  • Broader Scope: The framework moves beyond "outsourcing" to cover all "third-party arrangements" for non-ICT services. ICT-related risks are now primarily governed by DORA.

  • Harmonisation: To create a level playing field by applying a consistent set of rules to a broader range of financial entities.

  • Ultimate Responsibility: The management body of a financial entity remains fully responsible and accountable for all risks, including those arising from third-party arrangements and transactions. The use of a third-party service provider (TPSP) does not transfer this responsibility.

  • Proportionality: The application of the guidelines should be proportionate to the financial entity's size, internal organisation, and the nature, scale, and complexity of its activities and the risks involved.

  • Focus on Criticality: Stricter, more detailed requirements apply to arrangements involving "critical or important functions," defined as functions whose disruption would materially impair the entity's financial performance, soundness, continuity of services, or regulatory compliance.

  • Preventing 'Empty Shells': The guidelines aim to prevent financial entities from becoming 'letter-box' entities that lack the substance required to remain authorised.

  • Supervisory Oversight: To enhance the ability of competent authorities to supervise financial entities and monitor concentration risks at both the firm and systemic levels.


2. Key Requirements and Changes


The draft guidelines introduce several significant requirements organised across the lifecycle of a third-party arrangement.


Title I-II: Scope, Proportionality, and Assessment

  • Expanded Addressees: The guidelines now apply to:

    • Credit institutions (CRD)

    • Most investment firms (IFD)

    • Payment and electronic money institutions (PSD2/EMD)

    • Issuers of asset-referenced tokens (MiCAR)

    • Creditors under the Mortgage Credit Directive (MCD)

  • Defining Criticality: Financial entities must establish a straightforward methodology to identify critical functions. The guidelines provide specific criteria, including their impact on regulatory compliance, financial performance, and service continuity. Functions related to core business lines or internal controls are likely to be deemed critical to the organisation's operations.


Title III: Governance Framework


  • Policy on Third-Party Risk: The management body must approve and regularly review a formal, written policy covering the entire lifecycle of third-party arrangements.

  • Documentation (The Register): Financial entities must maintain an updated register of information on all third-party arrangements. This register is analogous to the one required under DORA for ICT services and should contain detailed information, especially for critical functions (e.g., subcontractors, audit dates, exit plan status).

  • Business Continuity & Internal Audit: Entities must have robust, tested business continuity plans for critical functions provided by TPSPs. The internal audit function's scope must include a risk-based review of these arrangements.


Title IV: The Third-Party Arrangement Process


  • Pre-Contractual Phase:

    • Due Diligence: Thorough due diligence on the prospective TPSP's financial health, capabilities, reputation, and control environment.

    • Risk Assessment: A comprehensive assessment of all relevant risks, including operational, reputational, legal, and concentration risks.

    • Third-Country Providers: Stricter conditions apply when using a TPSP in a third country for core activities, including requirements for the TPSP to be supervised and for a cooperation agreement to exist between the EU and third-country authorities.

  • Contractual Phase:

    • Written agreements must clearly define rights and obligations. For critical functions, contracts must include specific clauses on service levels, reporting, business continuity, and, crucially, access, information, and audit rights for the financial entity and its competent authorities.

    • Subcontracting: The contract must specify if subcontracting of critical functions is permitted and under what conditions. The financial entity must be notified of and have the right to object to material subcontracting changes.

  • Monitoring & Exit:

    • Ongoing Monitoring: Continuous, risk-based monitoring of the TPSP's performance against agreed service levels.

    • Exit Strategies: A documented and tested exit plan is mandatory for every critical function. This plan must ensure the entity can transfer the function to another provider or reintegrate it without undue disruption.


3. Key Implications for Financial Entities


  • Operational Overhaul for Documentation: The requirement to create and maintain a detailed register of all non-ICT third-party arrangements is a significant operational task. Firms must first inventory every relationship, assess its criticality, and then gather and maintain the extensive data points required by the guidelines.

  • Increased Governance Burden: The management body's direct accountability is intensified. Policies, risk assessments, and decisions on critical arrangements will require formal approval and regular review at the highest level, demanding more time and expertise from senior management and board members.

  • Contract Renegotiation: Many existing contracts, especially for functions now deemed critical or important, will likely need to be reviewed and renegotiated to include the mandatory clauses on audit rights, access for supervisors, subcontracting conditions, and exit support. This may prove challenging and costly, particularly with large, established providers.

  • Broader Risk Management Scope: Risk management frameworks must be expanded to cover all third-party arrangements, not just those explicitly classified as outsourcing. This includes assessing concentration risk not only from a single provider but also from multiple arrangements across the entity.

  • Enhanced Focus on Operational Resilience: The mandate for tested exit plans for critical functions moves this from a theoretical exercise to a practical necessity. Firms must invest in developing and testing realistic transition plans, identifying alternative providers, and ensuring they can recover data and processes effectively.

  • Scrutiny of Third-Country Arrangements: Firms relying heavily on providers in third countries will face higher hurdles. They must verify the provider's regulatory status and ensure that the necessary supervisory cooperation agreements are in place, which may limit their choice of providers.


4. Implications for Competent Authorities


  • Data-Driven Supervision: The registers will provide supervisors with an unprecedented level of data, enabling them to identify concentration risks at the entity, sector, and systemic levels (e.g., over-reliance on a single TPSP by many banks).

  • Harmonised Supervisory Approach: The guidelines provide a common framework for assessing third-party risk management across various types of financial entities and Member States, thereby fostering supervisory convergence.

  • Increased Supervisory Workload: Authorities will be expected to review information on planned critical arrangements, analyse the registers, and conduct more targeted risk assessments. This may lead to more frequent and in-depth on-site inspections of both financial entities and, where necessary, their third-party providers.

