The European Banking Authority (EBA) is an independent EU authority that ensures effective and consistent regulation and supervision across the European banking sector. In early 2019, the EBA published revised Guidelines on Outsourcing Arrangements, including specific provisions for financial institutions’ governance of outsourcing arrangements and the related supervisory processes. These guidelines are consistent with the outsourcing requirements under the Payment Services Directive (PSD2), the Markets in Financial Instruments Directive (MiFID II), and Commission Delegated Regulation (EU) 2017/565.
The EBA Guidelines set out the internal governance arrangements that credit institutions, payment institutions and electronic money institutions should implement when outsourcing internal services, activities or functions. Recognizing the vast supplier ecosystem in financial services, the EBA dedicated 70 pages to the management of outsourcing in the financial services industry.
The EBA Guidelines require robust management and tracking of service provider risks. They specify that a policy for managing that risk should be in place, including internal controls-based assessments and continuous monitoring of third-party outsourcing arrangements. The policy should be codified in a contract between the financial institution and the service provider, with proper documentation and reporting to support both remediation efforts and audits.
These requirements represent a full set of controls implemented across the outsourcing organization and are well beyond the scope of a simple automated scan of external-facing infrastructure. In particular, institutions must:

- Distinguish outsourcings that are “critical or important” from those that are not
- Perform due diligence in the outsourcing selection process
- Enable proper risk assessment, whereby all potential operational risks are identified, managed, monitored and reported
- Require contracts that set out rights of access and audit for the banks and their regulators to ensure effective oversight
- Perform ongoing assessment and continuous monitoring, with clear reporting to senior management
- Make all documentation available to authorities for transparency
- Define a clear exit strategy in the event of a failure by the service provider
Meeting EBA TPRM Guidelines
Here's how Prevalent can help you address EBA third-party risk management guidelines:
| EBA Guidelines | How We Help |
|---|---|
| Title II – Assessment of Outsourcing Arrangements: “Particular attention should be given to the assessment of the criticality or importance of functions if the outsourcing concerns functions related to core business lines.” | The Prevalent Assessment solution enables financial institutions to classify third parties based on their importance to the organization. A selection of customizable questionnaires enables you to match the assessment requirements to the level of risk presented by the relationship. |
| Title III – Governance Framework: “Institutions and payment institutions should have a holistic institution-wide risk management framework to identify and manage all their risks, including risks caused by arrangements with third parties.” | Prevalent delivers the industry’s only purpose-built, unified platform for third-party risk management. Our solution automates the inside-out process of vendor risk assessments while including proactive continuous monitoring using an outside-in approach to reduce risk and meet the demands of regulatory compliance. |
| Title III – Governance Framework: “Institutions and payment institutions should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed.” | The Prevalent Assessment service offers security, privacy, and risk management professionals an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels. |
| Title III – Governance Framework: “When outsourcing, institutions and payment institutions should at least ensure that: | The Prevalent Third-Party Risk Management platform provides a complete solution to perform assessments, including questionnaires; an environment to include and manage documented evidence in response; workflows for managing the review and addressing findings; and robust reporting to give each level of management the information it needs to properly review the third party’s performance. |
| Title III – Governance Framework: “The internal audit function’s activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions.” | The Prevalent Third-Party Risk Management platform includes effective reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process. |
| Title III – Governance Framework: “With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation to meet its obligations. Additional factors to be considered include its business model, nature, scale, complexity, financial situation, ownership and group structure.” | The Prevalent Cyber & Business Monitoring service provides both snapshot and continuous vendor monitoring for immediate notification of high-risk issues, prioritization, and remediation recommendations. Data security and business risk monitoring enables you to look beyond tactical vendor health for a more strategic view of a vendor’s overall information security risk. Prevalent is unique in that it offers business risk monitoring that leverages human analysts to interpret potential operational, brand, regulatory, legal, and financial risks. Examples include: |
| Title III – Governance Framework: “Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis.” | The Prevalent Third-Party Risk Management platform provides a complete solution to perform assessments, including questionnaires; an environment to include and manage documented evidence in response; workflows for managing the review and addressing findings; and robust reporting to give each level of management the information it needs to properly review the third party’s performance. |
| Title III – Governance Framework: “Institutions and payment institutions should ensure that the service provider grants them: | The Prevalent Assessment solution ensures service providers implement the exact, agreed-upon requirements with regular tracking and verification. Robust reporting and full audit capabilities streamline proper performance review. Access to completed assessments and audits can be delegated to auditors via standard RBAC capabilities in the platform. |
| Title III – Governance Framework: “Institutions and payment institutions may use: | Prevalent’s Vendor Evidence Sharing Networks are repositories of completed, validated vendor questionnaires and supporting evidence that eliminate the tedious, time- and resource-consuming process of collecting data from scratch. Prevalent offers both horizontal and vertical networks to speed assessment and collaboration within the community. |
| Title III – Governance Framework: “Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function.” | In addition to facilitating automated, periodic internal control-based assessments, the platform also provides cyber security and business monitoring, continually assessing third-party networks to identify potential weaknesses that could be exploited by cyber criminals. Prevalent also offers penetration testing as-a-service to help customers investigate vendor network operations at a much more granular level. With the integration of internal assessments, external cyber monitoring and penetration testing, covered entities gain a complete view of vendor risks plus clear and actionable remediation guidance to address those risks. |
| Title III – Governance Framework: “Institutions and payment institutions should ensure that outsourcing arrangements meet appropriate performance and quality standards in line with their policies by: a. ensuring that they receive appropriate reports from service providers; b. evaluating the performance of service providers using tools such as key performance indicators, key control indicators, service delivery reports, self-certification and independent reviews; and c. reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing.” | The Prevalent Assessment service captures and audits conversations and matches documentation or evidence against risks. Visually appealing and coherent dashboards provide a clear overview of tasks, schedules, risk activities, survey completion status, agreements, and associated documents. |
| Title III – Governance Framework: “If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions.” | The Prevalent solution includes bi-directional workflow and shared communication mechanisms to track findings and remediate issues. |