What Are The EBA Outsourcing Guidelines?

The European Banking Authority (EBA) Outsourcing Guidelines aim to establish a more harmonised framework for financial entities, including credit institutions and investment firms subject to the Capital Requirements Directive (CRD), as well as payment and electronic money institutions.

Recently, the EBA published a consultation paper on draft Guidelines for the sound management of third-party risk by financial institutions which, once finalised, will replace the EBA's 2019 Outsourcing Guidelines. The draft guidelines propose guidance on the management of risk when firms rely on third-party service providers (TPSPs).

Once adopted, the new Guidelines will create a unified framework for non-ICT third-party arrangements. Non-ICT services will face supervisory standards similar to those set for ICT third-party services by the Digital Operational Resilience Act (DORA).

Key Changes To The EBA Outsourcing Guidelines

  • The EBA Guidelines now cover all third-party non-ICT services, not just outsourcing. Examples include administrative tasks (like document management and payroll services), cash management, customer-facing roles (such as contact centres and complaints), and internal controls (compliance, data protection).
  • Financial entities must maintain a register of information covering all third-party service arrangements; this mirrors the DORA register of information for ICT services.
  • Proportionality Principle – Financial entities are required to select and evaluate potential TPSPs, ensuring that their due diligence is proportionate to the significance or criticality of the service involved. The 2019 guidelines are expanded to include the assessment of additional risks such as credit risk, market risk, ESG risk, and AML/CFT risk.
  • All third-party arrangements must include a minimum set of contractual provisions, not just contracts that support ‘critical or important’ functions. Core mandatory contractual requirements, detailed in s4(12), include, but are not limited to:
      • a clear and complete description of all functions to be provided by the TPSP
      • the location where the function will be provided and where the data is processed, including storage
      • a guarantee that data owned by the financial entity can be accessed, recovered and returned in the case of the insolvency, resolution or discontinuation of business operations of the TPSP
      • termination rights

How can we help?

  1. Review and draft contracts: ensuring compliance with the upcoming EBA Guidelines.
  2. Risk assessments: identifying gaps in existing contractual agreements.
  3. Regulatory updates: keeping your business up to date with evolving EU regulations, including support for a smooth transition from the 2019 Guidelines to the new regime.

Can Waterfront assist you with any of the above? Reach out to Andrew Gordon.