Editor’s Note: In this week’s edition of our blog series, Third-Party Risk Management: How to Stay Off the Regulatory Radar, we take a look at the European Banking Authority (EBA) requirements related to third parties. Please be sure to review all the blogs in this series, and download the white paper for a complete examination of requirements.
The European Banking Authority (EBA) is an independent EU authority that works to ensure effective and consistent regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency, and orderly functioning of the banking sector.
In early 2019, the EBA published its revised Guidelines on Outsourcing Arrangements. The guidelines set out the governance framework that financial institutions within the scope of the EBA's mandate must apply to their outsourcing arrangements, together with the related supervisory expectations and processes. The EBA's earlier Recommendations on outsourcing to cloud service providers, published in December 2017, are integrated into the guidelines, and the guidelines are consistent with the outsourcing requirements under the revised Payment Services Directive (PSD2), the Markets in Financial Instruments Directive (MiFID II) and the Commission's Delegated Regulation (EU) 2017/565.
Recognizing the breadth of the financial services ecosystem and the many kinds of integrated services it relies on, the EBA devoted roughly 70 pages to the management of outsourcing in the financial services industry, plus another 55 pages of responses to comments received on the draft guidelines.
Highlights from these requirements include a sound outsourcing framework that:
Prevalent can help address these requirements. For the purposes of this blog, however, we have summarized select EBA requirements and identified Prevalent Third-Party Risk Management Platform capabilities that demonstrate the breadth and value you can gain from our complete TPRM platform. For a complete listing of the EBA requirements and how Prevalent capabilities map directly into them, please be sure to download the white paper, Satisfying Compliance with Third-Party Risk Management Requirements.
To address EBA requirements, Prevalent:
The EBA guidelines require robust management and tracking of service provider risks. They specify that a written policy for managing outsourcing risk should be in place, including controls-based assessments of the provider's internal controls and continuous monitoring of third-party outsourcing arrangements. The obligations that flow from that policy should be codified in the written contract between the financial institution and the service provider, with documentation and reporting sufficient to track remediation efforts and to support audit and supervisory review.
Prevalent’s Third-Party Risk Management solution provides a complete framework for implementing the management, auditing, and reporting of third-party supplier risk. Contact us today for a live demo, or register to watch a recorded demo of these capabilities.
Next week’s blog examines the HIPAA Security Rule.