
How to Meet European Banking Authority Third-Party Risk Requirements

The EBA Guidelines set out the internal governance arrangements that credit, payment, and electronic money institutions should implement when outsourcing internal services, activities, or functions. The guidelines became effective on September 30, 2019.

by Scott Lang, VP, Product Marketing

October 3rd, 2019


Editor’s Note: In this week’s edition of our blog series, Third-Party Risk Management: How to Stay Off the Regulatory Radar, we take a look at the European Banking Authority (EBA) requirements related to third parties. Please be sure to review all the blogs in this series, and download the white paper for a complete examination of requirements.

The European Banking Authority (EBA) is an independent EU authority that works to ensure effective and consistent regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency, and orderly functioning of the banking sector.

In early 2019, the EBA published revised Guidelines on Outsourcing Arrangements, including specific provisions for financial institutions’ governance frameworks within the scope of the EBA's mandate with regard to their outsourcing arrangements and related supervisory expectations and processes. The recommendation on outsourcing to cloud service providers, published in December 2017, is integrated into the guidelines. These guidelines are consistent with the requirements on outsourcing under the Payments Services Directive (PSD2), the Markets in Financial Instruments Directive (MiFID II) and the Commission's Delegated Regulation (EU) 2017/565.

The EBA, recognizing the vast ecosystem in financial services and the various types of integrated services used, dedicated 70 pages to the management of outsourcing in the financial services industry, plus another 55 pages for responses to comments on these guidelines.

Highlights from these requirements include a sound outsourcing framework that:

  • Distinguishes outsourcing arrangements that are “critical or important” from those that are not
  • Performs due diligence in the outsourcing selection process
  • Enables proper risk assessment, whereby all potential operational risks are identified, managed, monitored and reported
  • Requires contracts that set out rights of access and audit for the banks and their regulators to ensure effective oversight
  • Performs ongoing assessment and continuous monitoring, with clear reporting to senior management
  • Makes available to authorities all documentation for transparency
  • Defines a clear exit strategy in the event of a failure by the service provider

Meeting EBA Third-Party Risk Requirements with the Prevalent TPRM Platform

Prevalent can help address these requirements. For the purposes of this blog, however, we have summarized select EBA requirements and identified Prevalent Third-Party Risk Management Platform capabilities that demonstrate the breadth and value you can gain from our complete TPRM platform. For a complete listing of the EBA requirements and how Prevalent capabilities map directly into them, please be sure to download the white paper, Satisfying Compliance with Third-Party Risk Management Requirements.

To address EBA requirements, Prevalent:

  • Enables financial institutions to classify third parties based on their importance to the organization according to Title II – Assessment of Outsourcing Arrangements, section 4 - Critical or important functions, Paragraph 30.
  • Unifies and manages the process of vendor risk assessments to address the requirements in Title III - Governance Framework, section 5 - Sound governance arrangements and third-party risk, Paragraphs 32 and 33.
  • Provides a complete solution for performing assessments, including questionnaires; an environment for collecting and managing documented evidence submitted in response; workflows for managing the review and addressing findings; and robust reporting that gives each level of management the information it needs to properly review the third party's performance, addressing Title III - Governance Framework, section 6 - Sound governance arrangements and outsourcing, Paragraph 40(c) and Title III - Governance Framework, section 13.2 Security of data and systems, Paragraph 82.
  • Includes effective reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management according to Title III - Governance Framework, section 10 - Internal audit function, Paragraph 50 and Title III - Governance Framework, section 13.3 Access, information and audit rights, Paragraph 87 (b).
  • Provides repositories of completed, validated vendor questionnaires and supporting evidence to satisfy the pooled audits requirement in Title III - Governance Framework, section 13.3 Access, information and audit rights, Paragraph 91.
  • Provides cyber security and business monitoring – continually assessing third parties' externally visible networks to identify potential weaknesses that could be exploited by cyber criminals – to address Title III - Governance Framework, section 12.3 – Due Diligence, Paragraphs 70 & 71 and Title III - Governance Framework, section 14 Oversight of outsourced functions, Paragraph 100.
  • Captures and audits conversations and matches documentation or evidence against risks to satisfy Title III - Governance Framework, section 14 – Oversight of outsourced functions, Paragraph 104.
  • Includes bi-directional workflow and shared communication mechanisms to track findings and remediate issues per Title III - Governance Framework, section 14 – Oversight of outsourced functions, Paragraph 105.

Next Steps

The EBA guidelines require robust management and tracking of service provider risks. They specify that a policy for managing outsourcing risk should be in place, including internal controls-based assessments and continuous monitoring of third-party outsourcing arrangements. The obligations that flow from that policy should be codified in a written contract between the financial institution and the service provider, with proper documentation and reporting to support both remediation efforts and audits.

Prevalent’s Third-Party Risk Management solution provides a complete framework for implementing the management, auditing, and reporting of third-party supplier risk. Contact us today for a live demo of these capabilities, or register to watch a recorded demo.

Our Series Continues…

Next week’s blog examines the HIPAA Security Rule.