
EBA Guidelines on Outsourcing Arrangements Compliance

Complying with EBA Guidelines on Outsourcing Arrangements

The European Banking Authority (EBA) is an independent EU authority that ensures effective and consistent regulation and supervision across the European banking sector. In early 2019, the EBA published revised Guidelines on Outsourcing Arrangements, including specific provisions for financial institutions’ governance of outsourcing arrangements and related supervisory processes. These guidelines are consistent with outsourcing requirements under the Payment Services Directive (PSD2), the Markets in Financial Instruments Directive (MiFID II), and the Commission Delegated Regulation (EU) 2017/565.

EBA and Third-Party Risk Management

The EBA Guidelines set out the internal governance arrangements that credit institutions, payment institutions and electronic money institutions should implement when outsourcing internal services, activities or functions. Recognizing the vast supplier ecosystem in financial services, the EBA dedicated 70 pages to the management of outsourcing in the financial services industry.

The EBA guidelines require robust management and tracking of service provider risks. They specify that a policy for managing risk should be in place, including internal controls-based assessments and continuous monitoring of third-party outsourcing arrangements. The policy should be codified in a contract between the financial institution and the service provider, with proper documentation and reporting to support both remediation efforts and audits.

These requirements represent a full set of controls implemented across the outsourcing organization and go well beyond the scope of a simple automated scan of external-facing infrastructure.

Relevant Requirements

The EBA calls for a sound outsourcing framework that: 

  • Distinguishes outsourcings that are “critical or important” from those that are not  
  • Performs due diligence in the outsourcing selection process 
  • Enables proper risk assessment, whereby all potential operational risks are identified, managed, monitored and reported 
  • Requires contracts that set out rights of access and audit for the banks and their regulators to ensure effective oversight  
  • Performs ongoing assessment and continuous monitoring, with clear reporting to senior management
  • Makes available to authorities all documentation for transparency
  • Defines a clear exit strategy in the event of a failure by the service provider


Meeting EBA Third-Party Risk Management Guidelines

Here's how Prevalent can help you address EBA third-party risk management guidelines:

EBA Guidelines on Outsourcing Arrangements

EBA Guideline | How Prevalent Can Help

Title II – Assessment of Outsourcing Arrangements
4 – Critical or important functions
Paragraph 30

“Particular attention should be given to the assessment of the criticality or importance of functions if the outsourcing concerns functions related to core business lines.”


The Prevalent Assessment solution enables financial institutions to classify third parties based on their importance to the organization. A selection of customizable questionnaires enables you to match the assessment requirements to the level of risk presented by the relationship.


Title III - Governance Framework
5 - Sound governance arrangement and third-party risk
Paragraph 32

“Institutions and payment institutions should have a holistic institution-wide risk management framework to identify and manage all their risks, including risks caused by arrangements with third parties.”


Prevalent delivers the industry’s only purpose-built, unified platform for third-party risk management. Our solution automates the inside-out process of vendor risk assessments while including proactive continuous monitoring using an outside-in approach to reduce risk and meet the demands of regulatory compliance.


Title III - Governance Framework
5 - Sound governance arrangement and third-party risk
Paragraph 33

“Institutions and payment institutions should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed.”

The Prevalent Assessment service offers security, privacy, and risk management professionals an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels.


Title III - Governance Framework
6 - Sound governance arrangements and outsourcing
Paragraph 40(c)

"When outsourcing, institutions and payment institutions should at least ensure that: 

the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech).”


The Prevalent Third-Party Risk Management platform provides a complete solution to perform assessments, including questionnaires; an environment to collect and manage documented evidence in response; workflows for managing the review and addressing findings; and robust reporting to give each level of management the information it needs to properly review the third party's performance.


Title III - Governance Framework
10 - Internal audit function
Paragraph 50

"The internal audit function’s activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions."


The Prevalent Third-Party Risk Management platform includes effective reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process.


Title III - Governance Framework
12.3 – Due Diligence
Paragraphs 70 & 71

“With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation to meet its obligations.

Additional factors to be considered include its business model, nature, scale, complexity, financial situation, ownership and group structure.”


The Prevalent Cyber & Business Monitoring service provides both snapshot and continuous vendor monitoring for immediate notification of high-risk issues, prioritization, and remediation recommendations. Data security and business risk monitoring enable you to look beyond tactical vendor health for a more strategic view of a vendor’s overall information security risk.

Prevalent is unique in that it offers business risk monitoring that leverages human analysts to interpret potential operational, brand, regulatory, legal, and financial risks.

Examples include:

  • Insider threats
  • Financial problems
  • M&A activity
  • Layoffs
  • Data breach cases
  • Reputational metrics 

Title III - Governance Framework
13.2 Security of data and systems
Paragraph 82

"Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis."


The Prevalent Third-Party Risk Management platform provides a complete solution to perform assessments, including questionnaires; an environment to collect and manage documented evidence in response; workflows for managing the review and addressing findings; and robust reporting to give each level of management the information it needs to properly review the third party's performance.

Title III - Governance Framework
13.3 Access, information and audit rights
Paragraph 87 (b)

“Institutions and payment institutions should ensure that the service provider grants them:

  • unrestricted rights of inspection and auditing related to the outsourcing arrangement (‘audit rights’), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements”


The Prevalent Assessment solution ensures service providers implement the exact, agreed-upon requirements, with regular tracking and verification. Robust reporting and full audit capabilities streamline proper performance review. Access to completed assessments and audits can be delegated to auditors via the platform's standard RBAC capabilities.

Title III - Governance Framework
13.3 Access, information and audit rights
Paragraph 91

"Institutions and payment institutions may use:

  • pooled audits organized jointly with other clients of the same service provider, and performed by them and these clients or by a third party appointed by them, to use audit resources more efficiently and to decrease the organizational burden on both the clients and the service provider"


Prevalent’s Vendor Evidence Sharing Networks are repositories of completed, validated vendor questionnaires and supporting evidence that eliminate the tedious, time- and resource-consuming process of collecting data from scratch.

Prevalent offers both horizontal and vertical networks to speed assessment and collaboration within the community.


Title III - Governance Framework
14 Oversight of outsourced functions
Paragraph 100

"Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function."


In addition to facilitating automated, periodic internal control-based assessments, the platform also provides cyber security and business monitoring, continually assessing third parties' networks to identify potential weaknesses that could be exploited by cyber criminals. Prevalent also offers penetration testing as a service to help customers investigate vendor network operations at a much more granular level.

With the integration of internal assessments, external cyber monitoring and penetration testing, covered entities gain a complete view of vendor risks plus clear and actionable remediation guidance to address those risks.


Title III - Governance Framework
14 Oversight of outsourced functions
Paragraph 104

"Institutions and payment institutions should ensure that outsourcing arrangements meet appropriate performance and quality standards in line with their policies by:

a. ensuring that they receive appropriate reports from service providers;

b. evaluating the performance of service providers using tools such as key performance indicators, key control indicators, service delivery reports, self-certification and independent reviews; and

c. reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing."


The Prevalent Assessment service captures and audits conversations and matches documentation or evidence against risks. Visually appealing and coherent dashboards provide a clear overview of tasks, schedules, risk activities, survey completion status, agreements, and associated documents.

Title III - Governance Framework
14 Oversight of outsourced functions
Paragraph 105

"If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions."


The Prevalent solution includes bi-directional workflow and shared communication mechanisms to track findings and remediate issues.


The Prevalent Difference

Prevalent’s Third-Party Risk Management Platform provides a complete framework for implementing management, auditing, and reporting related to third-party supplier risk. Vendor tiering enables third parties to be managed according to the risk they present, with different assessments, frequencies, and scoring as warranted. Customizable surveys with documented evidence enable assessment and monitoring to be carried out relative to the risk and function of each third party. Workflows ensure assessments are managed to completion and re-assessments are automatically kicked off when required. The completed questionnaires and documentary evidence are easily managed, maintained and reported when needed internally or for examiners. Risk scoring and analytics bring important risks that need to be addressed to the attention of those responsible for managing the third party. Reporting provides the compliance information necessary in multiple forms, as required for different levels of the organization.