It can be challenging to stay informed of all the various regulations that govern third-party risk management in today's global business environment. The past few years have been incredibly eventful for regulators in the European Union (EU): the General Data Protection Regulation (GDPR) took effect in 2018, Brexit followed in early 2020, and more recent events, such as the Russian invasion of Ukraine, carry regulatory implications of their own. Now is an excellent time to brush up on European regulations to ensure that your third-party risk management program remains compliant.
European Banking Authority (EBA) rules apply to financial firms operating wholly or in part under the jurisdiction of the European Union. This includes credit institutions, such as banks and investment firms, that must adhere to the Capital Requirements Regulation, specifically those with regulatory permissions to hold client money or to trade on their own account. All e-money firms and payment institutions (fintech) are also in scope.
Regulatory Guidance in the EU and UK
In 2020, the United Kingdom officially left the European Union in an event known as Brexit. Because of this separation, it's important to remember that the UK and EU each have their own set of regulatory agencies and guidance for third-party risk management.
Here are some of the regulatory bodies and guidance from both regions:
United Kingdom | European Union
Key Components from the EBA
As many regulators look to each other for best practices, it's common to find similarities throughout different guidelines. To improve our understanding of important regulatory concepts, let's take a closer look at the European Banking Authority (EBA) guidelines on outsourcing arrangements.
- Outsourcing: On page 25 of the guidelines, the EBA states that organizations "should establish whether an arrangement with a third party falls under the definition of outsourcing." Consideration should be given to whether the function is performed on a recurring or ongoing basis and whether the institution could perform the activity. Certain functions will generally not be considered outsourcing, including those legally required to be performed by a service provider. Market information services, global network infrastructures, like Visa and MasterCard, and correspondent banking services are also not considered outsourcing.
- Material: This refers to a vendor that provides "critical or important" functions. The following is extracted from pages 26-27 of the EBA guidance, which cover the different situations in which a function should be considered critical or important:
- Where a defect or failure in its performance would materially impair:
- Their continuing compliance with the conditions of their authorization or its other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations;
- Their financial performance; or
- The soundness or continuity of their banking and payment services and activities;
- When operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function;
- When they intend to outsource functions of banking activities or payment services to the extent that would require authorization by a competent authority, as referred to in Section 12.1.
- Exit strategy: Organizations must have a documented exit strategy when outsourcing their critical or important functions. This strategy should align with their outsourcing policy and business continuity plan to ensure that they can leave the arrangement without excessive disruption to their business activities or limiting their regulatory compliance. The EBA guidance also notes the importance of testing an exit strategy on page 52, stating that organizations should:
Develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g., by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider).
- Pre-contract requirements: EBA guidance highlights several different provisions that should be included in a critical or important vendor contract. Aside from the basics, such as a description of the outsourced function, the start and end dates, and financial obligations, the contract should also address the requirement to implement and test a business contingency plan.
The importance of a pre-contract exit strategy for material vendors is the key takeaway from these European regulations. The exit strategy isn't executed until the offboarding stage of the third-party risk management lifecycle. However, European regulators expect organizations to implement and test these plans before signing a vendor contract with a "critical or important" vendor.
3 Tips to Monitor Regulatory Compliance
Many organizations see regulatory compliance as a leading risk in third-party risk management. It can impact other financial, operational and reputational risk areas. Here are some tips to help protect your organization from third-party regulatory risk:
- Perform initial and recurring due diligence. Collecting and reviewing a vendor's due diligence information and documents is a necessary process that evaluates the effectiveness of the controls they have in place. Business continuity, information security and data protection are all areas that should be evaluated in this process.
- Establish a healthy routine of ongoing monitoring. A vendor's risk and performance must be monitored throughout the engagement to ensure they remain consistent with, and acceptable under, your organization's standards.
- Review and test your exit plan strategy. Your exit plan should include a detailed timeline of the required steps to ensure minimal business disruption. The plan should also be tested before signing the vendor contract so that any issues that need to be remediated are identified in advance.
Regulators across various industries, countries and political unions set the standards for managing third-party relationships. Staying informed of your current regulatory landscape is a best practice for protecting your organization from third-party risk.