There are many types of third-party vendors whose activities, as they relate to European banking and the financial market, are regulated by the European Banking Authority (EBA). These include cloud-based web hosts, call center providers, bookkeepers and various maintenance providers and software companies, among others. Working with these third-party vendors has many advantages, as it reduces costs and improves flexibility and efficiency. But doing so also presents risks.
In that vein, the EBA issued regulations regarding third-party compliance. When banks and other financial institutions in the EU elect to utilize third-party vendors, they must ensure that the vendors are providing the same level of protection for their customers as they, the financial organizations, are required to provide. In addition to ongoing monitoring, banks must implement a vendor risk management program to mitigate security risks inherent in third-party relationships.
Because banking is a highly interconnected industry, there are greater cybersecurity risks. The interconnected entities often have third-party relationships. The increased dependence on third-party vendors has resulted in an increase in cyber risks and vulnerabilities. Implementing an effective third-party risk management process has become increasingly important for bank management, regulators, and regulatory authorities.
Understandably, the challenge of certifying that all of a bank’s third-party vendors are complying with the EBA’s regulatory requirements is real. Therefore, the EBA provides third-party outsourcing regulations to help guide financial institutions when selecting third-party vendors. Companies must remediate vendors hired before October 1, 2019 by the close of 2021. This means that banks and financial institutions must reevaluate their third-party vendors’ compliance to the EBA regulations or face fines.
Here is a brief summary of the EBA’s outsourcing process expectations for banks, financial and payment institutions:
Qualify inherent risk
The process in this phase is based on data collected by internal stakeholders, including the business owner of the relationship. At this point, you must identify if the supplier’s inherent risk level is critical or important, assess whether the vendor meets the criteria needed to be considered for an outsourcing arrangement, collect supplier arrangement and operational details, and determine how frequently to repeat service provider reviews.
Assess service providers
Next, you must implement an external due diligence process to assess service providers’ security and risk profile. This phase includes collecting provider and outsourcing details, analyzing results and reaching conclusions, performing remediation tasks and summarizing the results gleaned from the assessment.
Prepare relevant reports
The reporting portion of the process, if done correctly, is essentially the output of the two previous phases above. Financial institutions must maintain an updated register of all current relationships with vendors and outsourcing arrangements and provide the register upon demand by regulators. Reporting for authorities that includes assessment results and details is also required, as well as an EBA Guidelines compliance report.
Continuously monitor service providers
The EBA Guidelines specify that continuous monitoring of third-party outsourcing arrangements is required as part of the risk management of vendors. Financial organizations must continuously monitor and manage third parties throughout the lifecycle of these vendor relationships.
Repeat the review process
To stay compliant with EBA Guidelines, it is imperative to repeat the review according to a cadence that is determined at the beginning of the process according to the inherent risk. It is considered best practice to periodically review the inherent risk to make sure that it reflects the current operational relationship with the third party.
Complying With EBA Guidelines for Third-Party Risk Management
Panorays can help your organization achieve compliance with the EBA Guidelines and ensure your third parties’ security aligns with your company’s security policies and regulations.
First, Panorays offers an efficient framework that helps collect and report crucial documentation of outsourcing arrangements, which is necessary for EBA compliance. Second, our automated Smart Questionnaire™ can be utilized to assess third-party security controls that consider both the demands of the EBA Guidelines and your unique relationship with each service provider. Finally, your vendor’s digital perimeter is evaluated through Panorays’ non-intrusive attack surface evaluation based on the analysis of externally available data.