The Impact of EBA Guidelines on Third-Party Risk Management
Standards & Regulations

By Dov Goldman, Aug 12, 2021 (4 min read)

There are many types of third-party vendors whose activities, as they relate to European banking and the financial market, are regulated by the European Banking Authority (EBA). These include cloud-based web hosts, call center providers, bookkeepers and various maintenance providers and software companies, among others. Working with these third-party vendors has many advantages, as it reduces costs and improves flexibility and efficiency. But doing so also presents risks.

In that vein, the EBA issued regulations regarding third-party compliance. When banks and other financial institutions in the EU elect to use third-party vendors, they must ensure that those vendors provide the same level of protection for their customers as the financial institutions themselves are required to provide.

Understandably, certifying that all of a bank’s third-party vendors comply with the EBA regulation is a real challenge. Therefore, the EBA provides third-party outsourcing regulations to help guide financial institutions when selecting third-party vendors. Companies must remediate vendors hired before October 1, 2019 by the close of 2021. This means that banks and financial institutions must reevaluate their third-party vendors’ compliance with the EBA regulations or face fines.

Here is a brief summary of the EBA’s outsourcing process expectations for banks, financial and payment institutions:

Qualify inherent risk

The process in this phase is based on data collected by internal stakeholders, including the business owner of the relationship. At this point, you must determine whether the supplier’s inherent risk level is critical or important, assess whether the vendor meets the criteria needed to be considered for an outsourcing arrangement, collect supplier arrangement and operational details, and determine how frequently to repeat service provider reviews.

Assess service providers

Next, you must implement an external due diligence process to assess service providers’ security. This phase includes collecting provider and outsourcing details, analyzing results and reaching conclusions, performing remediation tasks and summarizing the results gleaned from the assessment.

Prepare relevant reports

The reporting portion of the process, if done correctly, is essentially the output of the two previous phases. Financial institutions must maintain an up-to-date register of all current outsourcing arrangements and provide the register to regulators on demand. Reporting for authorities that includes assessment results and details is also required, as is an EBA Guidelines compliance report.

Continuously monitor service providers

The EBA Guidelines specify that continuous monitoring of third-party outsourcing arrangements is required as part of the risk management of vendors. Financial organizations must continuously monitor and manage third parties throughout the lifecycle of these vendor relationships.

Repeat the review process

To stay compliant with EBA Guidelines, it is imperative to repeat the review according to a cadence determined at the beginning of the process based on the inherent risk. It is considered best practice to periodically review the inherent risk to make sure that it reflects the current operational relationship with the third party.

Complying with EBA Guidelines

Panorays can help your organization achieve compliance with the EBA Guidelines and ensure your third parties’ security aligns with your company’s security policies and regulations.

First, Panorays offers an efficient framework that helps collect and report the documentation of outsourcing arrangements required for EBA compliance. Second, our automated Smart Questionnaire™ can be used to assess third-party security controls, taking into account both the demands of the EBA Guidelines and your unique relationship with each service provider. Finally, your vendor’s digital perimeter is evaluated through Panorays’ non-intrusive attack surface evaluation, which is based on the analysis of externally available data.

Learn more about how Panorays can help you and your third parties comply with the EBA Guidelines.

Dov Goldman

Dov Goldman is Director of Risk & Compliance at Panorays. He’s a serial entrepreneur who’s been involved with third-party programs of all sizes, and is the go-to person for explaining the difference between inherent and residual risk.
