Out-Law News

Financial entities face contract update exercise over third-party risks



Financial institutions could have to update contracts with third-party suppliers in the coming months to adhere to guidelines the European Banking Authority (EBA) is developing, an expert has said.

Yvonne Dunn of Pinsent Masons was commenting after the EBA opened a consultation on draft new guidelines on the sound management of third-party risk.

The new guidelines, once finalised, will sit alongside the EU’s Digital Operational Resilience Act (DORA) and will update the EBA’s 2019 guidelines on outsourcing, though they will be broader in scope.

The draft guidelines apply to both outsourcing and non-outsourcing arrangements for services other than information and communication technology (ICT) services; ICT services will be governed by DORA. The draft guidelines also apply to a broader range of financial entities than the 2019 EBA outsourcing guidelines, including issuers of asset-referenced tokens.

“The rationale for updating the existing guidelines is to address risks for financial institutions associated with third-party relationships and to ensure that financial institutions maintain robust oversight of all third-party suppliers, not just those relating to ICT services,” Dunn said.

“The contractual requirements under the draft new guidelines are broadly similar to those in the 2019 outsourcing guidelines. However, an important distinction is that the draft guidelines include contractual requirements for all third-party contracts plus an additional set of contractual requirements for critical or important functions, whereas the contractual requirements in the outsourcing guidelines only applied to critical or important functions. Therefore, the EBA is proposing that a broader range of service arrangements will need to comply with the new guidelines, when they are finalised. For example, contracts relating to facilities management or customer services may now need to meet the new contractual requirements proposed,” she said.

According to Dunn, the draft guidelines include more detailed exit requirements. She said this reflects growing regulatory scrutiny of the way financial firms manage transitions between different suppliers and in moving functions back in-house.

The draft guidelines also contain a longer list of specific requirements for the supplier to meet in relation to subcontracting, such as obligations for the subcontractor to ensure continuity of critical or important functions throughout the chain of subcontractors, Dunn said.

Beyond contractual requirements, the draft guidelines require financial institutions to implement appropriate governance around third-party arrangements, create policies on third-party risk management, carry out due diligence and risk assessments on potential third-party suppliers, and maintain registers of third-party arrangements. Dunn said these requirements are consistent with the requirements entities will already be familiar with from the 2019 outsourcing guidelines.

The EBA’s consultation on its draft guidelines closes on 8 October. The EBA is expected to issue finalised guidelines in the coming months, after considering the feedback it receives. Once in force, the new guidelines will apply to new third-party arrangements entered into after the entry into force date, and financial institutions will be expected to remediate existing contracts to adhere to the guidelines at the next point those contracts are renewed or, if earlier, two years from a date that the EBA will specify in due course.

Dunn said: “For financial institutions operating in the EU, the guidelines envisaged will bring additional services arrangements, such as facilities management or business process support, into scope for potential remediation. These services arrangements are not ICT services and therefore not subject to DORA remediation, nor do they constitute outsourcing arrangements that would be subject to the 2019 outsourcing guidelines.”

“Financial institutions should review their third-party service arrangements, especially those previously excluded from EBA outsourcing and DORA remediation exercises, as these may now require remediation to meet the requirements of the draft guidelines,” she said.
