The European Banking Authority (EBA) recently published a consultation paper (Consultation) that proposes to expand third-party risk management requirements for certain EU-regulated financial entities. The Consultation would extend the EBA’s current guidelines around outsourcing arrangements (EBA Guidelines) to all third-party services arrangements, excluding those services that are within scope of the EU Digital Operational Resilience Act (DORA), and would add further requirements to the existing guidelines, aligning with those requirements introduced under DORA.
Immediate Considerations
- This is a consultation and so does not require any immediate action. However, if implemented, the proposals would require financial entities to remediate contracts that fell outside of their DORA and earlier outsourcing remediation projects, and to extend their third-party risk management frameworks to new categories of service providers.
- Third-party (non-ICT) service providers to EU-regulated financial entities should monitor developments and may need to update their standard contract terms.
- The Consultation is open for feedback until October 8, 2025. Stakeholders may submit feedback via the EBA’s webpage.
Scope and Background
The EBA Guidelines apply to a wide range of EU-regulated financial entities, including, among others, credit institutions, investment firms, payment institutions, and electronic money institutions. The Consultation would extend the scope to small investment firms and certain issuers of asset-referenced tokens.
Outsourcing has been a key focus area of EU regulators, particularly as it relates to regulated entities’ critical or important functions, and the EBA Guidelines specify internal governance arrangements and sound risk management practices, including specific contractual terms, that entities are expected to implement in respect of their outsourcing arrangements. “Outsourcing” refers to arrangements under which a service provider performs a task, function, or service that would otherwise be performed by the customer.
Since January 2025, EU-regulated financial entities have also been subject to DORA, which imposes requirements around sound risk management in respect of information and communication technology (ICT) services, including mandatory contractual terms. DORA overlaps with many concepts under the EBA Guidelines and introduces similar, if not many of the same, mandatory contractual terms that apply to outsourcings. We previously highlighted similarities and key gaps between DORA and the existing EBA Guidelines.
Key Changes
- EBA Guidelines would not overlap with DORA: While the requirements applicable to ICT services under DORA and to non-ICT services under the Consultation would be broadly similar, if not the same, financial entities would need to categorize each third-party arrangement as either an ICT service or a non-ICT service. Internal third-party risk management policies and risk assessments may then, as proposed, need to distinguish between compliance with the two regimes. This would likely lead to duplication, as it is difficult to envisage services without some form of ICT component, and it is not entirely clear under the Consultation how such mixed services should be managed.
- Broader scope of (non-ICT) services: The EBA Guidelines would extend to all third-party non-ICT services, not just outsourcing. The Consultation includes examples of such non-ICT services, such as administrative services (e.g., document management and archiving, payroll services), cash management services, customer-facing services (e.g., contact centers, complaint management), and internal control functions (e.g., compliance functions, data protection), among others. That being said, the Consultation largely retains the list of services that are expressly excluded from scope, including functions that are required by law to be undertaken by a service provider (e.g., statutory audit), payment network infrastructures, clearing and settlement arrangements, and utilities services, among others. The Consultation introduces a new category of excluded services that “do not have material impact on the financial entities’ risk exposures or on their operational resilience”; this may allow financial entities to adopt a risk-based view of certain low-risk services, although there is some discrepancy between this and the examples of in-scope services listed in the Consultation, noted above.
- Contract requirements apply to all services, not just those supporting critical or important functions: Under the EBA Guidelines, mandatory contract terms apply specifically to outsourcings for critical or important functions. The Consultation adopts a DORA-equivalent approach such that all in-scope third-party services arrangements must comply with a ‘base’ level of contract terms. These would cover, among other areas, service descriptions, service locations (and changes to the same), provisions on the availability, authenticity, integrity and confidentiality of data, performance standards, regulatory cooperation, and specific termination rights. For third-party services supporting critical or important functions, there are additional, more prescriptive mandatory terms around, among other areas, access and audit rights, subcontracting, reporting obligations, business contingency planning, and exit strategies.
- New contract requirements for non-ICT services: The Consultation adds new or more detailed contract requirements to those under the existing EBA Guidelines, aligning with the requirements under DORA, around exit strategies, subcontracting of critical or important functions, and participation of third-party service providers in the financial entity’s business continuity plan testing. For third-party outsourcing contracts that were out of scope of DORA remediation, this would require contract remediation even if the contract is compliant with the existing EBA Guidelines.
- Register of information: Financial entities must maintain a register of information of all third-party services arrangements, which is consistent with the DORA-equivalent register of information of ICT services.
Analysis
One of the Consultation’s objectives is to look holistically at third-party risk management, wider than just outsourcing, given that non-outsourcing arrangements may also pose a material or high risk to a firm’s operational resilience. Arguably, the EBA is catching up with other regulators and standard-setting bodies: in the United States, the Interagency Guidance on Third-Party Relationships: Risk Management, published in June 2023, applies its expectations to all third-party relationships of relevant entities and, in December 2023, the global standard-setting Financial Stability Board published its Enhancing Third-Party Risk Management and Oversight in which it also looks holistically at third-party risk management. The UK Prudential Regulation Authority’s Supervisory Statement 2/21 on Outsourcing and Third Party Risk Management also addresses third-party risk management holistically.
However, the practical application of the EBA Guidelines to non-ICT services, alongside DORA for ICT services, may create a material burden on financial entities to document compliance with two separate, albeit very similar, regimes.
Certain details in the Consultation could exacerbate this burden. For example, the Consultation proposes (similarly to DORA) that the service provider must flow down certain contract terms to its subcontractors of critical or important functions, but the Consultation does not include the important principle under DORA of focusing on those subcontractors that “effectively underpin” the relevant services. Also, a separate register of information for non-ICT services will likely result in duplication of efforts where complex services include both ICT service towers and non-ICT service towers; it is not entirely clear how a financial entity should document these across the registers.
The Consultation expands the scope of certain requirements, such as mandatory contract terms and detailed due diligence expectations, not only beyond outsourcings but also beyond critical or important functions, to all (non-ICT) third-party services arrangements on a mandatory basis. A more flexible approach might apply such requirements to non-critical services on a proportionate basis, depending on the level of risk and suitability of such controls, akin to the approach of the UK Prudential Regulation Authority in respect of non-outsourcing services arrangements.
As to complying with the expanded scope, financial entities already subject to DORA may be able to reapply their DORA remediation playbooks for any revised EBA Guidelines, if implemented. However, those entities may find themselves negotiating with new categories of non-ICT service providers that are unfamiliar with such financial services-specific terms, and perhaps unwilling to grant the termination rights, exit periods, and other terms that may not be suitable for the services.