EBA Guidelines and Supplier Risk Management


Today’s distributed business environment is defined by third-party relationships. The boundaries of the organization have blurred, and management and executives need to consider the extended enterprise when implementing governance, risk management, and compliance frameworks. Given the depth, variety, and dependency on third-party relationships in the modern business – and the potential damage caused by third-party risks – third-party risk management (TPRM) has become a serious function within the organization, one that has to be fully governed by processes, policies, and procedures that are automated and continuously monitored.

Recently, regulators have taken a more proactive role in the management of third parties, suppliers, and vendors by establishing and revising guidelines that help organizations (specifically in the financial services sector) establish and maintain best practices for TPRM and reduce their risk exposure.

In late 2019, the European Banking Authority (EBA) published revised Guidelines on the governance of outsourcing arrangements and third-party relationships. The EBA Guidelines set out the best governance practices and framework that financial institutions should implement when outsourcing internal services and/or functions to third parties.

The Guidelines outline a series of robust requirements and controls to enable financial services organizations to manage supplier risks and relationships and mitigate their risk exposure; firms now have until December 2021 to update all existing documentation to meet these standards. Policies for managing risk include internal control-based assessments and continuous monitoring of third-party relationships scattered throughout the organization and its functions. These policies need to be agreed to in a contract between the organization and the third party, with appropriate documentation and reporting guidelines for both remediation efforts and internal audit oversight to provide assurance.

The Guidelines also outline the critical role of internal audit in building awareness of and oversight over third parties as part of the organization’s business functions. There is an emphasis that management within the organization remains responsible for implementing and/or maintaining appropriate controls and for the governance of all data flows across third-party relationships and business functions in accordance with European regulations.

Outsourcing arrangements require policies and documentation that detail the third-party on-boarding and off-boarding process, the delivery of outsourced services, and the processes and controls to meet regulatory requirements and standards throughout the lifecycle of the relationship. These policies need to represent a full set of controls implemented across the organization and its third-party relationships. The requirements outlined by the EBA include, but are not limited to, controls that:

  • Identify key or critical third parties and potential conflicts of interest
  • Ensure the “location” of the service or storage location is documented
  • Perform ongoing assessments and continuous monitoring
  • Establish a clear reporting process to senior management
  • Enable proper risk assessment to identify and manage all potential risks

To address these requirements, organizations need a holistic third-party risk management framework and architecture that spans the extended enterprise – this allows the organization to manage and monitor all of its risks across the business and its functions. This should improve the organization’s understanding of its third-party risk exposure, enable management to make better-informed decisions, and ensure that risk management controls are appropriately implemented across business functions and operations.

Understanding TPRM in Financial Services

Financial services firms have depended on third parties to carry out many of their functions for many years. Developments in technology, increasing regulation, and globalization have only amplified the complexity and interconnectedness of the modern organization. Third-party relationships can be crucial to providing critical business services in today’s complex environment, yet many organizations are reactive to rising risk exposure and fail to reach the maturity and visibility needed to manage TPRM effectively.

Developing an understanding of, and complete visibility into, the interconnectedness of the different parties scattered throughout business operations is key to identifying gaps in controls and procedures and to understanding dependencies between the third parties that support critical business services and functions. Continuous monitoring and assessment of these third parties, with oversight of their resilience capabilities and tolerance levels, is critical to building a robust framework for managing third-party relationships.

Many organizations are going beyond simply understanding the capabilities of suppliers and third parties, as regulators increasingly push organizations to test end-to-end incident response and continuity arrangements within outsourcing arrangements. Close to Europe and extending beyond the EBA Guidelines, the UK Financial Conduct Authority (FCA), the Bank of England (BoE) and the UK Prudential Regulation Authority (PRA) have demonstrated the growing importance of operational resilience in financial services and third-party management by publishing the paper ‘Building the UK financial sector’s operational resilience’. There is also greater accountability for third-party risk in senior management functions (SMFs) because of the UK Senior Managers and Certification Regime (UK SMCR).

The FCA and PRA Guidelines refer to the increased risk from outsourcing arrangements with third parties and the growing need for continuous monitoring and governance of this risk. Risk exposure grows as the number of third parties providing critical business services grows. This exacerbates the complexity of TPRM, and organizations are responsible for mapping and identifying the critical services that support critical functions and for implementing appropriate controls and policies that stretch across those functions.

Responsibility and the potential consequences within TPRM cannot be outsourced, so organizations must integrate these functions into a technology architecture that delivers a holistic approach – providing complete visibility into and awareness of risk scattered across relationships and supply chains, and breaking down the silos created by manual solutions and inadequate processes.

Key Takeaways to Consider with New EBA Guidelines

Some of the key takeaways organizations need to consider in order to comply with the new Guidelines include, but are not limited to:

  • Follow the EBA’s definition of outsourcing when charting your TPRM framework
  • Look towards the EBA’s criteria for assessing critical third parties
  • Identify any other relevant regulatory authorities that could have jurisdiction over the relationship

Understand the full set of requirements for outsourcing arrangements, such as:

  • Perform proper due diligence on any potential supplier or vendor, including a full risk analysis of the potential third party and identification of any conflicts of interest.
  • Develop a contract for every outsourcing agreement that ensures both sides meet regulatory requirements and common standards and that is in line with the organization’s policies.
  • Identify the critical business functions involved in outsourcing arrangements.
  • Continuously monitor and manage third parties and emerging risks throughout the lifecycle of the relationship.
  • Update controls and policies as gaps and inefficiencies are identified.

The Path to Third-Party Maturity

Many challenges have emerged around managing the risks of outsourcing arrangements used to deliver business services, and the EBA and FCA Guidelines on third-party risk management seek to address many of these emerging issues. However, not every organization has the same risk considerations, and there is no universal best-practice model that gives organizations a benchmark for evaluating the true effectiveness of their third-party risk management and supplier management program. Some of the key outcomes the EBA Guidelines are meant to deliver are:

  • Effective internal control framework across third-party relationships
  • Sufficient plans for on-boarding and off-boarding of third parties
  • Proper identification of critical third parties throughout the organization’s functions
  • Well-founded outsourcing policies and processes that reflect the organization’s risk profile and broader business strategies
  • Efficient oversight by management and senior executives
  • Protection of data across the whole organization and its functions

Whether you are in the U.S. and responsible for vendor risk management or in the UK and responsible for supplier risk management, a strong and integrated third-party risk management process, supported by an information and technology architecture, is increasingly becoming a necessity for organizations. An effective approach requires complete visibility into and understanding of the interconnectedness of business relationships and their risk exposure. Third-party risk management is likely to become more integrated across risk management, business operations, and resilience.

An integrated approach to TPRM will further drive effectiveness and efficiency, specifically in identifying the key third parties in the organization’s extended enterprise and the risks associated with the services they provide. Collaboration across organizations is also paramount as technology solutions become a more mainstream way to manage third-party relationships and to monitor and mitigate third-party risk exposure.