31 July 2025

EBA Consults On Outsourcing Guidelines For Non-ICT Related Services

Financial entities have been increasingly using third-party service providers (TPSPs) for various reasons, however, this increases risk overall.

Guidelines on non-ICT related services

Introduction

The growing use of TPSPs increases financial entities' overall risk. This is especially true when the TPSP is located in a third country, where authorities have limited supervisory powers, and provides a critical or important function to the financial entity. This has led to a need to evolve the traditional notion of outsourcing and to strengthen the governance arrangements of financial entities.

The European Banking Authority (EBA) has issued draft guidelines to replace the EBA's current guidelines on outsourcing which were published in 2019. The guidelines focus on third-party arrangements in relation to non-ICT related services which are provided by TPSPs and their subcontractors with a particular focus on the provision of critical or important functions.

The guidelines are meant to strengthen the management of risks arising from TPSPs across the financial sector through harmonization of governance practices, their oversight and accountability of financial entities.

Proportionality

The first aspect that these guidelines cover is proportionality. Compliance with the guidelines should follow the proportionality principle and should therefore be applied in a manner appropriate to the size of the financial entity, its internal organisation and the nature, scope and complexity of its activities.

Moreover, the guidelines must be followed across the entire financial group, which should therefore have robust internal governance arrangements with a clear organisational structure (including its third-party arrangements).

Assessment of third-party arrangements

Each financial entity would have to assess whether an arrangement with a TPSP falls under the definition of a third-party arrangement; as part of this assessment, the functions concerned and the continuity of services should be taken into consideration.

A function of the TPSPs is critical or important 'where its disruption, discontinuity, defect or failure in its performance would materially impair: their continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, their financial performance and the soundness or continuity of their services and activities'.

Governance framework

Management bodies of financial entities should establish, and periodically reassess, strategies to effectively manage the third-party risks identified, in accordance with the proportionality principle. The management body remains responsible for the entity's activities and has to ensure that the company does not end up lacking substance.

As part of their governance obligations, financial entities should be able to control and challenge the quality and performance of the functions of the TPSPs set out in the third-party agreement, including through periodic business continuity testing. This includes carrying out a risk assessment and ongoing monitoring, keeping in mind that certain organisational structures are likely to result in additional challenges. They should also identify and manage any conflicts of interest with TPSPs.

The proposed guidelines set out guidance on the relationship with the TPSPs, specifying that each third-party agreement should contain certain rights (such as the right to audit etc.) given to financial entities, which are extended to competent authorities. Financial entities should always have the right to terminate the contract if there would be an adverse effect on the functions provided through planned changes.

As part of their risk management framework, financial entities should maintain an updated register of information on all third-party arrangements, with additional information required when the functions are considered to be critical or important. This information should also be available to the competent authority. Ultimately, arrangements with TPSPs do not lower the financial entities' obligation to comply with legal and regulatory requirements and internal corporate values.

Third-party arrangements process

Before entering into any third-party arrangement, financial entities should assess the TPSP, making sure that it is authorised and registered as required by law and identifying the onboarding risks it brings with it.

Additionally, financial entities are obliged to have a written policy (updated yearly) on the sound management of third-party risks and the related processes to manage them. Here, financial entities are required to define internally what constitutes a critical or important function that can have a material impact on their risk profile, to cover the phases of the life-cycle of a third-party arrangement, to define the principal responsibilities and processes, and to document an exit strategy.

The written policy should be set out in one written agreement, available to the parties on paper or electronically in a durable, immutable and accessible format. Further obligations arise from third-party arrangements which allow for sub-contracting.

Competent Authorities

Competent authorities are required to monitor and supervise financial entities' third-party arrangements by identifying and monitoring the risks arising from individual TPSPs and by assessing whether any identified concentration risks could pose a risk to the stability of the financial system. Reliance on the same TPSPs, especially for critical functions, may lead to widespread service disruptions and systemic risk if these providers fail or experience significant disruptions.

For this, comprehensive documentation on third-party arrangements compiled by financial entities is essential, as it allows supervising authorities to exercise their supervisory powers. Furthermore, competent authorities should track the progression of any concentration risks identified and evaluate their potential impact.

Competent authorities are also tasked with monitoring financial entities' continued compliance with the conditions of their initial authorisation, to see whether any third-party arrangement amounts to a material change to the institution's initial authorisation.

Financial entities are also encouraged to engage in dialogue with their competent authorities regarding planned or amended third-party arrangements involving critical or important functions, but ultimately the final responsibility for the arrangements with TPSPs remains with the financial entity.

Further Remarks

The guidelines are to be read alongside relevant EBA and ESMA guidelines on internal governance, outsourcing, and supervisory practices, as well as applicable requirements under relevant legislation.

The proposed guidelines are currently open to comments on the consultation paper until the 8th of October. Following their implementation, financial entities falling under the guidelines' scope will have a transitional period of 2 years to amend their existing third-party arrangements and to update their register of non-ICT third-party arrangements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
