Key points for your compliance teams on the new proposed draft EBA Guidelines

On the management of non-ICT outsourcing risk

What’s this about?

The European Banking Authority (EBA) has published a consultation on the sound management of non-ICT third-party risk, i.e. outsourcing risk, which once finalised will replace the existing EBA outsourcing guidelines.

Our Head of Risk and Financial Crime, Ben Cooper, says:

“If your firm operates in the European Economic Area, this consultation is significant. Once finalised, the new guidelines will require a full legal and compliance review of how you manage outsourcing.”

Objectives of the guidelines
  • Ensure robust governance and risk management of third-party arrangements.
  • Reinforce accountability, i.e. firms retain full responsibility for outsourced services.
 
Key compliance responsibilities

Governance & Oversight:

  • Ensure the management body approves and monitors third-party risk strategy.
  • Confirm internal audit reviews critical third-party arrangements.
  • Avoid “letter-box” institutions. Entities must retain operational substance.

Due Diligence & Risk Assessment:

  • Conduct pre-contractual risk assessments and conflict of interest checks.
  • Assess criticality of functions and third-country risks.
  • Ensure proportionality based on risk, size, and complexity.

Contractual Safeguards:

  • Include clauses for:
    • Audit and access rights
    • Termination and exit strategies
    • Subcontracting controls (especially for critical functions)

Ongoing Monitoring:

  • Implement performance monitoring and risk reassessment.
  • Maintain regular reporting to senior management.

Exit Strategies:

  • Develop and test documented exit plans for critical services
  • Ensure business continuity during transitions
Documentation and reporting
  • Maintain a comprehensive register of all third-party arrangements. The register should include criticality, subcontracting, audit history, and cost.
  • Be prepared to submit the register to regulators upon request
  • Policies and processes will need to be updated, as these guidelines will supersede the EBA’s 2019 outsourcing guidelines.
 
Critical functions
  • Defined by potential impact on:
    • Financial performance
    • Regulatory compliance
    • Service continuity
  • Require enhanced controls and supervisory scrutiny
 
Regulatory interaction
  • Regulators will:
    • Review third-party risk as part of their supervisory review and evaluation processes
    • Monitor concentration risk and systemic dependencies
    • Enforce compliance with substance requirements (i.e. entities must retain operational substance)
 
Timelines
  • Legislation to make DPC agreements regulated and empowering the FCA to regulate DPC lenders was enacted on 14 July 2025
  • Consultation closes: 26 September 2025
  • Policy Statement: Expected early 2026
  • Temporary Permissions Regime (TPR): Opens for registration 2 months before regulation day and will close 2 weeks before Regulation Day
 
Compliance checklist

Governance & Oversight:

  • Management body has approved a third-party risk strategy.
  • Roles and responsibilities for third-party risk are clearly defined.
  • Internal audit includes third-party arrangements in its audit plan.
  • Entity maintains operational substance (not a “letter-box” institution).

Pre-Contractual Phase:

  • Risk assessment completed for each third-party arrangement.
  • Due diligence conducted, including financial, operational, and legal checks.
  • Conflicts of interest identified and mitigated.
  • Third-country risks assessed and documented.
  • Criticality of function determined and recorded.

Contractual Requirements:

Contracts include:

  • Clear allocation of responsibilities
  • Audit and access rights
  • Termination rights and exit strategy provisions
  • Subcontracting conditions (especially for critical functions)
  • Contracts reviewed by legal and compliance teams.

Monitoring & Reassessment:

  • Ongoing performance monitoring of third-party providers.
  • Periodic reassessment of function criticality and risk exposure.
  • Regular reporting to senior management and internal audit.
  • Issues and breaches escalated and tracked.

Exit Strategy & Continuity:

  • Documented exit strategies for critical/important functions.
  • Exit plans tested and updated regularly.
  • Business continuity plans aligned with exit strategies.

Register & Documentation:

  • Comprehensive register maintained with:
    • Provider details
    • Function description and criticality
    • Subcontracting arrangements
    • Audit history
    • Cost and contractual data
  • Register updated regularly and available for supervisory review.

Regulatory Engagement:

  • Prepared for supervisory review under supervisory review and evaluation processes.
  • Able to demonstrate compliance with substance and governance requirements.
  • Ready to submit register and documentation upon request.
 

At a glance...

Publication link

Consultation Paper on EBA Draft Guidelines on the sound management of third-party risk

Published date

8 July 2025

Who has published it?

European Banking Authority

Publication type

Consultation paper

Any key dates

  • Consultation ends: 8 October 2025

  • Implementation: Date TBD

  • Transitional period: 2 years for existing arrangements

What's it relevant to?

  • Outsourcing

  • EBA Outsourcing Guidelines

  • Third Party Risk Management


This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2025. Specific advice should be sought for specific cases. For more information see our terms & conditions.


Date published
23 Jul 2025