Overview of new proposed draft EBA Guidelines

The consultation:

• Aims to strengthen governance and risk management of third-party service provider (TPSP) arrangements by financial entities.

• Applies to credit institutions, investment firms (excluding small/non-interconnected), payment institutions, electronic money institutions, issuers of asset-referenced tokens, and certain creditors. As such the scope of outsourcing guidelines is extended to cover more investment firms, MiCAR authorised issuer of asset reference tokens and non-bank creditors under the Mortgage Credit Directors.

• Covers non-ICT services; ICT services are governed by The Digital Operational Resilience Act.

• Firms remain fully responsible for all outsourced functions.
• Use of TPSP must not result in “empty shell” institutions lacking substance.
• Proportionality principle applies based on size, complexity, and risk profile.

• Management body must:

• Approve and oversee TPSP risk strategy.

• Ensure adequate resources and internal controls.

• Maintain business continuity and exit strategies.

• Internal audit must review TPSP arrangements, especially critical ones.

1. Pre-Contractual Phase

• Risk assessment, due diligence, conflict of interest checks.

• Supervisory conditions for TPSPs, especially in third countries.

2. Contractual Phase

• Clear allocation of responsibilities.

• Audit, access, and termination rights.

• Subcontracting conditions for critical functions.

3. Monitoring

• Ongoing performance evaluation.

• Reassessment of criticality and risk.

• Regular reporting to management.

4. Exit Strategies

• Documented plans for critical functions.

• Ensure continuity during transition or termination.

• Defined as functions whose disruption would:

• Impair financial performance.

• Affect compliance or service continuity.

• Stricter requirements apply (e.g., audit rights, exit plans, due diligence).

• Maintain a detailed register of all TPSP arrangements.

• Include criticality, subcontracting, audit history, and cost data.

• Submit register and updates to competent authorities upon request.

• Supervise third-party arrangements through supervisory review and evaluation processes.
• Monitor concentration risks and systemic implications.
• Ensure entities are not operating as “letter-box” institutions.

• Annex I of the proposed guidelines provide a set of examples to help firms with the classification of functions provided by TPSPs. The list is not exhaustive, and firms are encouraged to use their own classification methods if those are more suitable or accurate.

• Consultation open until 8 October 2025

• Guidelines apply from a future date (TBD), with a 2-year transitional period for existing arrangements