Banks face sweeping overhaul of third-party contracts under EBA rules
Financial institutions across Europe may soon be forced to renegotiate contracts with suppliers after the European Banking Authority unveiled draft guidelines to expand oversight of third-party risk management.
Aug 21, 2025
  • EBA launches consultation on draft third-party risk guidelines
  • New rules expand beyond outsourcing to cover wider supplier contracts
  • Non-ICT services such as facilities management may now be in scope
  • All supplier contracts must meet minimum requirements, with extra rules for critical services
  • Draft guidelines tighten exit and subcontracting provisions to ensure continuity
  • Firms must implement governance, risk assessment, and registers of arrangements
  • Consultation closes 8 October, with final rules expected soon
  • Existing contracts must comply at renewal or within two years

Financial institutions across Europe could soon face significant changes to the way they manage supplier contracts after the European Banking Authority (EBA) launched a consultation on new guidelines for third-party risk.

The draft guidelines are designed to broaden the scope of the EBA's existing outsourcing guidelines, issued in 2019, and to align them with the EU's Digital Operational Resilience Act (DORA).

Unlike the earlier framework, which covered only outsourcing arrangements, the new guidelines apply to third-party arrangements whether or not they qualify as outsourcing, provided they fall outside the scope of DORA, which already governs ICT services.

This means non-ICT services such as facilities management or customer services may fall under regulatory oversight for the first time.

According to Yvonne Dunn of Pinsent Masons, the EBA’s intention is clear. 

“The rationale for updating the existing guidelines is to address risks for financial institutions associated with third-party relationships and to ensure that financial institutions maintain robust oversight of all third-party suppliers, not just those relating to ICT services,” she said.

One of the most notable changes is the widening of contractual requirements. Previously, these applied only to critical or important outsourced functions. 

Under the new draft rules, every third-party contract will need to meet baseline requirements, while critical or important functions will also be subject to additional obligations. This would bring a wider range of agreements, including those unrelated to technology, within regulatory scope.

The draft guidelines also propose tougher rules on supplier transitions. Regulators have grown increasingly concerned about how financial firms manage exits and changes in providers, particularly when services are brought back in-house. 

As a result, the EBA has introduced more detailed exit requirements and stricter obligations for subcontracting, requiring continuity of critical functions across entire supply chains.

Beyond contractual terms, the guidelines impose governance obligations on financial entities. 

These include creating comprehensive policies for third-party risk management, conducting due diligence and risk assessments before engaging new suppliers, and maintaining detailed registers of all third-party arrangements. 

While these echo elements of the 2019 outsourcing framework, they apply to a far broader universe of service relationships.

The consultation will run until 8 October, after which the EBA is expected to finalize the guidelines. Once adopted, they will apply immediately to new supplier arrangements. Existing contracts will need to be updated either at renewal or within two years of a date yet to be specified.

Dunn warned that firms must act now to assess exposure. 

“Financial institutions should review their third-party service arrangements, especially those previously excluded from EBA outsourcing and DORA remediation exercises, as these may now require remediation to meet the requirements of the draft guidelines,” she said.

If adopted as drafted, the changes will significantly increase the compliance burden for financial institutions, extending regulatory oversight to areas of third-party risk that have previously escaped attention.

For many institutions, this could mean an extensive review and renegotiation of supplier agreements in the months ahead.
