Another contract remediation exercise for EU financial entities

The European Banking Authority (EBA) is currently consulting on its draft guidelines on the sound management of third party risk (Draft Guidelines), which are intended to replace the 2019 guidelines on outsourcing arrangements (2019 Guidelines).

The Draft Guidelines aim to:

• Remove the overlap with the requirements for technology service arrangements in the Digital Operational Resilience Act (DORA).
• Ensure consistency between the regulatory frameworks for the management of tech and non-tech third party risk.

EU financial entities who have recently assessed and revised their risk management frameworks and tech services contracts in order to comply with DORA (which came into force in January 2025) are likely to need to do a similar exercise for non-tech services once the Draft Guidelines have been finalised and adopted. Here we examine some of the changes the Draft Guidelines contemplate.

• Changes to in-scope service arrangements
• Requirements for in-scope contracts
• Remediations
• Want more information?

Changes to in-scope service arrangements

In comparison with the 2019 Guidelines, the types of service arrangements covered by the Draft Guidelines are narrowed in one respect but widened in another:

1. Removal of non-tech services: The Draft Guidelines do not apply to third-party service arrangements that are covered by DORA i.e. those for ICT services. ICT services are:

"digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services".

The EU Commission, in its guidance on the types of services that should be considered ICT services, has stated that the definition is intentionally broad with the aim of maintaining a high level of digital operational resilience and that it is for financial entities to assess whether their arrangements fall within this definition.

2. Extension to non-outsourcing arrangements: The Draft Guidelines apply to "third party arrangements", of which outsourcing arrangements covered by the 2019 Guidelines are a subset:

"A third party arrangement means an arrangement of any form between a financial entity and a third-party service provider (TPSP), including intragroup TPSPs, for the provision of one or more functions to the financial entity. This includes outsourcing arrangements as a subset."

"An outsourcing arrangement means an arrangement of any form between a financial entity and a TPSP, including intragroup TPSPs, by which the TPSP performs, on a recurrent or an ongoing basis, a function that would otherwise be undertaken by the financial entity itself."¹

A "third-party arrangement" is defined broadly, but the Draft Guidelines exclude its application to:

• Certain types of services, including functions that are legally required to be performed by a third party (e.g. statutory audit), clearing and settlement and correspondent banking.
• Services that "do not have material impact on the financial entities' risk exposures or on their operational resilience".²

There are no separate or specific requirements relating to outsourcing, and it may be that the distinction has been retained simply to emphasise that the Draft Guidelines apply to a wider range of (non-tech) service arrangements than the 2019 Guidelines.

Such extension of third-party risk management principles beyond outsourcing follows a general regulatory trend of focussing on financial entities' operational resilience more broadly. The Prudential Regulation Authority (PRA) had already taken a similar approach when implementing the 2019 Guidelines for UK banks and insurers in its Supervisory Statement SS2/21 on Outsourcing and Third Party Risk Management, which states that the PRA expects firms to assess the materiality and risks of all third party arrangements irrespective of whether or not they fall within the definition of outsourcing and to implement proportionate and risk-based, suitable controls for non-outsourcing arrangements that are deemed to be material or high-risk.³ DORA does not distinguish between outsourcing and other third party arrangements for ICT services at all.⁴

Requirements for in-scope contracts

The Draft Guidelines prescribe certain provisions to be included in contracts governing in-scope service arrangements.⁵ The majority of these provisions remain as they were in the 2019 Guidelines, with two key differences:

1. Materiality threshold: Materiality is still assessed with reference to whether or not the arrangement supports a critical or important function of the financial entity. However, certain provisions that the 2019 Guidelines require only in outsourcing contracts supporting critical or important functions are extended to all third party arrangements - for example, provisions that ensure that data owned by the financial entity can be accessed in the case of insolvency, resolution or discontinuation of the service provider's operations. For more information in relation to the legal issues in relation to accessing outsourced data, see our article, Can you access your outsourced data?
2. Subcontracting: Additional provisions are introduced with respect to the subcontracting of services supporting critical or important functions, which mirror those contained in the Regulatory Technical Standards on subcontracting under DORA.

Remediations

Overall, EU financial entities and their EU member state regulators are likely to welcome the EBA's approach as it eliminates the need to comply with, or supervise compliance with, two regulatory frameworks which have overlapping but slightly different, requirements. This issue was raised in the consultations on DORA as being impractical and burdensome for financial entities in terms of effort and cost. Financial entities should be able to streamline their third party risk management frameworks and contract templates for new service arrangements (both tech and non-tech) going forward.

Unfortunately, the timing means that financial entities will still need to conduct a separate analysis and remediation of their existing non-tech service arrangements to bring them into compliance with the Draft Guidelines if adopted in their current form. A transitional period of two years after the guidelines come into force is proposed for this.

Practical implications

Among other things, the analysis and remediation of existing non-tech service arrangements will involve re-classifying existing non-tech service arrangements along the following lines:

1. Excluded: Arrangements that are excluded because they do not have a material impact on a financial entity's risk exposures or on its operational resilience (or are of a service type that is otherwise excluded). Arrangements falling into this category are unlikely to have been caught by the 2019 Guidelines in any event.
2. In-scope (non-material): Arrangements that have a material impact on a financial entity's risk exposure or operational resilience, but do not support a critical or important function. However, operational resilience and critical or important functions are linked by definition,⁶ so this category appears to be limited to arrangements with a material impact on a financial entity's risk exposure in another sense, such as financial, regulatory or reputational exposure. We suspect that comments on this will be provided in consultation. In any event, this category should at least include arrangements that were classified as outsourcing but not supporting a critical or important function for purposes of the 2019 Guidelines.
3. In-scope (material): Arrangements that have a material impact on the financial entity's risk exposure or operational resilience and support a critical or important function. This category should be easier to assess, given that the criteria for determining critical or important functions are already in place. It will be interesting to see whether financial entities find that any arrangements that were not previously classified as "outsourcing supporting a critical or important function" for purposes of the 2019 Guidelines now fall into this category - we think this is unlikely.

Contractual impacts

Service contracts falling within category 3 above will need be amended to include the additional requirements on subcontracting. It is unlikely that any non-tech contracts would include these already as they were novel for tech contracts under DORA.

Contracts falling within category 2 above may require more extensive remediation to address the longer list of prescribed requirements in the Draft Guidelines.

Want more information?

For more information in relation to:

• Regulatory compliance, contract remediation and outsourcing, see NRF Outsourcing Toolkit.
• DORA, see Digital Operational Resilience Act.

Footnotes