Third-Party Risk Management and the EBA Guidelines on Outsourcing Arrangements

In early 2019, the European Banking Authority (EBA) issued the EBA Guidelines on Outsourcing Arrangements ("the EBA Guidelines") for credit institutions, investment firms, payment institutions, and electronic money institutions. OneTrust Vendorpedia helps these institutions operating in the EU adhere to the guidelines with purpose-built software for compliance and the management of outsourced third-party risk.

Governance Arrangements and Third-Party Risk Management Under the EBA

The EBA Guidelines recommend that institutions and payment institutions implement a holistic risk management framework. This includes the management of third-party risks, so that decisions about cyber risk are made on an informed basis. OneTrust Vendorpedia can help institutions and payment institutions manage the outsourcing process, including assessing the risks of outsourced service providers, ensuring that proper contractual provisions are in place, and safeguarding the privacy and security of information.

Meet Compliance Obligations, Demonstrate Accountability

The EBA Guidelines specify that institutions and payment institutions cannot delegate responsibility to outsourced service providers. Accountability remains with the institution itself. OneTrust Vendorpedia helps institutions and payment institutions maintain records of all outsourcing arrangements to demonstrate accountability. With OneTrust Vendorpedia, institutions and payment institutions can identify risks and compliance gaps, automate assessment and mitigation workflows, and maintain a detailed audit trail for compliance.

Identify Third-Party Risks with Assessment Automation

Outsourced service provider (third-party) risk assessments are a critical aspect of the EBA Guidelines. With OneTrust Vendorpedia, your institution or payment institution can use templated assessments and configurable workflows to send, receive, review, and document the entire process when entering into outsourcing arrangements.

Maintain Oversight and Manage Outsourcing Risks

A third-party risk management program should evolve as outsourcing arrangements change. The EBA Guidelines emphasize the ongoing oversight of outsourcing arrangements and associated risks. OneTrust Vendorpedia adds context to risks, giving institutions and payment institutions the ability to understand how data is processed, which outsourced service providers and sub-contractors have access to it, what controls are in place, and where it resides.

Process Data in Accordance with the GDPR

The EBA Guidelines expressly refer to institutions’ and payment institutions’ obligations under the EU’s General Data Protection Regulation (GDPR), a landmark data protection law. OneTrust is a pioneer in privacy management and has helped thousands of organizations demonstrate GDPR compliance. Vendorpedia helps streamline third-party risk compliance with the GDPR as it relates to outsourced service providers and their sub-contractors.


Key Capabilities for Managing Third-Party Risks to Meet EBA Outsourcing Obligations

Outsourcing Governance

Gain visibility into all third-party risks associated with outsourcing, so that compliance gaps can be prioritized and addressed as required.

Control Tracking

Oversee the internal implementation of security and privacy controls, while tracking the controls that outsourced service providers have in place.

Risk Management

Identify, assess, monitor, manage, and report on third-party risks, and track mitigation, all in a single platform.