The EBA and Third-Party Risk Management
The European Banking Authority (EBA) is an independent EU Authority that ensures effective and consistent regulation and supervision across the European banking sector. In early 2019, the EBA published revised Guidelines on Outsourcing Arrangements, including specific provisions for financial institutions’ governance of outsourcing arrangements and related supervisory processes. These guidelines are consistent with outsourcing requirements under the Payments Services Directive (PSD2), the Markets in Financial Instruments Directive (MiFID II), and the Commission Delegated Regulation (EU) 2017/565.
The EBA Guidelines set out the internal governance arrangements that credit institutions, payment institutions and electronic money institutions should implement when outsourcing internal services, activities or functions. Recognizing the vast supplier ecosystem in financial services, the EBA dedicated 70 pages to the management of outsourcing in the financial services industry.
The EBA Guidelines require robust management and tracking of service provider risks. They specify that a policy for managing risk should be in place, including internal controls-based assessments and continuous monitoring of third-party outsourcing arrangements. The policy should be codified in a contract between the financial institution and the service provider, with proper documentation and reporting to support both remediation efforts and audits.
These requirements represent a full set of controls implemented across the outsourcer organization and are well beyond the scope of a simple automated scan of external-facing infrastructure.
Key Requirements
- Distinguish outsourcings that are “critical or important” from those that are not
- Perform due diligence in the outsourcing selection process
- Enable proper risk assessment, whereby all potential operational risks are identified, managed, monitored and reported
- Require contracts that set out rights of access and audit for the banks and their regulators to ensure effective oversight
- Perform ongoing assessment and continuous monitoring, with clear reporting to senior management
- Make available to authorities all documentation for transparency
- Define a clear exit strategy in the event of a failure by the service provider
Meeting EBA TPRM Guidelines
Here’s how Prevalent can help you address EBA third-party risk management guidelines:
| EBA Guidelines | How We Help |
|---|---|
| Title II – Assessment of Outsourcing Arrangements, 4 – Critical or important functions, Paragraph 30: “Particular attention should be given to the assessment of the criticality or importance of functions if the outsourcing concerns functions related to core business lines.” | The Prevalent Assessment solution enables financial institutions to classify third parties based on their importance to the organization. A selection of customizable questionnaires enables you to match the assessment requirements to the level of risk presented by the relationship. |
| Title III – Governance Framework, 5 – Sound governance arrangement and third-party risk, Paragraph 32: “Institutions and payment institutions should have a holistic institution-wide risk management framework to identify and manage all their risks, including risks caused by arrangements with third parties.” | Prevalent delivers the industry’s only purpose-built, unified platform for third-party risk management. Our solution automates the inside-out process of vendor risk assessments while including proactive continuous monitoring using an outside-in approach to reduce risk and meet the demands of regulatory compliance. |
| Title III – Governance Framework, 5 – Sound governance arrangement and third-party risk, Paragraph 33: “Institutions and payment institutions should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed.” | The Prevalent Assessment service offers security, privacy, and risk management professionals an automated platform to manage the vendor risk assessment process and determine vendor compliance with IT security, regulatory, and data privacy requirements. It employs both standard and custom questionnaires to help collect evidence and provides bi-directional remediation workflows, live reporting, and an easy-to-use dashboard for efficiency. With clear reporting and remediation guidance, the platform ensures that risks are identified and escalated to the proper channels. |
| Title III – Governance Framework, 6 – Sound governance arrangements and outsourcing, Paragraph 40(c): “When outsourcing, institutions and payment institutions should at least ensure that: | The Prevalent Third-Party Risk Management platform provides a complete solution to perform assessments, including questionnaires; an environment to include and manage documented evidence in response; workflows for managing the review and addressing findings; and robust reporting to give each level of management the information it needs to properly review the third party’s performance. |
| Title III – Governance Framework, 10 – Internal audit function, Paragraph 50: “The internal audit function’s activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions.” | The Prevalent Third-Party Risk Management platform includes effective reporting to satisfy audit and compliance requirements as well as to present findings to the board and senior management. The entire risk profile can be viewed in the centralized live reporting console, and reports can be downloaded and exported to determine compliance status. Deep reporting capabilities include filters and click-through interactive charts. The solution includes a complete repository of all documentation collected and reviewed during the diligence process. |
| Title III – Governance Framework, 12.3 – Due Diligence, Paragraphs 70 & 71: “With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation to meet its obligations. Additional factors to be considered include its business model, nature, scale, complexity, financial situation, ownership and group structure.” | The Prevalent Cyber & Business Monitoring service provides snapshot and continuous vendor monitoring for immediate notification of high-risk issues, prioritization and remediation recommendations. Data security and business risk monitoring lets you move beyond tactical vendor health to a more strategic view of a vendor’s overall information security risk. What sets Prevalent apart is its business risk monitoring, which uses human analysts to interpret potential operational, brand, regulatory, legal and financial risks. Examples include: |
| Title III – Governance Framework, 13.2 – Security of data and systems, Paragraph 82: “Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis.” | The Prevalent Third-Party Risk Management platform provides a complete solution to perform assessments, including questionnaires; an environment to include and manage documented evidence in response; workflows for managing the review and addressing findings; and robust reporting to give each level of management the information it needs to properly review the third party’s performance. |
| Title III – Governance Framework, 13.3 – Access, information and audit rights, Paragraph 87(b): “Institutions and payment institutions should ensure that the service provider grants them: | The Prevalent Assessment solution ensures service providers implement the exact, agreed-upon requirements with regular tracking and verification. Robust reporting and full audit capabilities streamline proper performance review. Access to completed assessments and audits can be delegated to auditors via standard RBAC capabilities in the platform. |
| Title III – Governance Framework, 13.3 – Access, information and audit rights, Paragraph 91: “Institutions and payment institutions may use: | Prevalent’s Vendor Evidence Sharing Networks are repositories of completed, validated vendor questionnaires and supporting evidence that eliminate the tedious, time- and resource-consuming process of collecting data from scratch. Prevalent offers both horizontal and vertical networks to speed assessment and collaboration within the community. |
| Title III – Governance Framework, 14 – Oversight of outsourced functions, Paragraph 100: “Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function.” | In addition to facilitating automated, periodic internal control-based assessments, the platform also provides cyber security and business monitoring, continually assessing third-party networks to identify potential weaknesses that could be exploited by cyber criminals. Prevalent also offers penetration testing as a service to help customers investigate vendor network operations at a much more granular level. With the integration of internal assessments, external cyber monitoring and penetration testing, covered entities gain a complete view of vendor risks plus clear and actionable remediation guidance to address those risks. |
| Title III – Governance Framework, 14 – Oversight of outsourced functions, Paragraph 104: “Institutions and payment institutions should ensure that outsourcing arrangements meet appropriate performance and quality standards in line with their policies by: a. ensuring that they receive appropriate reports from service providers; b. evaluating the performance of service providers using tools such as key performance indicators, key control indicators, service delivery reports, self-certification and independent reviews; and c. reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing.” | The Prevalent Assessment service captures and audits conversations and matches documentation or evidence against risks. Visually appealing and coherent dashboards provide a clear overview of tasks, schedules, risk activities, survey completion status, agreements, and associated documents. |
| Title III – Governance Framework, 14 – Oversight of outsourced functions, Paragraph 105: “If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions.” | The Prevalent solution includes bi-directional workflow and shared communication mechanisms to track findings and remediate issues. |
SP 800-53 r5 Supply Chain Risk Management (SR) Controls
The table below includes excerpts from the SP 800-53 r5 Supply Chain Risk Management controls and how the Prevalent platform meets these requirements. For the complete mapping, download the full NIST guide.
| SP 800-53 r5 Supply Chain Risk Management (SR) Controls | How We Help |
|---|---|
| SR-1 Policy and Procedures | Prevalent’s Program Design service defines and documents your third-party risk management program. You receive a clear plan that both meets your specific needs and incorporates best practices for end-to-end TPRM. |
| SR-2 Supply Chain Risk Management Plan | Prevalent’s Program Optimization service helps you continuously improve your Prevalent platform deployment, ensuring your TPRM program retains the flexibility and agility needed to meet changing business and regulatory requirements. |
| SR-3 Supply Chain Controls and Processes | Prevalent’s Program Design service defines and documents your third-party risk management program. You receive a clear plan that both meets your specific needs and incorporates best practices for end-to-end TPRM. |
| SR-5 Acquisition Strategies, Tools, and Methods | Prevalent helps procurement teams reduce the cost, complexity and risk of the vendor selection process. Our RFx Essentials solution centralizes the distribution, comparison and management of RFPs and RFIs. It also helps you identify potential vendor risks early through demographic, fourth-party and ESG scoring, along with optional business, reputational and financial risk insights. As a result, you can take an important first step in addressing risk across the third-party lifecycle. Once vendor selection is complete, Prevalent Contract Essentials centralizes the distribution, discussion, retention and review of vendor contracts. It also includes workflow capabilities that automate the contract lifecycle from onboarding to offboarding. With Contract Essentials, procurement and legal teams have a single solution for managing vendor contracts, simplifying administration and review, and reducing cost and risk. |
| SR-6 Supplier Assessments and Reviews | The Prevalent platform includes more than 600 standardized risk assessment survey templates (including NIST, ISO and many others), a custom survey creation wizard, and a questionnaire that maps responses to any compliance regulation or framework. All assessments are based on industry standards and cover every information security topic relevant to supply chain partners and the security controls for business resilience. Prevalent Vendor Threat Monitor continuously tracks and analyzes externally observable threats against vendors and other third parties. The service monitors the Internet and dark web for cyber threats and vulnerabilities, correlates assessment results with operational, financial, legal and brand risk research into a unified risk register, and enables centralized risk triage and response, thereby complementing and validating the security control data that vendors report through the Prevalent platform. |
| SR-8 Notification Agreements | With the Prevalent platform, you can collaborate on documents, agreements and certifications (such as NDAs, SLAs, SOWs and contracts) using built-in version control, task assignment and automated review procedures. You can also manage all documents across the entire vendor lifecycle in a centralized vendor profile. |
| SR-13 Supplier Inventory | Prevalent offers an inherent risk assessment questionnaire with clear scoring based on eight criteria to capture, track and quantify risks for all third parties. Assessment criteria include: Using the inherent risk assessment, you can automatically tier vendors, set the appropriate level of further due diligence, and determine the scope of subsequent periodic assessments. Rule-based tiering logic categorizes vendors according to a range of data interaction, financial, regulatory and reputational considerations. |