What is the EBA Regulation and How Can You Ensure Third-Party Compliance?
Around the world, every major region and financial system has its own regulatory body and norms. Sometimes these overlap, as is the case with the International Organization for Standardization (ISO), while other times they are specific to the country or region. This is the case with the European Banking Authority (EBA) whose regulations not only affect your organization, but your third parties as well.
The EBA is responsible for overseeing banking activities in the European Union, but unlike the Office of the Comptroller of the Currency (OCC) in the United States, the EBA is a relatively new organization. Established in 2011, the EBA inherited tasks formerly covered by the Committee of European Banking Supervisors (CEBS), and is now housed in Paris. Among its responsibilities, the EBA acts as a mediator in cross-border disputes, provides consumer protections, ensures market transparency and maintains a secure financial system. As the nature of modern banking changes, the EBA has also taken on substantially more responsibilities and issued new regulations regarding third-party compliance.
Third-Party Vendors and the EBA
There are many types of third-party vendors whose activities, as they relate to European banking, are regulated by the EBA. These include cloud-based web hosts, call center providers, bookkeepers, various maintenance providers and software companies, among others. Working with these third-party vendors has many advantages; these are businesses with specific expertise, and working with external providers often saves banks money. But it also presents risks.
When banks choose to work with third-party vendors, they are required to ensure that those third-party operations provide their clients with the same protections that they, as financial organizations, owe to those same individuals. That is a heavy load to carry, and it can be difficult for banks to verify which security practices their third-party vendors are actually using.
How is it possible for banks to verify that their vendors are operating in ways approved by the EBA? The simple answer is that the EBA publishes third-party outsourcing regulations meant to give banks, fintech organizations and other groups under its jurisdiction the information they need to select trustworthy partners.
Established and Changing Regulations
Until recently, banks, building authorities and a number of other services had their third-party outsourcing practices overseen by the Financial Conduct Authority (FCA). However, while the FCA is independent of the UK government, it remains a UK body. Therefore, since Brexit, EU banking authorities have had to modify their oversight processes. This has caused some confusion, but as of the EBA’s July 2018 publication, there is new and clear information regarding how EU banks should handle cloud-based outsourcing contracts, in particular.
What do the new regulations require banks to do regarding third-party organizations? Among other practices, the EBA suggests that banks should be able to access the premises of service providers, but does not include third-parties’ data centers in this expectation. This exclusion is because it wouldn’t be feasible for clients to constantly be visiting third-party data centers and doing so may present more compliance issues than it would solve. Instead, the EBA allows for pooled audits, in which multiple banks that share a third-party provider could require data center access during a single visit.
According to the new EBA guidelines, any vendor that enters into or amends a contract on or after October 1, 2019, must comply with these new EBA guidelines. In addition, contracts with vendors hired before October 1 must be remediated by the close of 2021. In other words, every bank in the EU will need to reevaluate its contracts in light of the EBA guidelines or else face penalties. This isn’t a long-term undertaking, but it will require significant reevaluation of processes, both internal and external, and banks will need assistance.
Finally, while the EBA recognizes the value of third-party contracts and outsourcing, it places a heavy burden on banks to avoid excessive outsourcing of critical functions and requires banks to specify whether they are outsourcing such functions. That means that they should not be overly reliant on a limited number of service providers, nor outsource multiple critical functions to the same third party. Furthermore, according to EBA regulations, sub-outsourcing, or fourth-party risk, is unacceptable. In addition, banks may not rely exclusively on other certifications, such as ISO 27001 compliance, as a stand-in for appropriate third-party data management.
All of this adds up to a lot of additional work for banks, work that even skilled IT departments may not be prepared to handle. It is a distraction from serving customers, but it is also necessary, which is why you need to cut through the noise and find a better solution to your compliance challenges.
Better Banking Management
How can banks meet these new operational demands going forward? Realistically, many will not have the tools necessary to reevaluate all relevant third-party contracts within the allotted time, nor will they be able to monitor all of these contracts for full EBA compliance in the future—and that’s why today’s banks need Panorays.
Panorays enables better banking management by acting as a central repository for third-party banking partners and their processes. We are fully versed in EBA expectations and all associated documentation, making it easier for banks to manage all EBA-related forms. When you’re faced with an audit or asked to prove compliance, we have everything you need on hand—and we will alert you immediately if we notice any compliance issues. Particularly as digital banking becomes more common as well as more complex, Panorays is ready to help you navigate these changing norms while ensuring your data, including your third parties’ data, is protected.
How Panorays Can Help
If your organization is struggling to adapt to the new EBA guidelines or is seeking a better way to organize compliance documentation before the 2021 deadline, Panorays has the solution you need. Contact us today to request a demo and learn more about how our third-party security platform can support your needs. With guidelines changing all the time and banks being held responsible for their third-parties’ security programs, why tackle this alone? Panorays is here to help you navigate your way to EBA compliance, for you and your third parties.