Editorial

The Clock Is Ticking: Why Financial Institutions Must Act Now on Third-Party Risk

The European Banking Authority (EBA) has sounded the alarm, and it’s not one to be ignored. In its newly released Consultation Paper on the Sound Management of Third-Party Risk, the EBA lays bare a stark reality: financial institutions across Europe are increasingly exposed to operational vulnerabilities through their reliance on third-party service providers (TPSPs). The message is clear: act now, or risk becoming an empty shell.

Contributor

Liliana joined Delta Capita in September 2021. She is a highly motivated, multilingual operations professional with a broad range of knowledge and experience within the Financial Services industry.

Liliana Hillebrand-Measures
Principal Consultant

A New Era of Accountability

Gone are the days when outsourcing was a mere operational convenience. The EBA’s draft Guidelines, open for consultation until 8 October 2025, mark a decisive shift from traditional outsourcing frameworks to a holistic governance model that encompasses all third-party arrangements, excluding ICT services, which are now governed under the Digital Operational Resilience Act (DORA).

This is not just regulatory housekeeping. It’s a strategic imperative. The Guidelines demand that financial entities reassert control over their outsourced functions, especially those deemed “critical or important.” These are not optional tweaks; they are structural reforms aimed at safeguarding the integrity of the financial system.

Why the Urgency?

The EBA’s rationale is compelling. Financial institutions have leaned heavily on TPSPs to cut costs and boost efficiency. But this dependency has bred concentration risks, governance gaps, and operational fragility, particularly when services are sourced from providers outside the EU.  

The Guidelines warn against the rise of “empty shell” institutions, where entities outsource so extensively that they lose the capacity to manage their own risks. This is not just a compliance issue; it’s a threat to authorisation status and supervisory oversight.

What Must Be Done?

The Guidelines prescribe a full lifecycle approach to third-party risk management:

  • Pre-contractual analysis: rigorous due diligence and risk assessments.
  • Contractual safeguards: clear audit rights, termination clauses, and subcontracting controls.
  • Ongoing monitoring: continuous oversight and documentation.
  • Exit strategies: robust plans for disengagement without disruption.  


Moreover, financial entities must update their registers to reflect non-ICT third-party arrangements, ensuring alignment with DORA’s ICT register.

A two-year transitional period has been granted, but the clock is already ticking.  

The Call to Action


This is not a box-ticking exercise. It’s a call to rebuild trust, fortify resilience, and reclaim governance. The EBA is inviting comments, but more importantly, it is demanding leadership. Financial entities must not wait for the final Guidelines to be published. They must begin the transformation now.

The stakes are high. The risks are real. And the time to act is now.

Delta Capita: Practitioner-Led Third-Party Risk Management Expertise

As independent third-party providers, we bring unique insights grounded in real-world delivery. Our practitioner-led team has deep experience navigating regulatory complexity and operational risk across financial services.

Our Third-Party Risk Management (TPRM) Health Check is a rapid, targeted engagement that delivers a clear, actionable view of your current risk posture. We help you:

  • Identify gaps
  • Benchmark resilience maturity
  • Prioritise next steps


Whether you're a financial institution or tech provider, our Health Check enables you to strengthen your TPRM framework and build digital resilience - quickly and confidently.

To learn how Delta Capita can support your organisation in meeting upcoming TPRM requirements, please contact:
Karan Kapoor – Partner & Global Head of Regulation and Risk
Martin Hillier – Partner & Global Head of Transformation and Change