Flavors of Regulations Impacting TPRM

Flavors of Regulations Impacting TPRM

Jul 30, 2021 | Public Policy

Regulations TPRM

July is coming to an end, and with it goes National Ice Cream Month.  Take a moment to savor the flavor of the season. Cookies-and-cream? Mint-chocolate chip? Or…Neopolitan?

There are a variety of flavors of risk to consider in third party partnerships, too, and not least among them is compliance risk.  Generally speaking, when a company outsources a function to a third party, that company’s regulatory compliance obligations follow.  In short, you need to worry about your third parties’ regulatory compliance.

While there are a plethora of laws and regulations across multiple jurisdictions that outsourcers must consider, below is a list and infographic of some of the most notable regulations impacting Third Party Risk Management.

Regulations Impacting TPRM

Regulations and Guidelines


General Data Protection Regulation (GDPR)

Adopted in April 2016 and enforceable in May 2018, the European Union’s General Data Protection Regulation, or GDPR, is widely known for its comprehensive data protection and privacy mandates.  It is no overstatement to say that many companies only started considering privacy protections for their customers because of GDPR.

Being the first such regulation of its kind, GDPR has become a model for similar national laws outside of the EU, such as the United Kingdom, Chile, Japan, and Brazil.  While the United States has yet to adopt its own national comprehensive data privacy law, its most populous state has enacted comprehensive consumer privacy legislation with many similarities to GDPR.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) became effective on January 1, 2020, and, in the absence of a federal comprehensive privacy law in the U.S., is one of the most impactful legislative developments in the country.  And given California’s status as the world’s fifth largest economy, the reach of this law extends far beyond the Golden State’s borders.

However, it’s important to note that, while the CCPA has some similarities to GDPR, there are a number of important distinctions, including regarding the nature and extent of collection limitations, and rules concerning accountability.  In other words, GDPR compliance does not equate with CCPA compliance, so companies must ensure specific CCPA compliance for both themselves and their third parties.

OCC Bulletin 2013-29

Published on October 30, 2013 (and supplemented by Bulletin 2020-10 in March 2020), the Office of the Comptroller of Currency’s Bulletin 2013-29 applies to banks and other financial institutions.  It provides specific guidance (read: expectations) to financial institutions “for assessing and managing risks associated with third-party relationships.”

The bulletin is one of the most significant standards for financial institutions in managing third-party risk, and the guidance contained in the document is invaluable for its intended purposes – even to those organizations that aren’t financial institutions.

EBA Guidelines on Outsourcing Arrangements

The European Banking Authority (EBA) has promulgated a number of guidelines on a variety of topics.  Two of are particular import to managing third-party risk.  The first of which is the EBA Guidelines on Outsourcing Arrangements, which provides guidance for financial institutions on – you guessed it – their outsourcing arrangements.

The guidelines are expansive in their scope and comprehensive in their subject matter, and compliance with them for any organization subject to EBA oversight likely requires substantial attention.

EBA Guidelines on ICT and Security Risk Management

The second of the EBA’s important guidelines are those on Information and Communication Technology (ICT) and Security Risk Management.  As the name suggests, these guidelines are more technical in nature, but are no less broad and comprehensive than the EBA’s Outsourcing Guidelines.

As with the Outsourcing Guidelines, any financial institutions subject to the EBA’s oversight are (or should be) well aware of these guidelines and their directives.  However, both remain extremely relevant for any business operating in the EU, and both should be reviewed and considered in any applicable third-party risk management programs.

Additional Resources For Regulations Impacting TPRM

GDPR Privacy Guidelines and Checklists

CCPA Privacy Guidelines and Checklists


Jeremy Byellin

Jeremy Byellin is Vice President of Legal and Regulatory Affairs at The Santa Fe Group. Jeremy is insightful and meticulous in his work, and uses his legal expertise to write relevant blogposts.

Sign up for our Newsletter

Learn about upcoming events, special offers from our partners and more.

Sub Topics