NBU Introduced New Requirements for Third-Party Risk Management for Banks, Payment Institutions, and Insurers
The NBU has comprehensively updated the regulatory framework for risk management by introducing requirements for third-party risk management. The new rules apply to banks and banking groups, providers of financial payment services, and insurers, but do not impose regulatory requirements on business entities that are not supervised by the NBU.
Why the NBU Introduced New Requirements
The National Bank noted that the changes are aimed at strengthening the operational resilience of the financial sector and ensuring its continuous operation amid increasing risks associated with the active use of services from external suppliers, contractors, agents, technology operators, and other counterparties by banks, payment institutions, and insurers.
The regulator emphasizes that external suppliers can be a source of additional risks to the continuity of institutions' operations, fulfillment of their obligations, information protection, cybersecurity, compliance with legislation, financial stability of institutions, and the stability of the financial system as a whole. Moreover, operations involving client funds and access to banking or financial secrecy, as well as personal data, require proper guarantees for the protection of information and the interests of depositors and creditors.
The NBU stated that the changes were developed taking into account international standards and European approaches, including recommendations of the Basel Committee on Banking Supervision, directives on payment services (PSD2), and insurer solvency (Solvency II).
What Will Change for Banks
For banks and banking groups, the amendments to the Regulation on the Organization of the Risk Management System establish requirements regarding:
- identification, assessment, control, monitoring, and minimization of risks associated with engaging third parties;
- organization of management decision-making processes, assessment of counterparties' reliability, control over their fulfillment of obligations, and timely response to circumstances that may pose a threat to the stable operation of the bank;
- preliminary assessment of counterparties, analysis of their financial condition, business reputation, and operational capacity, continuous monitoring, compliance with minimum contractual requirements without interfering in their commercial component, and development of termination plans;
- definition of criteria under which cooperation with a third party may create critical risks to the continuity of the bank's operations and its clients.
The changes were approved by the Board of the National Bank of Ukraine on June 30, 2026, Resolution No. 70, which came into force on July 1, 2026.
Requirements Established for Payment Service Providers
Amendments to the regulations on the authorization of activities and management system of financial payment service providers provide for:
- creation of effective mechanisms for third-party risk management in compliance with the proportionality principle;
- assessment of third-party risk at all stages of interaction with the supplier;
- verification of the supplier before concluding a critical contract;
- proper documentation of risk assessment procedures;
- continuous monitoring of suppliers' compliance with established requirements;
- definition of actions in case of supplier non-compliance with established requirements;
- ensuring the continuity of payment services considering third-party risk.
These changes were approved by the NBU Board Resolution No. 72 dated June 30, 2026, which came into force on July 1, 2026.
What Will Change for Insurers
For insurers, the amendments to regulatory documents provide for:
- definition of criteria for important functions and processes of the insurer;
- requirements for checking potential outsourcers before transferring important functions to them;
- expansion of the requirements for contracts with outsourcers regarding the performance of important functions;
- updating requirements for the content of the insurer's business continuity plan.
These changes were approved by the Board of the National Bank of Ukraine on June 30, 2026, Resolution No. 73, which came into force on July 1, 2026.