This guidance is intended to promote sound and prudent management of third-party risk and ultimately enhance financial institutions’ resilience. The expectations span the entire lifecycle of a third-party arrangement.

Scope

The expectations in this guideline apply to all third-party arrangements. They should be implemented considering:

  • the proportionality principle, meaning the financial institution’s size, nature, complexity and risk profile; and
  • criticality and risk level specific to each arrangement.

This guideline will take effect on April 1, 2027, one year after it is published. Arrangements entered into on or after that date will have to take all its provisions into account.

With respect to arrangements entered into before the effective date, the AMF considers it reasonable for financial institutions to implement the expectations entailing contractual amendments in the context of the next renewal.

If there is a renewal between the guideline’s publication date and its effective date, institutions are nonetheless encouraged to incorporate sound risk management practices into the contractual arrangements. For long-term arrangements, a criticality- and risk level-based approach should be considered when updating the arrangement.

This guideline will replace the current Outsourcing Risk Management Guideline, which will be revoked as soon as the new guideline takes effect.

What is a third-party arrangement?

A third-party arrangement is any arrangement entered into by a financial institution with an individual or another legal entity for the provision of goods or services, whether commercial or strategic in nature. Third-party arrangements generally pertain to products or services, but there are other kinds of third-party arrangements, including strategic partnership arrangements.

Third-party arrangements include, without being limited to:

  • outsourcing arrangements;
  • use of independent professional consultants;
  • intra-group arrangements;
  • distribution arrangements; and
  • other business relationships involving the provision of goods and services or the storage, use or exchange of data (for example, cloud services or software arrangements).

They exclude:

  • arrangements with clients (depositors, policyholders, etc.); and
  • employment contracts.

Implementation

The AMF reminds financial institutions that they are responsible for adopting and appropriately implementing the principles and expectations set out in the guidelines while considering the principle of proportionality (based on the nature, size and complexity of the institution’s activities and its risk profile).
