Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?
Introduction:
Since the Draft introduces the definition of a “third-party arrangement”, understood as an arrangement of any form between a financial entity and a third-party service provider, including intragroup third-party service providers, for the provision of one or more functions to the financial entity, the proposed extension of the material scope of the Draft Guidelines adversely affects the established rules of interpretation and, disproportionately to the expected goals, imposes an obligation on financial institutions to re-evaluate arrangements subject to supervision, which will lead to excessive administrative burdens and costs for the entire financial sector.
Additionally, the material changes in the Draft Guidelines, such as the proposed broader scope, will have extensive practical implications in relation to:
- Applicability of the Draft Guidelines and other legal regimes:
  - the imprecise application of the principle of proportionality impairs institutions’ ability to tailor requirements to the scale and nature of their activities, which may result in excessive burdens for entities with a smaller risk profile; the principle of proportionality will be crucial for a better understanding of which types of arrangements should be excluded from the scope of the Guidelines due to their limited impact on the safety and resilience of financial institutions.
  - the classification of agreements, particularly hybrid ones, under the appropriate regulatory regime and the effective application of different regulatory regimes, which complicates contractual and supervisory processes (further explained in point 2.2.).
  - the treatment of regulated financial services as a special category of arrangements falling within the scope of the Guidelines, where, in our view, it would be more appropriate to exclude them collectively as regulated activities for which the institution is responsible by virtue of an authorisation or licence, which in itself entails the need to meet strict requirements.
- Regulatory compliance costs by:
  - duplicating contractual obligations and effectively raising the prices of services under the new regulatory requirements,
  - broadening the scope of agreements which must be processed under internal regulations.
1.1. Issue with distinguishing between a "third-party agreement" and an "outsourcing agreement" for the correct application of regimes
The Draft introduces the definition of a “third-party arrangement”, which includes outsourcing arrangements as a subset. The definition of an outsourcing arrangement has also changed; it is now formulated as an arrangement of any form between a financial entity and a third-party service provider, including intragroup third-party service providers, by which the third-party service provider performs, on a recurrent or an ongoing basis, a function that would otherwise be undertaken by the financial entity itself.
With regard to the extended definition of outsourcing in the Draft Guidelines, it is particularly noteworthy that the following elements have been added to it:
- intra-group providers have been included in the scope of the definition,
- the criterion of continuity or repetitiveness of the provision of a function that would otherwise be performed by the financial institution itself has been included.
The comparison of these two definitions has significant consequences for financial institutions, affecting the qualification of specific third-party arrangements and creating imprecise criteria for evaluating individual agreements. A literal interpretation of the indicated definitions suggests that a third-party arrangement encompasses every agreement not explicitly excluded from the scope of the Guidelines on the basis of paragraph 32 of the Guidelines. At the same time, the definition of “third-party arrangement” itself does not directly determine whether the functions performed by the third party are to be carried out continuously or repeatedly, which contradicts the framework established for outsourcing agreements thus far. Even though such a requirement of repetitive action can be derived from paragraph 30, the absence of the terms “ongoing” or “recurrent”, in contrast to the definition of outsourcing, can be misleading in the case of third-party arrangements.
The changes introduced in the Draft Guidelines negate previous achievements and established doctrinal principles, thereby necessitating a redefinition of the scope of arrangements subject to oversight. This should be assessed as a negative change, which appears not only ill-conceived but also fails to resolve existing practical problems.
Additionally, the interpretation of these definitions becomes more challenging when considering the exemplary types of functions that can be performed by a third-party provider, as indicated in Annex I. The functions listed in the Annex imply that, regardless of the financial institution’s own assessment, activities that previously had no significant impact on business continuity or operational risk will now form part of the agreements subject to supervision.
Adopting such a broad scope of application seems to be a disproportionate measure relative to the goal intended to be achieved, as the existing rules for supervising outsourcing agreements fulfilled the objective of eliminating risks associated with using third parties to perform activities that would otherwise be undertaken by the financial institution.
Conclusion:
The material scope of the Guidelines should be limited by:
- maintaining the focus of the Guidelines on outsourcing agreements and indicating a closed catalogue of the types of arrangements with third parties which, under a risk-based approach, should be subject to additional supervision;
- further elaborating the exclusions set out in paragraph 32 of the Guidelines.
Alternative conclusion:
If the material scope of the Guidelines is to continue covering third-party arrangements:
- it is necessary to address the problems (such as use cases of the proportionality principle) that have existed to date and to create conflict rules for overlapping regimes covered by the scope of application,
- the scope of the Guidelines should be more precise and allow the Guidelines to be applied only where necessary, for example by:
  - indicating examples of functions that would automatically be considered outside the scope of third-party arrangements due to their low impact on the security of the financial institution,
  - narrowing the scope of activities of third-party providers, preferably to a closed catalogue, and in particular to certain types of activities that should be included due to the risk related to their performance,
  - allowing for the non-application of certain rules specified in the Guidelines to the contract’s provisions, provided their objective is achieved through alternative measures.
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
Introduction:
The multiple, differing legal criteria under DORA and national regulations for ICT services classified as outsourcing of critical or important functions create significant regulatory challenges for financial institutions. This results in heightened efforts from financial institutions to harmonise requirements, manage the risk of double reporting, and avoid inconsistencies, especially in agreements with an ICT component. This ambiguity increases regulatory uncertainty, the risk of duplicated obligations, and implementation difficulties.
2.1. Required change of the “whitelist” scope to the current level in the 2019 EBA outsourcing Guidelines
The new exclusion criterion introduces a criterion of material impact of a discretionary nature (material impact on the financial institution’s risk exposure and operational resilience), subject to the financial institution’s subjective judgement, which may lead to non-uniform market practice in its application (in particular in the assessment methodology criteria) and thus to differing assessments by supervisory authorities.
The Draft Guidelines’ criteria cannot be standardised in practice without additional objective assessment measures. Impact assessment and monitoring place added demands on already highly regulated financial institutions. If the criterion remains unchanged, clear, objective guidance on its application is necessary to minimise this burden. The Draft disproportionately emphasises proportionality, undermining clarity about when the Guidelines apply. Proportionality should only be considered after clear, objective criteria have established the Guidelines’ relevance to a service.
Introducing new criteria of a discretionary nature for assessing acquired services carries the risk of arbitrariness in the methodology of their application, and thus of arbitrary exclusion from the application of the Guidelines, which has far-reaching consequences for market stability as such and for the level of compliance of individual entities.
Neither the Draft Guidelines nor the EBA Guidelines on outsourcing arrangements (hereinafter as “2019 Guidelines”) envisaged exclusions for local providers of market data services and network infrastructure services. The omission of local or domestic providers of market data services and network infrastructure from the list of exclusions may result in discriminatory practices and provide undue advantage to the largest global providers. For these reasons, the exclusions are discriminatory towards local providers, for whom the cost of implementing the required changes under the Guidelines will represent a much higher proportion of operating costs than for global entities, for whom it will be relatively minor. For the former, it may be a market barrier and, in the worst-case scenario, result in them ceasing operations. Hence the call to exclude providers of market information services and network infrastructure, regardless of their size.
2.2. Issue with the interaction and prioritisation of the Digital Operational Resilience Act (hereinafter “DORA”) and EBA regimes for ICT services subject to both regulations, specifically aligning EBA TPA functions (critical/important) with DORA ICT services (supporting critical/important functions)
The Draft Guidelines are intended to supplement the framework for managing arrangements with third parties, complementing the requirements of the DORA Regulation, which entered into force on 17 January 2025. Both regimes impose obligations regarding, in particular, risk management, function classification, and contractual requirements, but differ in scope, definitions, and approach to outsourcing. In the case of ICT services that simultaneously qualify as outsourcing under the EBA regime and are covered by DORA, a question arises as to whether both regimes should be applied simultaneously, or whether one should take precedence. The lack of clear prioritisation criteria leads to regulatory uncertainty, the risk of duplicating obligations, and difficulties in implementing consistent contractual clauses. As a result, financial institutions must develop complex compliance strategies, considering both the harmonisation of requirements and practical aspects of implementation, such as updating existing contracts, managing subcontractors, or reporting to supervisory authorities.
Interpretive conflict will be particularly visible in agreements with third parties that cover both ICT and non-ICT services. Such convergence may, in practice, lead to situations where, within a single arrangement, the function provided to the financial institution is classified differently. Furthermore, this also implies a problem with identifying specific arrangements within information registers, where financial institutions will be obliged to disclose such arrangements in both the register of third-party arrangements and the information register maintained for the purposes of the DORA regulation.
Additionally, a significant challenge in this regard will also be the consideration of national regulations. Under Polish legislation, this will manifest in situations where a contract involves ICT Services supporting critical or important functions of the Bank and simultaneously constitutes regulated outsourcing (banking or investment).
Conclusion:
Given the circumstances outlined above, it is suggested to:
- establish precise conflict rules between the scope of the respective regulations;
- develop clear principles and requirements for the register of arrangements with third parties, as well as specific Guidelines to standardise it with the register maintained for the purposes of the DORA Regulation;
- reinstate the objective, market-established criterion for the exclusion of acquired services as specified in the 2019 Guidelines, namely the financial institution’s inability to provide those services internally;
- expand the list of exclusions within the Guidelines to include local providers of market information services (paragraph 32d) and network infrastructure (paragraph 32b).
Removing the global activity criterion from paragraphs 32b and 32d prevents discrimination against local market data or network infrastructure providers by ensuring the Guidelines also apply to those of domestic importance.
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
Introduction:
The Draft Guidelines require financial institutions to develop a strategy for managing third-party risk, but do not clarify how the internal management functions should be governed within the institution. The rules covered in the document are too general and far too broad for institutions to be fully responsible for the internal management of all risks related to third-party arrangements. Additionally, institutions must establish a function to oversee all third-party arrangements (excluding those under DORA), with flexibility to assign this across multiple units due to the diverse nature of the services. There is also a call for standardised contractual clauses from a high-authority body such as the EBA to support negotiations with suppliers.
3.1. Issue with effective implementation of third-party risk management, including the creation and implementation of policies and strategies, taking into account the practical application of regulations, including the issue of internal responsibility within the organisation
The Draft Guidelines, in paragraph 38, specify the obligation to establish a strategy for the sound management of third-party risk. Such a strategy should include policies for sound third-party risk management, as referred to in Section 6, and should apply on an individual basis and, where applicable, on a sub-consolidated or consolidated basis. However, the Draft Guidelines themselves do not specify how these interactions should occur; that is, whether a financial institution should have a single policy for managing external providers, covering both ICT services and other arrangements with third parties, and consequently, whether the scope of responsibility within such a policy in the Bank's structure should be assigned to a single unit within the Bank. In practice, this may also lead to different internal units of the financial institution, supervised by different Management Board members, being responsible for ICT agreements and other agreements.
Paragraph 45c requires the institution to establish a function for monitoring and supervising all third-party arrangements, with the exclusion of arrangements subject to the DORA regulation. Given the broad scope of application of the Draft Guidelines to various services and arrangements (broader than established for outsourcing), institutions should have the possibility to assign such responsibility to more than one unit within the institution. This is particularly relevant due to the diverse nature of services falling under the Guidelines regime (e.g., the risk associated with market information service providers has its own specific characteristics, inter alia, due to the global reach of such entities).
Moreover, a need has been identified to create a market standard of model contractual clauses. A standard issued by a body of unquestionable rank, such as the EBA, would strengthen the negotiating position of financial entities in the process of implementing these clauses in contracts with suppliers.
Conclusion:
- Title III of the Draft Guidelines should be clarified with regard to the risk management framework within the financial institution’s internal procedures;
- It is anticipated that EBA will explicitly reconfirm the approach on the policy as presented in 'Summary of responses to the consultation and of the EBA's analysis', and that financial institutions can decide whether they want to combine the outsourcing policy (introduced according to the EBA Guidelines on outsourcing from 2019) with the third-party risk management policy and have one document or two separate ones.
Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?
Introduction:
The Draft Guidelines introduce obligations in the contractual phase that are excessively detailed. This level of granularity imposes a significant burden on financial institutions, as it requires them to obtain information from their service providers that is often either too granular or inherently difficult to estimate with precision, such as the total annual expense or the estimated cost of each direct TPSP.
4.1. Issue with the strategy for implementing new contractual clause requirements (i.e., depending on how broadly the definition of TPA is interpreted, the problem of remediating existing contracts)
Renegotiating contractual clauses under the 2019 EBA Guidelines and DORA Regulation was already a massive and time-consuming task for banks and service providers. EBA should facilitate the process of adapting contracts to new requirements by allowing financial institutions to determine the appropriate set of contractual clauses within a specific contractual relationship. This flexibility would enable institutions to tailor agreements more effectively to the nature and risk profile of each relationship. Moreover, the renegotiation approach should be based on a risk-based methodology, ensuring proportionality and efficiency in implementation.
4.2. Scope of information provided to the supervisory authorities
Paragraph 67 refers to the scope of the notification information on any planned contractual arrangement on the provision of critical or important functions by TPSPs by reference to paragraphs 63 and 64. The requirement to notify the planned costs of the contract (par. 63k) or the date of the criticality/relevance assessment of the function of the alternative entity (par. 63j) is redundant.
Conclusion:
- The extent of information and obligations concerning contracts with third parties should be aligned with the level of risk associated with using those third parties. This method should take into account the principle of proportionality (section Background and rationale, par. 12) and allow financial institutions to apply these obligations according to the complexity and practical applicability of the established Guidelines. Leaving the scope of the notification information as proposed would infringe the proportionality principle, intended to align governance arrangements - including those for managing third-party risk - with the specific risk profile, business model, and operational scale and complexity of the financial institution, ensuring that regulatory objectives are met effectively (Title 1, section Proportionality, par. 22-24).
Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?
Introduction:
The list of functions included in Annex I of the Guidelines on third-party risk management appears overly extensive. It contains examples of tasks that do not significantly contribute to the safety or stability of financial institutions. Including such functions may lead to unnecessary administrative efforts and divert attention from areas that truly require close monitoring. A more focused approach, highlighting functions that directly affect financial security, data protection, or regulatory compliance, would help institutions manage third-party risks more effectively.
5.1. Overly extensive catalogue of services listed in Annex I
Many of the examples listed in Annex I, such as advertising and marketing, secretarial services, postal and mailing operations, or travel and entertainment, are administrative in nature and do not pose material risks to the continuity or integrity of financial institutions. Including such functions in the scope of third-party risk management may lead to disproportionate compliance efforts and distract from monitoring genuinely critical areas. Similarly, services like ATM maintenance or customer contact centres, while operationally relevant, typically follow standardised procedures and are subject to well-established controls already covered by outsourcing arrangements. Treating these with the same level of control as core financial operations, such as credit decision-making, investment portfolio management, or regulatory reporting, may dilute the effectiveness of risk oversight. A more risk-based and proportionate approach would help financial institutions focus resources on functions that truly impact financial stability and regulatory compliance.
Moreover, the exemplary list of functions implies that all the functions mentioned in Annex I will automatically be treated as third-party arrangements, without a risk-based approach to the qualification of supervised activities. This may create the assumption that even activities with a low risk profile, which would otherwise not be treated as third-party arrangements given the nature, scope or complexity of the activities, fall within the scope of the Guidelines.
Conclusion:
- Lack of clarity in this case may lead to inconsistent classification across institutions, increased administrative burden, and potential regulatory gaps. A more refined definition—based on the nature, continuity, and criticality of the function—would help ensure proportionality and alignment with existing outsourcing frameworks.