Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?
N/A - the transitional period seems appropriate.
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
The consequence of 32(f) would be that a risk or materiality assessment would need to be made to classify if a service is in scope of the Guidelines or not. Effectively it would mean that the items within Section 11.2 would need to be performed on all services purchased before being able to assess if the service is in or out of scope of the Guidelines.
As for para 33, it would be appreciated if the guidelines could be clearer or provide examples of when something is "material"; inspiration could be taken from how the classification of "Major" is made under the DORA Major Incident RTS.
This could potentially be avoided if a specific reference were inserted to the CIF assessments made under DORA. Or does the EBA assess that there will be two distinct lists of CIFs, one for DORA and one for the Guidelines?
As for para 36, suggest inserting "material" before "adverse impact", to qualify the statement since we are talking about critical or important functions.
As for para 37, suggest clarifying that the criteria are alternative and not cumulative, both in the main paragraph and by inserting "or" in 37(b)(v).
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
As for para 49, we suggest that this section be amended to reflect the wording in the EBA Guidelines and DORA, in particular that the role can be delegated, similar to what we see in the EBA Outsourcing Guidelines 38(c) and DORA Art. 5(3).
As for para 49(e), it is unclear what is meant by "ii. the definition of business requirements regarding third-party arrangements". Suggest this is clarified in the text and made explicit.
As for para 50, we are unsure how to understand (a) - why is it relevant to distinguish between the services, if the materiality of the policy, approach and TPRM governance complies with DORA or the Guidelines?
As for para 52, it would be helpful to have some clarification on what the EBA considers typical conflicts of interest outside the IGA setups already mentioned in para 54.
As for para 67, suggest considering whether the notification requirements can be removed; as there is no similar requirement under DORA, it seems strange to be "misaligned" here. We note that this may be due to PSD2 requirements, but would encourage alignment here.
Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?
N/A
Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?
We would recommend that a specific reference to para 32(f) be included in the addendum to avoid misinterpretation and conflicts within the Guidelines and to allow for a uniform approach to scope and applicability across the financial sector. This could also be satisfied by qualifying Annex I with "To the extent the acquisition of services has a material impact on the financial entities' risk exposures or on their operational resilience".
Example: the inclusion of "Marketing" and other similar services as an example of a non-ICT service in scope of the Guidelines seems not in line with the general consensus around the applicability of regulation such as this. Marketing is not something operationally relevant for most FEs and should therefore not be subject to the requirements set out in these guidelines. The examples listed seem to contradict the principles set out in para 32(f) and also list services which para 32(f) itself uses as examples of excluded services, as they "do not have a material impact on the financial entities' risk exposures or on their operational resilience".
Finally, the ESAs seem previously to have held the opinion that services covered by a licence should not also be in scope of TPRM guidelines under DORA. This is evident from Q&A DORA030 - 2999. The services listed in Annex I will effectively mean that financial services with ICT components will be subject to the Guidelines and, in reality, therefore to similar rules as the sub-contracting of ICT services under DORA. Is this intentional?