Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?
The Futures Industry Association (FIA) is the leading global trade organization for the futures, options and centrally cleared derivatives markets. FIA’s member firms include clearing firms, exchanges, clearinghouses, and trading and commercial firms that operate in the exchange-traded derivatives markets. FIA Members appreciate the opportunity to provide feedback to the European Banking Authority (EBA) Consultation Paper on draft Guidelines on the sound management of third-party risk.
In our response, FIA highlights issues for consideration by the EBA for the Guidelines to more proportionately enhance third party oversight in the EU financial sector landscape. FIA stands ready to give further feedback as requested by the EBA on the issues raised in this response.
Scope of application
FIA comments: Recognising the regulatory objective of the EU authorities for the harmonization of third-party risk management (TPRM) across the EU, the frameworks established by the Digital Operational Resilience Act (DORA) and the EBA create a distinction between ICT and non-ICT third-party arrangements. This distinction lacks practical value from a risk management standpoint—especially considering the shared oversight expectations. In practice, this split is likely to generate uncertainty for organisations, compelling them to make subjective judgments about what qualifies as “predominantly” ICT. Such ambiguity adds unnecessary layers of complexity and operational strain, particularly for services that integrate both ICT and non-ICT components. We therefore recommend that regulators permit some degree of overlap or flexibility in classification, allowing firms to adopt a consistent, risk-based oversight approach without having to retroactively reclassify arrangements under DORA or justify their classifications to supervisory bodies.
To ensure the Guidelines (GLs) achieve their stated objective, it is critical that National Competent Authorities (NCAs) are influenced to implement and supervise the Guidelines in a consistent manner. This will be particularly important as firms operationalise requirements for the broader population of arrangements now in scope. This includes actively avoiding national gold-plating or additional supervisory expectations that go beyond the common framework established by the EBA - a challenge seen in the application of the 2019 Outsourcing GLs. The ESAs should proactively monitor and guide NCAs toward uniform interpretation and application of the GLs under their mandate for supervisory convergence.
Proportionality
FIA Members agree that expanding the scope from outsourcing to all non-ICT third-party arrangements aligns with broader third party risk management regulatory trends. We welcome the regulators’ guidance that financial entities and competent authorities should, when complying or supervising compliance with these Guidelines, have regard to the principle of proportionality.
However, given the sheer volume and diversity of arrangements now in scope, applying a proportionate and risk-based approach is more critical than ever to ensure expectations remain operationally feasible. FIA Members highlight the remediation burden and potential uplift required to implement these Guidelines across a broader population of third-party arrangements.
Moreover, there is scope to strengthen proportionality further—particularly in the areas of contractual requirements and the register of information—to ensure the framework remains both effective and practical (see response to Questions 3 and 4).
Interaction with DORA
FIA comments: FIA strongly supports alignment of the EBA Guidelines with DORA to ensure a level playing field and consistent TPRM standards across ICT and non-ICT arrangements in the EU. However, the 2025 Guidelines’ hybrid model—retaining elements of the 2019 Outsourcing Guidelines alongside DORA provisions—risks diluting these objectives. By introducing requirements that exceed DORA, applying divergent methodologies, and adding unnecessary complexity, the layered framework could undermine the EBA’s objective of simplification, harmonization and supervisory convergence. For Critical and Important Functions (CIFs) in particular, this approach threatens to complicate assessments and disrupt firms’ ability to maintain consistency with DORA. In view of this, FIA recommends alignments in various areas throughout our response to this consultation.
Terminology
FIA comments: To minimise overlap and ambiguity, we strongly urge the EBA (and EU supervisory bodies) to implement and harmonise a unified, tiered terminology framework.
- Function: refers to the financial entity’s own functions, operations or business lines (i.e., consistently with ‘critical or important functions’ which are framed around the key services provided by a financial entity);
- Service: refers to the service delivered by the third-party service provider to support the financial entity’s functions;
- Arrangement: refers to the contractual relationship with the third-party provider under which a service is provided;
- Activity: refers to the specific processes or tasks within a function, which may be supported by third-party services.
FIA notes that the inconsistent and interchangeable application of this terminology introduces complexity, as illustrated by the following examples:
- Para 54: “When functions are provided by a TPSP…the conditions…for the service provided by a TPSP..”
- There is a lack of clarity around whether the EBA aims to differentiate between the outsourcing of a whole function and the provision of a supporting service to that function, or if these terms are being treated as synonymous.
- “critical or important functions provided by TPSPs” (multiple references in the Guidelines)
- This phrasing is inaccurate, as third-party providers do not directly “provide” a financial entity’s function. A more precise terminology would be: “services provided by TPSPs that support critical or important functions.”
- Para 63.i.: “whether or not (yes/no) the function provided by a TPSP is considered critical or important…”
- It remains unclear whether the reference pertains to the firm's evaluation of the criticality of the financial entity’s function that the third-party service supports, or to the firm's risk assessment of the third-party service itself—including its materiality to the critical or important function (CIF). It’s important to note that a service supporting a CIF does not inherently qualify as critical.
Definition of critical or important function (CIF):
(16) A function, the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law.
FIA Comments: Although the guidelines contain a definition of Critical or Important Function that is consistent with DORA, the application of that definition in Para 33 is not. The guidelines expand the application of discontinued, defective or failed performance (in addition to disruption) to both (b) financial performance and (c) the soundness or continuity of services and activities. In DORA these tests would only apply to (a) continuing compliance of the financial entity.
Transitional arrangements
(19) Where the review of third-party arrangements of critical or important functions is not finalised by [date: 2 years from the date of application], financial entities should inform their competent authority of that fact, including the measures planned to complete the review or the possible exit strategy.
(20) Financial entities should complete the documentation of all existing third-party arrangements in line with these Guidelines following the first renewal date of each existing third-party arrangement, but by no later than [date: 2 years from the date of application].
FIA comments: FIA highlights that a two-year timeline may not be sufficient to remediate all relevant contracts. As a minimum timeline, we recommend that the EBA revise the transitional arrangement to require remediation by whichever is later: the next contractual event or two years following the effective date. Since not all contracts adhere to a standard 1–2 year renewal cycle, setting the next contracting event as the final deadline would help prevent unnecessary administrative complexity. Many firms are already substantively compliant, having adopted contractual terms consistent with the 2019 EBA Guidelines and national outsourcing regulations. Therefore, firms should not be compelled to reopen or renegotiate existing contracts solely to update language in line with the revised Guidelines. Additionally, we would propose a 9-month window between finalization of the guidelines and the commencement of the two-year implementation period.
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
Sound management of third-party risks
FIA Comments: From the list of functions excluded from the scope of these Guidelines (paragraph 32), FIA recommends adding ‘services falling in scope of other EU regulations, or third country regulations’[1].
Given existing regulatory coverage, FIA recommends increased proportionality should be applied to the treatment of regulated financial services under these guidelines. This would reduce the compliance burden for firms with multiple intra-financial arrangements, without detriment to sectoral resilience. This would also align with broader supervisory convergence goals, namely for regulated financial services to avoid duplicative regulatory oversight.
In particular, we note that although ‘clearing’ and ‘settlement’ are excluded from the scope of these Guidelines, these regulated financial services appear in the Annex of the EBA Guidelines. We urge policymakers to clarify that clearing and settlement do not fall within scope and that the references to these services should be removed from the Annex. Moreover, the proportionality principle should be embedded within Section 11.1 on supervisory conditions for contracting to deliver consistency with DORA, while the exclusion of clearing and settlement arrangements provided at paragraph 32.c should be expanded to include a broader range of regulated Financial Market Infrastructure entities (e.g. trading venues, investment firms).
We acknowledge the helpful clarification provided by the EBA that the prudential focus and intent of the exclusion at paragraph 32.f is to focus the scope of the Guidelines on services that have a material impact on the firm’s operational risk and operational resilience. However, we remain concerned that the current language may not clearly convey a materiality threshold aligned with that stated prudential objective.
The reference to “risk exposures” is potentially too broad – particularly in contrast to the substantially higher threshold of impact to a firm’s operational resilience. If the intention is to set a relatively high bar – focusing on services that could, if disrupted, materially impair the financial entity’s ability to deliver its critical service or functions – we urge the EBA to clarify this threshold.
The expanded scope of the Guidelines risks capturing short-term arrangements that could foreseeably meet the materiality threshold under paragraph 32.f. These arrangements do not justify the application of all the contractual and oversight requirements as the financial entity is not placing continuing reliance on the third-party. For example, sponsorship arrangements are typically short term (i.e. less than a year) and event-specific. Another example is proof of concept or evaluation agreements which are designed to test a supplier’s technology or service before a longer term arrangement is entered into. These types of arrangements may not clearly fall within the exclusions under paragraph 32(f) but arguably do not reflect the kind of third-party reliance the framework is intended to address. We encourage clarification that such arrangements fall outside scope.
Critical or Important Functions
FIA comments: During the DORA consultation process, the ESAs received feedback from industry, noting concern that the lack of convergence in the definition of 'critical or important' functions in both the EBA Guidelines on Outsourcing and DORA could “result in dualism in outsourcing systems in financial entities.” The ESAs responded to confirm that the “definition of critical or important is provided by DORA and the definition under the [EBA outsourcing] guidelines is consistent also. There is no contradiction between the two”.
However, while the revised definition proposed for the 2025 Guidelines is the same as under DORA, the additional criteria and categories of functions risk divergence in methodologies and approaches in how firms categorise their CIFs under DORA versus the EBA Guidelines. While we welcome the EBA’s clarification at the recent public hearing that the CIF criteria in the Guidelines are non-mandatory and intended to support firms in assessing their CIFs, this clarification alone is not sufficient to mitigate the risk of divergence in supervisory implementation. In practice, supervisory authorities historically treat these considerations as de facto requirements, leading to inconsistent implementation under the DORA and EBA frameworks.
FIA strongly recommends removing paragraphs 34 to 37 to allow firms to continue utilising and evolving their existing methodologies. These additional criteria introduce a presumption of criticality where the same factors were framed as guidance to inform risk-based decisions in the 2019 EBA Guidelines (not to predetermine them). FIA highlights this will lead to diverging internal classification methodologies between DORA and the EBA Guidelines, and it is not in keeping with the intended purpose of these Guidelines to invite the possibility of reassessment of firms’ CIFs under DORA.
Alternatively, if the EBA chooses to retain these paragraphs, it might be helpful to provide an explicit statement in the final Guidelines that:
- confirms the CIF assessment methodology is intended to be fully aligned with DORA; and
- clarifies that the considerations provided in paragraphs 34 to 37 are not intended to be mandatory/exhaustive and are not to be interpreted as expanding the scope of CIFs beyond DORA.
However, even if such a statement is included, we anticipate further complexity for firms in determining their CIFs and the risk of divergence between CIFs within a third-party risk management context and CIFs within an operational resilience context. The CIF definition is already expansive due to the inclusion of the second limb in paragraph 33.a – i.e., where the failure of the function would materially impair the continuing compliance of a financial entity with its obligations under applicable financial services law.
A large portion of operations within a financial entity (i.e. a bank) could be considered as having the potential to impair continuing compliance given the range of various laws under which the financial sector operates (e.g. employment law, tax law, environmental rules). While this is clearly an important consideration in a firm’s broader risk and control frameworks, it introduces a low threshold for CIF designation – one that risks capturing a wide range of functions that may have a high inherent risk (and may require the application of enhanced due diligence, monitoring and control requirements), but do not support resilience-critical operations and therefore do not need to be subject to resilience-related controls (e.g., scenario analysis, joint resilience testing or incident reporting – which are widely recognised as being the most complex and resource intensive to execute). In practice, financial entities are likely to address this by creating a multi-tier structure of “functions” considered CIFs for the purpose of compliance and those which are considered CIFs for the purpose of truly managing the resilience of the entity. This creates additional governance and complexity for financial entities while not benefitting risk management or resilience.
This applies specifically to internal control functions, which should not presumptively be considered or classified as a CIF – as suggested by paragraph 34 – because not every function, or every task supporting it, would typically give rise to the kind of operational risk or resilience concerns that would warrant classification as a CIF. For example, internal audit functions, or the operational tasks supporting them, are important to ensure oversight and risk management frameworks are working as intended – but their disruption would not lead to the kind of impact that would threaten the firm’s operational continuity.
[1] We would note European Commission guidance on regulated entities not being ICT service providers under DORA to avoid duplicative regulatory oversight under certain conditions: https://www.eiopa.europa.eu/qa-regulation/questions-and-answers-database/dora030-2999_en
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
Business continuity plans (BCPs)
58. Financial entities shall have their business continuity plans in line with the EBA Guidelines on internal governance under Directive 2013/36/EU, the EBA Guidelines on internal governance under IFD (EBA/GL/2021/14) and the EBA GLs on the minimum content of the governance arrangements for issuers of ARTs.
FIA Comment: The 2025 guidelines introduce an explicit requirement (paragraph 58) that BCPs related to third party arrangements must align with the internal governance GLs. We understand this stems from additional guidance by the Prudential Regulatory Authority and the Central Bank of Ireland to the 2019 rules. FIA Members highlight that this diverges from, and applies a different standard than, DORA contractual expectations, creating additional complexity for financial institutions.
Documentation requirements
FIA Comments: The broadened scope for the register of information marks a substantial increase in reporting requirements compared to the prior guidelines. This expansion risks imposing a considerable operational burden although we appreciate the EBA’s intention to provide flexibility in the alignment with the DORA register and to take a “lighter touch” to the reporting requirements. However, in practice, this approach risks creating complexity for firms and the possibility of divergence in implementation across firms and member states – therefore undermining harmonization objectives. Without the clear expectation of an aligned approach, firms may face supervisory scrutiny and pressure to justify decisions not to merge or fully align registers, undermining rather than supporting the broader EU simplification and convergence agenda. A unified, but proportionate register for all third-party arrangements could be achieved by:
- ensuring the broader population of third-party arrangements are not subject to unnecessary reporting requirements – i.e., flexibility or exclusion of data requirements for lower-risk arrangements, especially non-ICT, non-outsourcing arrangements; and
- providing optionality for data fields that are not applicable to all third-party arrangements – i.e., ensuring any data-related or ICT-specific fields are optional where not applicable.
The documentation requirements (paragraph 61) also require firms to retain documentation for terminated contracts “for an appropriate period of at least 5 years”. FIA Members highlight that this retention period was deliberately removed from DORA during the legislative process. Reintroducing it in the 2025 Guidelines would increase divergence and apply a different standard than DORA.
FIA highlights the following comments linked to the requirements for register data fields under paragraph 63:
a. a reference number for each third-party arrangement and the type of contractual arrangement chosen (“Standalone arrangement”, “Overarching arrangement”, or “Subsequent or associated arrangement”; for the latter option, the reference number of the overarching arrangement should be specified)
FIA comment: Regulatory requirements such as this at times appear to conflate the third-party service with the contractual arrangement through which it is delivered. These are distinct concepts and conflating the two can lead to operational and compliance challenges for firms, particularly where a single contract covers multiple services. Oversight, classification and register reporting requirements should attach to the service, not the legal contract that gives effect to it. We encourage regulatory expectations to reflect this distinction more clearly.
b. the start date and, as applicable, the next contract renewal date, the end date including the reason of the termination or ending of the contractual arrangement and/or notice periods for the TPSP and for the financial entity;
FIA comment: The requirement to provide an end date and reason for the termination should not apply as services that have been terminated during the reporting period would not be captured in the register. There is no clear risk management benefit, and historical versions of the register could be reviewed by authorities if needed. Retaining this requirement adds unnecessary complexity and should be removed. Additionally, DORA only requires a notice period for third-parties supporting CIFs which should be reflected in the Guidelines.
e. a brief description of the functions provided by the TPSPs;
FIA comment: As noted above, this should be amended to refer to the “services” provided by the TPSPs. Additionally, DORA only requires notice periods for third-parties supporting CIFs which should be reflected in the Guidelines.
g. the name of the TPSP, an identifier (LEI, EUID for legal persons, alternative codes – eg. VAT number, Passport Number, National Identity Number - for individuals acting in a business capacity), the corporate registration number, the registered address and other relevant contact details, and the name of its ultimate parent company and an identifier (LEI, EUID) (if any);
FIA comment: This requirement goes beyond DORA by asking for “other relevant contact details” and “name of its ultimate parent company”. It is unclear what benefit third-party (TP) contact details provide to supervisory oversight and objectives, noting that these are also constantly changing. These should be removed.
We support the use of LEIs to support supervisory and oversight objectives. However, the industry is concerned that extending the requirement to procure LEIs for all third-party arrangements will present significant challenges in practice. Notably, there is currently no standardised approach to the information entities could be required to submit to obtain an LEI – in some cases, the information requested is onerous and has no bearing on LEI issuance. This is particularly problematic for private companies. To ensure the requirement remains proportionate and does not impose an undue operational burden on financial entities (whilst also supporting supervisory objectives), we propose limiting mandatory LEI collection to third-parties delivering services supporting CIFs, and/or introducing flexibility in the requirement for non-CIFs (e.g., “if applicable”).
h. the country or countries where the function is to be performed and where the data is processed including storage;
FIA comment: As noted above, this should be amended to refer to the “services” performed by the TPSPs to avoid ambiguity. Additionally, DORA only requires the country where the service is provided for third-party services supporting CIFs, which should be reflected in the Guidelines.
i. whether or not (yes/no) the function provided by a TPSP is considered critical or important, including, where applicable, a brief summary of the reasons why this function is considered critical or important;
FIA comment: As above, the reference to the criticality of the “function provided by a TPSP” is misleading and creates ambiguity as to whether the EBA is referring to the firm’s assessment of the criticality of the function that the third-party service supports. This should be amended to “whether the function is considered critical or important”.
Additional comments on the requirements for register data fields for third-party services supporting CIFs under paragraph 64 are as follows:
d. the outcome and date of the last assessment performed of the TPSP’s substitutability (as easy, medium, highly complex or impossible to substitute);
FIA comment: This requirement should be removed as it goes beyond both DORA and the ECB Outsourcing Register for Significant Institutions. Additionally, the date of the last criticality assessment is already provided, which should sufficiently evidence this data field.
e. the summary and date of the last assessment performed of the possibility of reintegrating a critical or important function into the financial entity or the impact of discontinuing the critical or important function together with the recovery time objective of the function and the recovery point objective of the function.
FIA comment: The summary and date of the last assessment performed of the possibility of reintegrating should be removed – it is not required in DORA and the ‘last assessment date for criticality’ is already asked and should sufficiently evidence this requirement.
h. the estimated annual budget cost of the third-party arrangement for the past year
FIA comment: This requirement is operationally challenging to assess – particularly at service level – and is potentially commercially sensitive. It is also unclear what supervisory value this information provides. The cost of a third-party arrangement does not meaningfully reflect its inherent risk or criticality (i.e., a high-cost contract may relate to non-critical service, while a lower-cost contract may underpin essential services). Cost also does not reliably indicate the degree of operational dependency or the extent to which a service may be substitutable. As such, cost should not be treated as a proxy for risk exposure and it is unclear what supervisory value this data provides – particularly given the challenges of accurately apportioning service-level cost across multiple legal entities.
Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?
Subcontracting of critical or important functions
FIA Comments: The 2025 Guidelines retain the 2019 definition of subcontracting (previously “sub-outsourcing”)—covering subcontractors that provide or support CIFs—but stop short of adopting DORA’s more targeted Level 1 framing of subcontractors that “effectively underpin services supporting CIFs” (i.e., material subcontractors). This has the potential to result in an overly broad interpretation of what constitutes a “material subcontractor.”
As FIA has highlighted in relation to DORA’s Register ITS and Subcontracting RTS, treating every subcontractor linked to a CIF as equally material—regardless of their role, significance, or potential impact—moves away from a risk-based approach. Such an approach can undermine supervisory priorities and divert resources from monitoring providers that present the highest risks. To ensure supply chain oversight remains proportionate and effective, the 2025 Guidelines should align their terminology and underlying concepts with DORA (including the RTS on subcontracting), enabling a consistent approach across regulatory regimes.
With reference to the change management relative to written agreements between the financial entity and the TPSP that supports critical or important functions (paragraph 90, last subparagraph), and to support proportionality, we would welcome communication from the EBA that it is for firms to demonstrate how they have met the requirement to act in a timely manner.
Contractual provisions and Termination rights
FIA Comments: The expectations on contractual provisions outlined in the 2025 Guidelines largely mirror the requirements set forth in Article 30 of DORA, including the heightened standards for arrangements supporting Critical and Important Functions (CIFs). However, the Guidelines also preserve elements from the 2019 framework, with some provisions only partially aligning with DORA’s language and intent.
FIA strongly recommends that the 2025 Guidelines achieve full consistency with DORA, except where provisions specifically address ICT-related issues. It is encouraging that the EBA has removed the additional data security clauses and penetration testing mandates from the 2019 Guidelines, as well as the ICT risk-related termination scenarios previously included in DORA. Yet, retaining outdated 2019 phrasing where the substance matches DORA’s provisions lacks justification—for instance, the phrase “impediments capable of altering performance” should be replaced with the clearer wording in DORA’s Article 28(7)(c), which references “circumstances evidenced throughout monitoring deemed capable of altering performance,” including the associated termination rights.
Moreover, given the expanded scope now encompassing a wide array of third-party arrangements beyond traditional outsourcing, certain requirements become impractical or irrelevant in some contexts. Obligations related to data processing and storage locations, data confidentiality, and access controls—as set out in sections 85(c), (g), and (h)—may not apply meaningfully to many non-ICT service arrangements, particularly those involving only inbound data flows.
Finally, we acknowledge and support the risk-based approach to the requirements applying to CIFs and non-CIFs. However, the current baseline expectations may still prove overly burdensome when applied to third-party arrangements more broadly than outsourcing arrangements. Certain lower risk third-party arrangements that may now fall in scope of the Guidelines may not warrant certain contractual standards (e.g. a sponsorship arrangement would not require provisions relating to data location or certain termination rights). We therefore recommend strengthening proportionality and expressly clarifying that financial entities should adopt a risk-based approach when determining which provisions are appropriate for the broader population of non-CIF third-party arrangements (provided a legally binding agreement is in place).
Risk Assessment of third party arrangements
FIA Comments: The updated guidelines broaden the scope of risk assessment to go beyond operational risk alone, explicitly including reputational, legal, and concentration risks as distinct risk categories (paragraphs 73 and 74). This expands the scope beyond what is considered a risk-based and practically implementable approach. According to DORA (Article 5 of the RTS on ICT Policy), the specified risk factors are narrowly focused on ICT services that support critical or important functions (CIFs). In contrast, Paragraph 74 introduces a more general expectation for financial institutions to evaluate the impact of all third-party arrangements across all relevant risks. To avoid unnecessary operational burden, the risk assessment framework should be clearly aligned with DORA’s provisions.
We acknowledge the importance of identifying and managing concentration risk. However, it is important to recognise that third-party arrangements are often contracted at group level. As such, meaningful assessment of concentration risk is typically most effective at the group level. Requiring individual legal entities to conduct entity-level concentration risk assessments may therefore not materially improve risk outcomes, particularly where those entities have limited ability to manage or mitigate group-level arrangements. We therefore propose a proportionate approach that allows entities to rely on group-level assessments where appropriate – otherwise, this could result in a compliance exercise with limited value for actual risk management and supervisory oversight.
Due diligence
FIA Comments: The due diligence expectations should support clear alignment with DORA to avoid gold-plated expectations. Gold-plated expectations will create regulatory divergence, leading to operational complexity for firms. For instance, paragraph 81.c requires firms to assess geographic risk dependencies (i.e. relating to the economic, financial, political, legal and regulatory jurisdictions where the service is provided). Whilst financial entities routinely assess location-related risks (including risks linked to the jurisdiction where services are delivered and data is processed / stored), this requirement introduces a granular and disproportionate burden which goes beyond current practice and is not required under DORA.
Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?
FIA comment: Considering the current proposed Level 1 and Level 2 Categories and considering the exclusionary text noted in paragraph 32.f: “As a general principle, the following functions are excluded from the scope of these Guidelines… the acquisition of services that do not have material impact on the financial entities’ risks exposures or on their operational resilience”, a strong argument could be made for excluding most if not all of Level 1 Category “Administrative services” on the basis that they do not have a material impact on risk or operational resilience.
FIA does not believe that the costs will be "negligible" given the application of requirements at the level of the financial entity rather than on a consolidated basis. This is not current practice and will see considerable uplift for financial entities operating in the EU.