Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
The Global Legal Entity Identifier Foundation (GLEIF) welcomes the opportunity to provide feedback to the European Banking Authority’s (EBA) draft guidelines on sound third-party risk management under DORA.
GLEIF particularly welcomes the requirement for financial firms to collect the ISO 17442 Legal Entity Identifier of their third-party service providers (TPSPS) – including subcontractors performing critical or important functions – when establishing their dedicated register of third-party arrangements.
Leveraging the right digital tools is key for establishing robust risk management protocols. From an entity identification standpoint, the LEI can strengthen this framework by providing a seamless and effective means of verifying a TPSPs identity without creating additional administrative burdens for either party.
The growing digitalisation of the economy raises new challenges from an identification perspective. The verifiable LEI (vLEI) – which serves as a cryptographic evolution of the LEI – offers a decentralised means of authenticating both an entity’s identity and the credentials of its authorised representatives. This is particularly relevant in the context of the information disclosure requirements set out in Title III, notably those concerning the identification of individuals acting in a professional capacity for TPSPs.
To ensure that financial firms can truly benefit from the global LEI framework, GLEIF suggests the following clarifications to promote the most efficient use of the standard:
- LEI data quality and renewal: The LEI of each TPSP should comply with the Regulatory Oversight Committee (ROC) policy, meaning that the TPSP should regularly renew its LEI and ensure the reference data is kept up to date to reflect any changes in circumstances. That means at least once a year, even if no changes occur.
- Avoidance of redundant data reporting: To simplify the reporting process, GLEIF recommends removing the requirement for TPSPs that provide their LEI to also provide overlapping data points, such as legal name and registered address. This would eliminate the need for duplicate reporting of the same information.
- Use of the verifiable LEI (vLEI): Individuals representing TPSPs should be able to use their vLEI as part of the information disclosure process, ensuring greater trust and efficiency through verifiable digital credentials.
GLEIF remains at the EBA’s disposal to discuss and support its work. Please do not hesitate to engage us in discussions and questions related to the LEI and/or the vLEI in current and future consultations.