Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?
Generally yes. But we noticed some clarity issues with the definition of "third-party arrangement" in p. 16. The EBA guidelines define the term "third-party arrangement" as an arrangement of any form between a financial entity and a third-party service provider, including intragroup third-party service providers, for the provision of one or more functions to the financial entity. This includes outsourcing arrangements as a subset. The EBA guidelines themselves also use the term "TPSP supporting a function", while DORA uses the term "TPSP providing services supporting critical functions". It is unclear whether a third-party arrangement also covers the support of FI functions or only the provision of those functions. Some clarity is needed, and alignment with DORA on this matter is highly suggested. Also, the same principles as in DORA should apply - namely, a TPSP's support of a financial institution's critical functions should be substantial, not just slightly related to the underlying critical functions. If it is only mildly related to the underlying function, it should not qualify as supporting the critical function.
Also, we understand that "outsourcing" is now a sub-category of "third-party arrangement", the reason being that the term "outsourcing" is already described in several related EU regulations and directives. Does this mean we are still expected to assess which of our third-party arrangements also fall under the old "outsourcing" definition, including for AML purposes? Perhaps it would be easier to redefine the term "outsourcing" using the definition of "third-party arrangements" in the guidelines, covering DORA third-party arrangements as well. Currently only MiFID 2 and Solvency 2 include a definition of "outsourcing" in addition to the EBA guidelines on outsourcing. The others (e.g. PSD2, EMD2, UCITS, AIFMD, AMLD) merely use the word "outsourcing" or "delegation" without actually defining it. Also note that the original term "outsourcing" also included ICT services, so it makes more sense to simply redefine the word "outsourcing" by replacing it with third-party arrangements under the EBA guidelines and DORA - this way both parts are properly covered.
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
In general, Yes. But we do have some comments.
- Some examples used in the guidelines relate to ICT services and do not make much sense in the context of the new guidelines: e.g. p. 32-b, functions excluded from the scope: global network infrastructures (e.g. Visa, Mastercard); p. 32-d, SWIFT; p. 32-e, correspondent banking services, etc. Better examples in the context of non-ICT services should be added, especially for the exemptions list in p. 32.
- (p. 37-b(v) of the Guidelines) When assessing the criticality of functions, it is also required to take into account the impact a disrupted service might have on all our relevant risks, e.g. ESG risks. We recommend not extending the scope to ESG risks when determining the criticality of functions. ESG risk is relevant to assess overall, but it should not determine whether any of the underlying functions are critical or not.
- EBA guidelines p. 37 lists factors which must be taken into account when assessing whether any of our functions are considered critical. However, those factors are tied to TPSPs (e.g. whether the arrangement with TPSPs is directly connected to the provision of banking and investment services; the potential impact of any disruption to the function provided by TPSPs or of a failure of TPSPs to provide the service at the agreed service levels). The criticality factors of our functions should be more objective and not presented in the context of the TPSPs providing those functions.
- There should be more clarity on the expectations for service providers providing both ICT and non-ICT services, particularly where companies have different processes for ICT and non-ICT service providers, given that the EBA guidelines and the DORA third-party requirements do not align 100%.
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
In general, yes. But we do have some comments.
- Point 63 (g) and point 64 (c) - do we understand correctly that, unlike DORA, the EBA guidelines do not treat LEI and EUID as the only mandatory identification options for legal entities, critical subcontractors and ultimate parents, and that we can also use other identifiers (e.g. corporate registration number) for those who have neither an LEI nor an EUID? If not, and the LEI or EUID must be included for legal entities, we highly recommend changing that approach, since it is already very problematic under DORA, especially regarding subcontractors and suppliers' ultimate parents who have neither LEI codes nor EUID (being located outside the EU). Expanding that problem only makes things worse for financial institutions.
- Point 63: More detailed EBA guidance is needed on the option of merging the DORA register and the non-ICT TPSP register, e.g. whether such a register can be reported as part of the DORA register without removing the non-ICT TPSP part from the register, and an example of a combined template.
- Point 67: The EBA guidelines require notifying the authorities when critical non-ICT TPSPs are onboarded or when they become critical, together with detailed, extensive information. DORA (Article 28(3)) does not require such extensive information when notifying about critical ICT service providers. We recommend following the same approach as DORA and limiting the information to the same extent, especially if a combined DORA and non-ICT TPSP register is used by a financial institution - this way the authorities get the full information either way when the combined register is reported. The wording in DORA: "Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important."
Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?
In general, yes. But we do have some comments.
- Title IV, para. 11, 11.2, 11.3: There is a detailed risk assessment requirement for non-ICT service providers who do not provide or support critical functions. This is similar to the current requirement for non-critical outsourcing service providers. However, DORA contains no detailed risk assessment requirement for non-critical ICT service providers. If we want to align these processes between non-ICT and ICT service providers, which we should, we highly recommend following the DORA path and removing the detailed risk assessment requirements for non-ICT service providers who are not providing or supporting a critical or important function. That way there will be more flexibility and more room for a risk-based approach regarding non-critical non-ICT service providers, better alignment with DORA, and the detailed focus will be in the right place - critical suppliers.
Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?
In general, yes. But we do have some comments.
- Do we understand correctly that IT and ICT related functions have been excluded because these guidelines do not cover ICT service providers? However, there can be non-ICT service providers who also support ICT related functions, and such an example would be useful in the DORA context as well - although we understand that the purpose of the EBA guidelines is not to cover DORA, a unified approach is beneficial for both the EBA guidelines and the DORA context.