Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?
The provisions in Title I are generally clear. Nevertheless, certain elements merit further clarification to ensure proportional application and to avoid unnecessary administrative burden, especially in the light of the European Commission's stated goal of simplifying the legal framework and burden reduction:
Subject matter: According to the consultation text, the Guidelines are intended to apply to credit institutions, investment firms that do not meet all the conditions to qualify as small and non-interconnected under Article 12(1) of Regulation (EU) 2019/2033 (IFR), payment institutions, electronic money institutions, issuers of asset-referenced tokens (ARTs), and creditors as defined in point (2) of Article 4 of Directive 2014/17/EU (MCD). At the same time, comparable rules governing ICT services have already been established through binding legislative acts at Level 1 (the Digital Operational Resilience Act, DORA) and Level 2 measures, thereby ensuring a harmonised and directly applicable framework across the Union. In contrast, the draft Guidelines now propose to introduce similar obligations for non-ICT services through Level 3 instruments, which are not underpinned by corresponding primary or secondary legislation. The Guidelines themselves make reference only to the general risk-management provisions contained in existing EU financial sector legislation. This regulatory layering raises fundamental questions regarding the consistency of the proposed approach with the principles of legal certainty and proportionality that underpin the EU legislative process. Whereas DORA establishes a comprehensive regime for the management of third-party risk that applies to all financial entities, the draft Guidelines would impose requirements on only a limited subset of financial market participants, even though third-party risk is a concern common to all entities within the financial sector. The introduction of non-ICT requirements via non-binding Level 3 instruments, without a parallel legislative mandate, may therefore result in divergent supervisory expectations and an uneven regulatory playing field across jurisdictions and market participants. 
Furthermore, it must be observed that ESMA recently released its Principles for third-party risk supervision, which also focus on investment firms; questions therefore arise regarding the distinction between the Guidelines and that principles paper.
Scope of “third-party arrangements”: The current wording may be read to capture all external service providers, including services without material risk relevance. Institutions could be compelled to perform risk assessments and maintain registers for contracts that pose no prudential concern. It is recommended to specify that the term should only relate to contractual arrangements involving banking or ancillary services that are capable of affecting the institution’s sound and prudent management and that pose a material risk, while excluding external services of a purely non-financial nature or with only a low risk. A clarification of the wording in this section would also be in line with para 32 (f) of the Draft Guidelines, according to which “the acquisition of services that do not have material impact on the financial entities’ risks exposures or on their operational resilience” is excluded from the scope of the Guidelines.
It should also be clarified that industry associations that provide their members with information on topics such as compliance-related developments do not fall within the scope of the guidelines, as this would otherwise place a disproportionate burden on institutions and associations and prevent effective representation of interests.
Transitional arrangements: The implementation periods currently envisaged for existing contracts may be insufficient, particularly for institutions maintaining extensive and complex third-party portfolios. In such cases, the compressed timeline could necessitate substantial renegotiation efforts and operational adjustments, potentially diverting resources from core risk management activities. Extending the transitional period to a range of three or four years would allow institutions to implement the new requirements in a phased and orderly manner, thereby minimizing administrative burden and operational disruption. A proportionate extension would facilitate thorough assessment and adjustment of contractual arrangements with third parties, ensuring continuity in the management of third-party risks. We therefore consider that such a timeframe would support effective compliance while preserving the overarching regulatory objectives of financial stability, sound risk management, and resilience in the financial sector.
Sub-contracting: The phrase “any form of sub-contracting” is overly open and may lead to divergent interpretations. The Guidelines should clarify that sub-contracting within scope refers to the contracted critical or important function for which a corresponding outsourcing agreement is in place, and distinguish this from other external procurement or ancillary services.
We request clarification regarding the regulatory treatment of outsourcing arrangements related to anti-money laundering (AML) in light of the forthcoming repeal of the EBA Guidelines on Outsourcing and their replacement by the new Guidelines on Third-Party Risk. The Consultation Paper indicates that AML-related arrangements will fall outside the scope of the new Guidelines and will instead be governed by Article 18 of the AMLR, which will apply as of 10 July 2027. At the same time, the EBA Guidelines on the role of the AML/CFT Compliance Officer continue to make reference to the existing Outsourcing Guidelines. In this context, we request precise clarification on how AML-related outsourcing arrangements should be treated once the new Guidelines take effect and until Article 18 of the AMLR becomes applicable.
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
In general, Title II is clear in its content and, in principle, appropriate for the purpose of these Guidelines. However, certain elements may give rise to disproportionate operational burden, in particular for large and cross-border groups:
- Dual levels of application
The requirement to implement these Guidelines at the level of individual institutions, sub-consolidated entities, and at full group consolidation may result in extensive duplication of documentation and internal coordination processes. Supervisory authorities should take account of these considerations when assessing proportionality in the application of the Guidelines.
- Scope of application
The definition of third parties is broad and may encompass all external service providers, not only those engaged in critical or important functions. This broad scope significantly increases the monitoring and reporting obligations imposed on institutions, without necessarily providing additional benefits in terms of risk mitigation.
- Cross-border inconsistencies
For institutions with cross-border operations, differing national supervisory practices may lead to conflicting implementation and reporting requirements. Given that these Guidelines are non-binding and rely on the discretion of national competent authorities (NCAs) for interpretation, institutions may encounter challenges in ensuring consistent application across jurisdictions.
- Proportionality assessment and documentation
The obligation to document a reasoned proportionality analysis for each entity may create a significant administrative burden, particularly for arrangements that are non-critical. Supervisory authorities should consider proportionality and materiality when assessing the extent and depth of documentation required.
Furthermore, these concrete proposals should be taken into account:
- General classification of third-party arrangements within the sound management of third-party risks (Section 3, para. 30)
The current wording may create practical difficulties for institutions in determining whether a particular arrangement qualifies as a third-party arrangement under these Guidelines. Supervisory authorities should recognise that proper contract management, in line with established internal governance principles, may be sufficient for non-critical arrangements.
- Maintaining the list of functions to be excluded from the scope of the Guidelines (Section 3, para. 32)
We recognise that the existence of a clearly defined catalogue of exemptions constitutes a cornerstone of a predictable and proportionate regulatory framework. In order to reinforce legal certainty for all stakeholders and to alleviate unnecessary administrative burdens, it is essential that this list of exemptions remains open to comprehensive reassessment even after the public consultation, as regulatory perspectives can change over time. Accordingly, we propose that the exemption list be examined on a regular basis, with a view to identifying obsolete provisions, clarifying ambiguous entries, and incorporating any newly emerging categories that warrant special treatment. Such a periodic revision shall be carried out in close consultation with industry representatives and other relevant interest groups.
- More detailed list of functions to be excluded from the scope of the Guidelines (Section 3, para. 32 lit. f)
In lit. f, the list contains an exemption for “the acquisition of services that do not have material impact on the financial entities’ risks exposures or on their operational resilience (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the institution’s or payment institution’s premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators)”. The exemptions listed under lit. f constitute a crucial instrument for reducing administrative effort, especially for financial intermediaries such as banks and other regulated institutions. By clearly delineating which matters fall outside the scope of the guidelines, the list enhances legal certainty and mitigates the regulatory burden for the entities concerned. Certain items in the exemption list are currently expressed in a generic manner that may lead to divergent interpretations across Member States. We therefore recommend that the ESAs enrich the description of these points with concrete sub-criteria, illustrative examples and, where appropriate, quantitative thresholds. This will foster uniform application and prevent inconsistent national implementations.
- Reducing overlaps of the list of functions to be excluded from the scope of the Guidelines (Section 3, para. 32 lit. f) with the “non-exhaustive” list in annex I
Furthermore, it has been observed that the “non-exhaustive” list in annex I of topics that remain covered by the guidelines contains entries that overlap with the exemption list. Under the following heading, several services are listed: “Administrative services: Advertising & Marketing; Document Management & Archiving; Insurance Services; Payroll Services; Pensions & benefits; Postal services & Mailing; Procurement & purchasing of services; Secretarial Services; Talent acquisition & hiring; Travel & Entertainment Services; Other.” Notably, Travel Services and Secretarial Services appear both as activities subject to the guidelines and as exempted from them. This dual classification creates legal ambiguity and may result in contradictory compliance obligations.
- Reducing overlaps concerning payments in view of the list of functions to be excluded from the scope of the Guidelines (Section 3, para. 32 lit. f) and Annex III of the ITS on DORA information registers
We would like to draw attention to certain services that have been declared ICT services by being mentioned in Annex III of the ITS on DORA information registers, which states that the ICT service S07, summarised as “ICT, facilities and hosting services (excluding Cloud services)”, shall also cover “payment-processing activities, or operating payment infrastructures”. In this regard too, it can be observed that the “non-exhaustive” list in annex I of topics that remain covered by the guidelines contains entries that overlap with the above-mentioned entry regarding ICT services, as the list in annex I also contains many payment services.
- Introduction of a holistic approach to ICT, non-ICT, and financial services in the third-party risk framework and prohibiting overlaps in the list of functions to be excluded from the scope of the Guidelines (Section 3, para. 32 lit. f) and the “non-exhaustive” list in annex I
In general, the ESAs should clearly set out their rationale for the treatment of ICT, non-ICT, and financial services in their third-party risk framework. We propose to distinguish between these three groups of services within the framework, such that ICT services are regulated under DORA, non-ICT services become regulated under the presented Guidelines, and all services that financial institutions provide to other financial institutions are exempted from both, in the light of the European Commission’s answer to the DORA FAQ 2999 - DORA030. As is well known, the FAQ states that financial services may include an ICT component. Thus, when financial entities provide ICT services to other financial entities in connection with their financial services, the receiving financial entities should consider whether (i) the services constitute an ICT service within the meaning of DORA and (ii) the providing financial entities and the financial services they provide are subject to Union law or the national law of a Member State or a third country. If both tests are passed, the ICT service in question should be considered a financial service for the most part and should not be treated as an ICT service within the meaning of Article 3(21) of the DORA. However, if the service in question is provided by a regulated financial entity that provides regulated financial services but is unrelated to or independent of those regulated financial services, the service should be considered an ICT service within the meaning of Art. 3 para. 21 DORA. The same should apply to ancillary services. The same view should be applied to non-ICT services, and we therefore propose to amend the “non-exhaustive” list in annex I of the Guidelines, as this list widely refers to (licensed) financial services (payments, deposits, lending, etc.).
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
Sections 5–10 (Title III) are, in principle, clear and structured in a manner that reflects the life cycle of third-party contracts. The obligations set out therein are not novel, as they largely derive from the former EBA Guidelines on Outsourcing, especially regarding CIF functions; nevertheless, it is unfortunate that the prerequisites for CIF functions under the Guidelines are not fully aligned with the requirements set out in DORA and its technical standards.
The extension of regulatory obligations to all TPSAs listed, save for those expressly exempted, appears disproportionate. Financial institutions already integrate comprehensive risk assessments into their acquisition, commissioning and organisational processes. The introduction of additional requirements beyond these established frameworks—except where directly linked to regulatory-driven outsourcing—does not, per se, yield enhanced security for either customers or institutions, as the necessary controls are already in place. Broadening the scope to encompass all TPSAs is also likely to generate incremental risks without delivering corresponding security benefits. Robust internal governance and risk management mechanisms are already operational. Consequently, regulatory focus should remain confined to outsourcing arrangements that materially affect core banking activities.
Equally important is the establishment of clear and unambiguous definitions to enable institutions to distinguish between genuine outsourcing and other forms of external procurement.
We request clarification regarding the interpretation of marginal number 61 of Section 10 on Documentation Requirements in the draft Guidelines, namely confirmation that the requirement to retain the documentation relating to agreements concluded with third parties and the corresponding supporting documentation for a period of five years is not to be understood as applying retroactively to agreements already in place prior to the entry into force of the new Guidelines.
Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?
Title IV is appropriate in principle and clear in content, although, on the one hand, slightly different provisions in comparison to DORA will make it more complicated for institutions to create an overall approach to their contract management, and on the other hand, some aspects of the requirements from the Guidelines appear to be burdensome or potentially disproportionate:
Regarding Section 11.2 (marginal numbers 73-78), financial institutions have established processes within their risk management frameworks to record and assess organisational or operational changes. It is accepted practice, and considered best practice, that regulatory outsourcing undergoes an additional risk assessment, as this process supports both contract drafting and the determination of criticality. Extending such requirements to other forms of external procurement, however, would be disproportionate, given that existing risk management processes already apply in these contexts.
With respect to marginal number 76 lit. b, aggregation risk is recognised in the context of outsourcing contracts. The explanations provided by the competent supervisory authority, however, are currently insufficient and lack clarity. Accordingly, an unambiguous definition and clear guidance on the types of contracts to be included in the aggregation risk assessment are considered necessary.
Regarding the contractual phase (sec. 12), should the intention of marginal numbers 85 and 86 be to extend contractual requirements to non-banking service contracts, i.e. other external services, this would be considered disproportionate with regard to audit rights and cooperation obligations for both institutions and competent supervisory authorities, where such arrangements do not constitute regulatory outsourcing. This would also encompass other external procurement potentially classified as critical or important. In this context, the rationale for audits of entities not participating in the financial market is equally questionable, as are the associated cost implications for institutions and service providers. This issue is particularly pronounced in cases such as marketing service providers, which typically lack the relevant reports and organisational structures. Similar challenges have already been observed with ICT service providers unable to meet the stipulated requirements.
Furthermore, regarding marginal number 86 lit. f, from the perspective of internationally active banks and financial entities, setting up exit plans for intra-group contracts, especially between a parent company and its subsidiary, remains largely a regulatory exercise; such plans are only realistically enforceable where serious legal or regulatory reasons (e.g. sanctions, licence revocation) arise.
In view of subcontracting of critical or important functions (Section 12.1), the terminology of the provision should be clarified and its scope restricted to third-party sub-contractors with whom a bona fide written contractual relationship exists, directly related to the outsourced service and specifically determined and negotiated for the respective financial institution.
Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?
Please refer to our answers to Question n. 2 with regards to the reduction of overlaps of the list of functions to be excluded from the scope of the Guidelines. Besides this, we request clarification regarding the interaction between the list of functions set out in Annex I of the draft Guidelines and the Digital Operational Resilience Act (DORA). Most of the examples of functions listed in Annex I are typically provided through ICT services. This raises questions about the continued relevance of this list where such services fall within the scope of DORA rather than the present Guidelines.
Besides, we have significant concerns regarding the inclusion of “depositary tasks” in Annex I, as depositaries under AIFMD/UCITS are statutory control bodies whose duties – safekeeping, cash-flow monitoring and oversight of investment limits – are not to be understood under supervisory law as “services for the management company,” but as a legally established, non-substitutable control mechanism.
To avoid regulatory inconsistencies and duplication, the Guidelines should therefore clarify that depositaries are not to be considered “third-party risk vendors” within the meaning of the Guidelines, and Annex I should be amended or supplemented accordingly. Furthermore, the final category, “Other,” should be removed, as it introduces unnecessary scope for interpretative ambiguity. Nevertheless, within the limits of its risk appetite, an institution should retain the discretion to classify circumstances not explicitly included in this exhaustive list as regulatory outsourcing or critical/important contracts.