Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?
General Comments
State Street Corporation, including its investment management arm, State Street Investment Managers, (collectively, “State Street”) appreciates the opportunity to respond to the European Banking Authority’s (‘EBA’) consultation on its draft Guidelines on the sound management of third-party risk (‘the Guidelines’).
State Street Corporation (NYSE: STT) is one of the world's leading providers of financial services to institutional investors including investment servicing, investment management and investment research and trading. With $49.0 trillion in assets under custody and/or administration and $5.1 trillion in assets under management as of June 30, 2025, State Street operates globally in more than 100 geographic markets and employs approximately 52,000 worldwide. [1]
For global financial institutions such as State Street, the use of third-party providers allows them to access specialized expertise and achieve efficiencies that support high-quality service delivery. However, we also acknowledge that such arrangements introduce risk dimensions that must be managed through robust governance, due diligence, and oversight frameworks. We therefore welcome the EBA’s work in this area and the intended review and update of the existing guidelines. In particular, we welcome the stated objective of aligning the framework for third-party arrangements with the DORA framework. In our view, ensuring that regulatory expectations across ICT and non-ICT arrangements remain consistent is essential. At the same time, we strongly encourage the EBA to ensure that the guidelines build on a proportionate and risk-based regulatory approach, including a clear materiality threshold when considering which third-party arrangements are in scope, to ensure operational feasibility and to avoid unnecessary (administrative) burden, in line with the European Union’s objective of regulatory simplification and burden reduction.
We welcome the opportunity to comment on the EBA’s draft guidelines and have provided below our responses to the questions raised in the consultation. In addition, State Street has contributed to and supports various relevant industry submissions, including those from the Association for Financial Markets in Europe and from national associations such as the German Banking Industry Committee.
Answers to Question n. 1:
State Street welcomes the stated objective of aligning the EBA guidelines with DORA. Based on the draft guidelines, we acknowledge a broad alignment with DORA. However, ICT and non-ICT arrangements will continue to be subject to separate frameworks, which further increases the importance of how these are applied and interpreted in the course of day-to-day supervision. This creates uncertainty in particular where firms manage complex third-party arrangements that involve multiple functions with both ICT and non-ICT elements. Firms will have to make subjective assessments to distinguish what is “predominantly” ICT and justify their classifications. From a risk management perspective, this has no value or benefit, as oversight expectations are aligned and risks are comparable. To avoid these issues, we strongly recommend further clarifying the distinction between ICT and non-ICT services while at the same time ensuring that the wording of the guidelines and their application are aligned as closely as possible with DORA.
Furthermore, the draft guidelines propose extending the scope from outsourcing to all third-party arrangements. While this is consistent with broader regulatory trends in third-party risk management and we understand the rationale for this shift, it further underscores the need for a proportionate and risk-based approach to implementation.
To ensure the guidelines remain operationally feasible, we strongly recommend that the EBA introduce a materiality threshold by clearly stating that only services with the potential to materially affect a financial entity’s risk exposure or operational resilience fall within scope. This would reinforce the principle already outlined in paragraph 32(f), which excludes services without material impact.
We also see further opportunities to strengthen proportionality, particularly in relation to contractual requirements and the register (please refer to our response to Question 3). Given the significant increase in the volume and diversity of arrangements that will be captured under the guidelines, it is essential that expectations remain proportionate and risk-based.
Regarding the definitions used in the draft guidelines, we acknowledge that the EBA has incorporated the DORA wording of a ‘critical or important function’ (CIF). However, paragraphs 33-37 of the draft guidelines retain the criteria for assessing critical or important functions from the previous guidelines. This risks undermining the alignment of the guidelines with DORA by adding criteria, and is expected to result in almost all third-party arrangements being classified as critical or important. Instead, in line with DORA, only those services whose failure would materially impair a financial institution’s performance, continuity, or regulatory compliance should qualify as CIFs. To avoid these unintended consequences, and in line with the wider EU simplification agenda, we urge the EBA to remove these additional criteria from the guidelines and to adhere solely to the CIF definition in DORA.
[1] Assets under management include approximately $116 billion of assets with respect to SPDR® products for which State Street Global Advisors Funds Distributors, LLC (SSGA FD) acts solely as the marketing agent. SSGA FD and State Street Investment Management are affiliated.
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
We welcome the exemptions under paragraph 30 for the ‘mere purchase of a good’ and the further exemptions under paragraph 32 for ‘basic utilities’.
In addition, paragraph 30 states that a financial entity should assess whether the function is provided on a ‘recurrent or ongoing basis’ when determining if the arrangement is in scope of the guidelines. In our view, the EBA should clarify that the application is to be based on a recurrent or ongoing provision of services, to avoid the guidelines’ application to very short-term or sporadic services. This clarification should also be reflected in the definition of ‘third party arrangement’.
More importantly, State Street urges the EBA to amend paragraph 32 of the guidelines by adding ‘regulated financial services’ and ‘ancillary services’ to the list of exemptions, in line with DORA. Such services are provided by highly regulated entities that are subject to stringent requirements. The application of the Guidelines to them would entail significant unnecessary operational burden without any clear benefit. Adding such an exemption is hence key and would also be consistent with the other proposed exemptions under paragraph 32, including for ‘regulated basic utilities, global network infrastructures, clearing and settlement arrangements and correspondent banking services’.
A general exemption for regulated services would undoubtedly be the most effective way of ensuring a uniform and consistent approach across supervisory authorities and would avoid the risk of certain activities being unintentionally captured by the guidelines. We therefore strongly encourage the EBA to exempt all arrangements which are regulated services or are performed by parties themselves within scope of the guidelines, and to ensure this is reflected within the Annex (please also refer to our answer to Question 5).
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
State Street agrees with considering merging the outsourcing register, where possible, with the DORA Register of Information (ROI). However, as previously stated, proportionality needs to be applied with regard to the arrangements that should be included in the register. Otherwise, there is a risk of significantly expanding the scope of arrangements to be captured, which in combination with the significant number of data fields to be maintained would result in substantial unnecessary and unmanageable operational and administrative burden. We recommend including only arrangements with a potentially material impact on a firm’s CIFs. Additionally, there should be an explicit reference within Title III that only subcontracting arrangements which effectively underpin CIFs should be included, reflecting the final position within the DORA delegated act on subcontracting.
Further, to enable a merging of non-ICT arrangements within the DORA register, we recommend the alignment of the information requirements and data fields with the DORA register of information Implementing Technical Standards (‘ITS’). Whilst we acknowledge the flexibility offered by the guidelines in terms of the alignment with the DORA register, we are concerned that this approach will drive complexity and risks divergence. Instead, in line with the broader industry, we favor a single third-party register framework that captures both ICT and non-ICT arrangements. This should be achieved through a single aligned register, with data field requirements adapted to reflect proportionality and risk-based principles.
With regard to business continuity plans, paragraph 58 of the draft guidelines states that BCPs related to third-party arrangements should align with the EBA guidelines on internal governance. We recommend removing this requirement in order to ensure alignment with the requirements and expectations under DORA.
Lastly, the proposed documentation requirements in paragraph 61 foresee that firms retain documentation for terminated contracts for ‘an appropriate period of at least 5 years’. This retention period was removed from DORA during the legislative process. Reintroducing it here therefore does not align with DORA and does not provide any additional benefit.
Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?
The expectations on contractual provisions in the draft guidelines closely align with the requirements in Article 30 of DORA, including in the application of enhanced requirements for arrangements supporting CIFs. However, the draft guidelines retain certain elements from the previous version, and certain provisions only partially reflect DORA’s expectations or language and form.
In our view, consistency between DORA and the guidelines needs to be ensured, unless a provision is very ICT-specific. In this regard, we note that the EBA has omitted the additional data security terms and penetration testing requirements from the previous EBA guidelines, as well as the termination rights for ICT-risk-related scenarios that were in DORA. In addition, in paragraph 109(b), we do not see a reason to retain wording from the previous guidelines for a provision which is conceptually the same as in DORA. We therefore believe that the wording should be amended to reflect the wording on termination rights in Art. 28(7)(c) DORA.
Further, given the broad number of third-party arrangements now in scope, we are concerned that some of the requirements will not work for all types of third-party arrangements. For example, paragraphs 85 (c) as well as (g) and (h) on data processing and storage location, data confidentiality and data access are not relevant for all non-ICT service arrangements especially where there is only an inbound flow of data.
The draft revised guidelines retain the previous definition of subcontracting (previously, ‘sub-outsourcing’), referring to subcontractors providing or supporting CIFs. However, the draft revised guidelines do not adopt DORA’s classification of subcontractors that ‘effectively underpin services supporting CIFs’ as material subcontractors. This risks a broader interpretation of what might be considered a ‘material subcontractor’. As noted in industry advocacy in connection with DORA’s Register ITS and Subcontracting RTS, treating every subcontractor supporting a CIF as equal, regardless of their role, level of importance or potential impact to the provision of the CIF diverges from a risk-based approach. This is unhelpful for supervisory and oversight objectives and diverts risk management resources away from monitoring providers that present the most material risks. In order to properly reflect a risk-based approach to supply chain scope, the revised guidelines should align in terminology and/or conceptually with DORA to support a consistent approach across frameworks.
Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?
Having an annex that sets out a non-exhaustive list of categories of services can provide helpful guidance in implementing the guidelines. However, in order to fulfil that purpose, changes to the annex are required to ensure that there is greater consistency between the categories listed in the annex and the scope of the guidelines as set out in the text.
To provide further clarity on the purpose of the annex, paragraph 63(f) should be repeated within the annex. To ensure that the exemptions referenced in the guidelines are fully reflected in the annex, the following categories should be removed:
- Depositary tasks and administration for UCI: These services are ‘legally required to be performed by a TPSP’ and as a result should fall under the explicit exemption in paragraph 32(a) of the draft guidelines. More importantly, the very specific model of the depositary under the AIFMD and UCITS frameworks is not designed as a standard outsourcing/third-party arrangement. Instead, the depositary is a distinct statutory control body with its own oversight/control duties and an applicable liability regime. To avoid regulatory conflicts and duplication, the guidelines should clarify that sectoral legislation, i.e. AIFMD and UCITS, including applicable national transpositions, takes precedence for the classification and supervision of depositary relationships, and that depositaries are not to be treated as “third-party risk vendors” within the meaning of these Guidelines.
- Asset servicing; clearing, settlement and reconciliation; proxy voting; safekeeping and custodianship; trustee, depositary and fiduciary services: These functions are generally part of the services provided by settlement institutions to their clients, which are deemed out of scope in line with paragraph 32(c).