Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?
Answer 1: No.
The definition of third-party arrangements has not been clarified, despite the declaration in point 17 of section “3. Background and rationale”. What is certainly clear is that outsourcing arrangements are a subset of third-party arrangements. Since outsourcing arrangements (following EBA/GL/2019/2) are agreements concluded with a service provider who performs, on a recurrent or ongoing basis, a function that would otherwise be undertaken by the financial entity itself, it is clear that third-party arrangements are of wider scope. What is unclear is the direction in which the definition has been widened. In particular, the difference between the previous scope and the new one should be clearly stated.
The only probable direction in which the wider definition of third-party arrangements may aim is to bring one-off contracts into the new regime. Other directions are pointless, since, based on the white list presented in paragraph 32 on page 27, functions that are usually not performed by financial institutions are exempted from the new regime. Hence functions on the white list cannot be considered “third-party arrangements”. There is one more possible explanation: this is a carbon copy of a provision from DORA, which says that outsourcing arrangements are a subset of arrangements with ICT third-party service providers. That is indeed true, but only in that direction, since, based on the white list included in the EBA outsourcing guidelines (EBA/GL/2019/2), some functions are exempt from the outsourcing regime, whereas under the DORA regime these non-outsourcing arrangements are considered arrangements with ICT service providers. See also the extensive explanations provided by the UK’s FCA (Supervisory Statement SS2/21, Outsourcing and third party risk management, November 2024).
The difference between “providing” and “supporting” a function should also be explained more explicitly, next to the definition of “third-party service provider”. As an example, the EBA could use the EIOPA answer to question 2750 - DORA006[1]. On many occasions third-party service providers do not provide a function as a whole; in most cases they only support some part of the process. It should be clearly stated that even though a function is critical or important for the financial entity, the level of support may be non-material, and hence, although the function itself is classified as critical, the third party may be monitored under a less stringent regime.
[1] https://www.eiopa.europa.eu/qa-regulation/questions-and-answers-database/2750-dora006_en
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
Answer 2: Yes.
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
Answer 3: Yes.
Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?
Answer 4: No.
There are probably some mistakes in the text; the EBA should in particular consider the following:
Section 13 – monitoring should include periodic due diligence of the third party.
Paragraph 109 – a letter (f) is missing: “the reviewed risk assessment reveals that the risk of delegating the function to a third party exceeds the risk appetite”.
Paragraph 97 – these so-called “audits” under the current regime are not necessarily conducted by internal audit (third line of defence, III LOD). Currently, in large institutions, such audits are performed by the business and compliance functions (including data protection officers). The EBA should refrain from designating the internal audit function as responsible for these “audits”.
Paragraph 86, letter f – “exit strategy” should be renamed “exit plan”. Justification: paragraph 86 defines the elements that should be included in the agreement. The exit strategy has, since 2006 (CEBS outsourcing guidelines), been a more strategic document which forms part of the outsourcing policy. Since paragraph 86 concerns elements of the agreement, it should refer to the exit plan, which is specific to the individual agreement.
Paragraph 86, letter e, point (i) should refer to section 12.2 (access, information and audit rights) and not to section 12.1 (subcontracting of critical or important functions).