Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?
It needs to be clarified whether third-party providers whose services are not directly related to the institution's own licensing obligations (means functions of the financial entity) will be covered by these EBA guidelines in the future. In particular, it should be clarified how companies that are regulated and supervised by supervisory authorities themselves are also to be classified as TPSPs under this guideline if they provide services to the financial services institution that the financial services institution itself cannot or is not allowed to provide due to its license, but these companies are important for the financial entity's internal processes chain.
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
4. 37. of "at least the following factors": Clarification is requested on whether the factors listed in paragraph 37, specifically points (a) and (b), should be considered conjunctively (i.e., "a AND b") or disjunctively (i.e., "a OR b") when determining if a function is critical or important. The phrasing "at least the following factors" could imply that all listed factors must be met, or that meeting any one of them is sufficient, in addition to the general criteria in paragraph 33. A clear statement on whether these factors are cumulative or alternative would prevent inconsistent interpretations by financial entities.
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
10. 61. Will the Outsourcing register therefore be abolished in the future?
10. 63. d) whether or not the TPSP or subcontractor is part of the group or a member of the institutional protection scheme or is owned by financial entities within the group or is owned by members of an institutional protection scheme; Subcontractors are not currently included in the mandatory disclosures for non-essential/non-critical agreements, but are mentioned here. Does this mean that all non-critical parties must now also fulfill the subcontractor obligations?
Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?
12.1 Sub-contractor Clarity: Regarding subcontracting, the overall framework is generally acceptable. Clarification is requested regarding the extent to which financial entities are responsible for the due diligence, monitoring, and audit rights over entities further down the supply chain beyond direct subcontractors. We anticipate practical challenges in implementing the requirement for financial entities to conduct direct checks at the sub-outsourcer level. Further clarity or alternative mechanisms on how financial entities can effectively oversee and verify compliance by sub-outsourcers would be greatly appreciated.
12. 2 No. 97 and 100: Does this mean that access/audit rights must also be contractually agreed upon at non-critical levels?
Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?
The scope is unclear because the following statements lead to different assumptions. Page 61 Annex 1 List of functions: e.g. Clearing, settlement & reconciliation: Page 27; 3; 32. c) As a general principle, the following functions are excluded from the scope of these Guidelines: clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members.