Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?
1.1 Subject matter
The subject matter must clearly stipulate that the Guideline also extends to the new forms of cooperation between financial institutions (FIs) and FinTech entities (as is the case in the USA, for instance). Otherwise, with regard to third-party collaborations, the Guideline primarily governs outsourcing (in a broad sense) and DORA governs ICT services, while the emerging forms of FI-FinTech cooperation remain outside the focus of both the recommendations and the regulatory requirements. If that is the intention, it should be clearly stated that the Guideline does not cover such cooperation (or the extent to which it does). The current diplomatic approach of merely implying a broad interpretation of third-party risk will only provoke a predictable market reaction that exploits this legal uncertainty. That said, it would be highly beneficial for the market if dedicated guidance on third-party collaboration between financial institutions and FinTech firms were issued. Compliance should not be subject to pricing.
At first glance, one might assume that, when cooperating with a FinTech entity, only IT or other services are involved and that no regulatory questions should arise. However, in practice, cooperation between licensed financial institutions and FinTech entities often goes beyond the mere provision of services within such a framework. Specifically, a licensed financial institution and a FinTech company may work together toward a common goal for their mutual benefit. In other words, in practice, “cooperation” frequently involves collaboration between entities without one strictly providing a service or function to the other, but rather aligning their efforts.
Moreover, the widely used Banking-as-a-Service (BaaS) model demonstrates that a financial institution may open its APIs to a third party, which in turn effectively offers that FI’s financial services through its own websites and applications.
In such a model, the parties work together and pool their efforts to achieve a common objective in developing their cooperation; however, whether their interaction falls neatly within the framework of a “service” or “function” being provided depends on how it is structured. Technically, the financial institution’s ability to fulfil even certain regulatory functions may depend on the FinTech entity (for instance, where the FinTech entity operates as the front-office interface for customers through its own website or application).
Such models of cooperation should be considered holistically and comprehensively, and the Guideline should expressly establish that its scope encompasses these new forms of FI-FinTech cooperation.
1.2 Definitions
The definitions section does not include a definition of operational risk, which constitutes the core risk in cooperation with third parties, and the term is used inconsistently throughout the text.
The primary objective of the Guideline is to mitigate or eliminate risks arising from reliance on third parties and to strengthen operational resilience. The definition of “third-party risk” is broad and does not provide a clear understanding of the specific risks that arise in the context of cooperation with third parties. At the same time, the definition of “operational risk”, one of the key risks associated with third-party cooperation, is absent from the terminology section.
Since, according to paragraph 15 of the Guideline, “unless otherwise specified, the terms used and defined, in particular, in Regulation (EU) No 575/2013, shall apply,” it follows that the Guidelines appear to employ the notion of operational risk as defined in the Regulation.
Regulation (EU) No 575/2013 defines “operational risk” as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including, but not limited to, legal risk, model risk or information and communication technology (ICT) risk, but excluding strategic and reputational risk.”
However, ICT risk falls outside the scope of the Guideline, whereas legal risk is referred to inconsistently throughout the text of the Guideline, sometimes as an independent risk and at other times as a component of operational risk (see paragraphs 37, 73, 78 and 127).
Accordingly, the terminology section of the Guideline should include a definition of operational risk, either as a standalone term or as an integral component of third-party risk.
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
With regard to paragraph 30, a question arises as to whether it should be understood that services which are not provided at least on a recurrent or ongoing basis fall outside the scope of the Guideline. If, however, this criterion is not exclusionary, in what circumstances would services that are not provided at least on a recurrent or ongoing basis nevertheless fall within the scope of the Guideline?
In addition, and further to the comments above concerning the extension of the Guideline to cooperation between financial entities and FinTech firms, paragraph 30 is difficult to apply in practice, in particular when determining whether an arrangement between a financial entity and a FinTech firm falls within the definition of a “third-party arrangement” provided in these Guidelines.
With regard to paragraph 31, when assessing cooperation between financial entities and FinTech firms, it is necessary to consider not only the provision of services or performance of functions but also the manner of interaction and the extent to which the financial entity’s ability to comply with regulatory requirements depends on the FinTech firm.
With regard to paragraph 32, a question arises as to whether it should be understood that the provision of legal opinions and legal representation before courts and administrative bodies is always excluded from the scope of the Guideline, even where such services create a dependency risk or have a material impact.
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
In cooperation between financial entities and FinTech firms, the ability of the financial entity to comply with regulatory requirements often depends on the FinTech firm, the manner in which the cooperation is organised, and the allocation of functions, rights and obligations.
As a result, the fulfilment of regulatory requirements by the financial entity may become subject to pricing considerations. In this regard, Section 3 should provide that financial entities must ensure, and include in their contractual arrangements with FinTech firms, clauses under which the FinTech firm undertakes to ensure the fulfilment of the financial entity’s regulatory obligations where relevant.
In particular, paragraph 42 directly requires that regulatory functions be performed and that the financial entity bears full responsibility for their fulfilment. An explicit obligation on the FinTech firm to support the financial entity in meeting such requirements would be an important safeguard, especially where the financial entity’s compliance depends on the FinTech firm. In this context, although the Guideline formally applies to financial entities, its indirect application to non-financial entities is already embedded in its logic: for example, paragraphs 55, 85 and 99 effectively impose obligations on third parties.
Accordingly, it would be useful to complement paragraph 47 with a provision to the effect that:
“Financial entities should also identify risk areas that may affect the ability of the parties to meet regulatory requirements and ensure a contractual obligation on the third-party provider to undertake all reasonable measures within its control to ensure that the financial entity has sufficient information necessary for regulatory compliance purposes.”