Response to consultation on draft Guidelines on the sound management of third-party risk


Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear? 

We find the subject matter, scope of application, definitions, and transitional arrangements to be generally appropriate. However, we would like to highlight the following points: 

  • It is our understanding that the EBA guideline aims to create a comprehensive approach to managing third-party risks and to align closely with the Digital Operational Resilience Act (DORA) to create a level playing field, and we note that the definition of “critical or important function (CIF)” itself is aligned. However, the current guidelines are likely to lead to divergence in the functions identified as critical or important. This is because paragraphs 34 to 37 specify circumstances in which a function should be considered a CIF by assessing the role of a third-party service provider (TPSP) providing services relating to the function. In contrast, DORA does not require firms to assess how they use TPSPs when identifying their CIFs. To achieve alignment of the CIF concept between DORA and these guidelines, and a level playing field in the oversight of ICT and non-ICT services, paragraphs 34 to 37 should be amended so that they do not require firms to take into account the role of a TPSP when assessing whether a function is critical or important. The importance or criticality of a function is always rooted in the function for a business and should not be determined by which party is fulfilling the function. 
     
  • EBA is providing a definition of concentration risk in the list of definitions in paragraph 16. This definition appears to focus primarily on sources of significant risk, such as potential impacts to CIFs, the possibility of substantial losses, and threats to the stability of the financial system. However, the mention of “other types of adverse effects” seems to extend coverage to risks with considerably lower impact. We suggest either specifying a positive list of defined risks to be included or clarifying that only significant and severe adverse impacts should fall within scope. We would also encourage EBA to provide further clarity on how concentration risk should be treated, given that proportionality and business models differ between intra-group and external third-party arrangements. 
     
  • Providers of fundamental data (such as security master data), ratings, prices, sector classifications, index or benchmark data, ESG metrics, as well as other forms of structured and unstructured data sets have, in paragraph 28 of the guidelines (in their currently applicable form), been excluded from the scope of application. Historically, BlackRock has not taken the position that such data provider relationships are services that “would otherwise be undertaken by the institution itself” (definition of “Outsourcing” in paragraph 12 of EBA/GL/2019/02) because BlackRock would not (for example) be independently determining ratings on bonds or independently proposing sector classifications for securities issuers. 

    However, the inclusion of the concept of “Third-party arrangements” in the newly proposed guidelines re-introduces this question, as such data provider relationships arguably meet the definition of “an arrangement of any form between a financial entity and a third-party service provider for the provision of one or more functions” (definition of “Third-party arrangement” in paragraph 16 of EBA/CP/2025/12). 

    Just as BlackRock supports operational risk management initiatives such as DORA, BlackRock understands and sees value in the inclusion of data provider relationships within scope of “Third-party arrangements” and the additional rigor introduced by the requirement to evaluate and monitor such relationships subject to the proportionate implementation of the new rules.

    It is important to note that there may not always be a distinct separation between the delivery of pure data in such relationships (e.g. through data feeds or Secure FTP) as opposed to “technology-enabled” data retrieval (such as through API calls) and technology services which have a data component (such as information terminals, or AI-based services). But regardless of the “crossover point” between “pure data” and “technology-based data service” we think it is important to have consistency in regulatory and enforcement standards across regulatory regimes – especially with respect to the DORA regime which has only recently been implemented by firms. 

    However, the goal of achieving such consistency is complicated by the treatment of certain categories of data. EIOPA, for example, clarified in a Q&A (Question ID DORA030 - 2999) that “the definition of ICT services should be understood in a broad manner to the extent that such services encompass digital and data services provided through ICT systems on an ongoing basis”, but further that, in certain circumstances, a “related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA Article 3 (21)”. As a result, certain data types, such as ESG ratings, benchmarks, and exchange data, have been interpreted by market participants to fall outside the scope of DORA.

    If such data types are not addressed by the guidelines, there could be an unsatisfactory outcome in which financial entities have the obligation to ensure certain contractual protections and transparency standards with respect to non-ICT services in accordance with the revised guidelines on outsourcing, and with respect to ICT services under DORA, but not with respect to certain data providers (because they are not covered by the outsourcing guidelines and also qualify for exemptions under DORA).

    The EBA guidelines should address such data provider relationships not encompassed by DORA, while ensuring that the scope of requirements under DORA remains unchanged.

Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?

No response to Q2

Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?

We support the expanded governance framework outlined in the draft guidelines. However, we recommend the following: 

  • Whilst DORA largely applies to asset managers, the current and proposed scope of the EBA guidelines would not apply to fund managers unless they are also Investment Firms. This will create an uneven application of the Guidelines, a gap which would likely be filled by domestic legislation. Consequently, depending upon the Member State, there would be fund management companies in the European Union required to maintain the following:

    • DORA Register of Information (ROI), but no EBA register
    • DORA ROI and a local outsourcing register
    • DORA ROI and an EBA register, which may or may not be maintained along with the DORA register 

    For regulated firms, and from a supervisory perspective, we believe this uneven application will result in supervisory gaps, unequal application of the guidelines, and operational and reporting inefficiencies across both outsourcing lifecycle management and the maintenance of registers. From the perspective of a firm operating in multiple Member States, the European Union should allow regulated firms to opt in to a standardised EBA register which is consistent with the DORA register. This would enable domestic firms to comply in the manner most appropriate to their arrangements and would enable firms operating across Member States to unify their operations and reporting requirements.

  • Paragraph 63(f) should be aligned with the position in Annex I to avoid confusion regarding the classification of functions. Annex I states that financial entities are encouraged to maintain their own classification rather than using the Annex, if more relevant or appropriate. 

Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?

The third-party arrangement process is well-detailed in the draft guidelines. We propose the following enhancement: 

  • A clarification would be welcome on whether the requirements in paragraph 86 apply solely to third party arrangements involving the third party providing a CIF in its entirety or also to third party arrangements that support a CIF in part. 

Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?

The illustrative classification in Annex I includes a number of Level 2 Category services that are generally excluded from the scope of the Draft Guidelines under paragraph 63 (e.g. travel services, secretaries, clerical and post-room services). Could these examples be reviewed to remove the overlap? The overlap suggests that third-party arrangements that are excluded from the Draft Guidelines should nonetheless still be included in the register.

Name of the organization

BlackRock