Response to consultation on draft Guidelines on the sound management of third-party risk


Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear? 

Several entities within Deutsche Börse Group (“DBG”) are covered by the EBA's draft guidelines on the sound management of third-party risk (“Guidelines”). Accordingly, DBG is submitting a consolidated group statement in response to this consultation and appreciates the opportunity to provide feedback.

Generally, we welcome the overall goal of the Guidelines to further align the outsourcing framework for financial sector entities with the requirements on the management of ICT third-party risk under Regulation (EU) 2022/2554 (“DORA”).

In the area of third-party risk management, the newly introduced distinction between the provision of “ICT services” and “non-ICT related services” to financial entities can lead to clearer categories and will prevent double regulation, in which the same service would be governed both by the outsourcing framework and by DORA.

However, the current draft would result in a significant increase in the regulatory burden on impacted entities, based on an increase in the scope of services subject to regulatory requirements, without resulting in a meaningful increase in resilience. To ensure proportionality, certain targeted exemptions are required, especially for regulated financial services provided by one financial entity to another and for non-business-specific services that do not increase the overall risk profile of a financial entity. Our respective proposals are outlined in the following.

In principle, the Guidelines cover the use of all third-party service providers (“TPSPs”) providing or supporting functions that do not qualify as ICT services under DORA. Functions are defined as a process, service or activity, or part thereof. Consequently, almost all third-party arrangements (“TPAs”), defined as an arrangement of any form between a financial entity and a TPSP (including intragroup third-party service providers), are in scope of the Guidelines. Exemptions are listed in paragraph 32 of the Guidelines.

Financial entities should be able to apply the principle of proportionality when complying with the Guidelines. In particular, financial entities should be permitted to take into account the complexity of the functions provided by TPSPs, the risks arising from the TPA, the criticality or importance of the function provided by TPSPs and the potential impact of such TPA on the continuity of their activities.

Against this background, we take the view that the list of functions excluded from the scope of the Guidelines pursuant to paragraph 32 thereof is too narrow, while the list of functions potentially in scope according to Annex I thereof is considerably too broad. If adopted as proposed, the Guidelines would not only cover material non-ICT services but also extend to the procurement of other third-party services which regularly do not have a material impact on financial entities’ risk exposures or their operational resilience (such as “Advertising & Marketing”, “Document Management & Archiving”, “Postal services & Mailing”, “Talent acquisition & hiring”, “Marketing” as well as advisory services).

Consequently, the Guidelines substantially broaden the range of services subject to regulatory requirements, increasing the compliance burden on financial entities while offering limited incremental benefit, given the minimal risk associated with these service providers. This approach contrasts sharply with the European Commission’s simplification and burden reduction agenda, which aims to streamline processes and reduce administrative burdens by 25% for all businesses, with the goal of enhancing the competitiveness of European enterprises.

Therefore, we suggest amending paragraph 32 letter a. of the Guidelines to include not only functions that are legally required to be performed by a TPSP but also functions that are typically performed by a TPSP for financial entities and that, due to actual circumstances or legal requirements, are regularly not carried out by financial entities themselves. In addition to the services already addressed in paragraph 32, this includes in particular the use of central bank functions, liquidity lines, and publicly accessible (also fee-based) data from market information providers (e.g., rating agencies, where the data is not targeted at or processed for the financial entity).

Based on these considerations, we propose a non-exhaustive list of services (included in a supplementary document attached to our response) that should not be referenced in the EBA Annex containing examples of services within the scope of the Guidelines. This non-exhaustive list reflects our view that certain non-ICT services that are typically performed by TPSPs fall outside the intended scope of the Guidelines. 

In addition, we propose to clarify that the provision of isolated software licenses to a financial entity is not in the scope of the Guidelines. In their FAQ on the management of ICT third-party risk, BaFin clarified that the provision of isolated software licenses usually constitutes rights of use which do not qualify as an ICT service within Article 3 (21) DORA. We believe that the inclusion of isolated software licenses as non-ICT services in the scope of the Guidelines would likewise not be appropriate since they are more akin to a simple procurement of goods.

Furthermore, in parallel to the approach by the European Commission when clarifying the scope of the term ICT services within the meaning of DORA, we urge EBA to clarify that regulated financial services, including ancillary services, provided by licensed financial entities to other financial entities are not in scope of the Guidelines. Regulated financial services are already subject to comprehensive regulatory requirements which require the financial entity providing them to ensure a high level of operational resilience and to manage the risks associated with the provision of the respective financial services.

The inclusion of regulated financial services into the scope of the Guidelines would require a financial entity which is receiving financial services from another financial entity to include these services into its third-party risk management. Consequently, financial entities would need to monitor each other’s regulated services, resulting in a high administrative burden, while not limiting or effectively managing third-party risk or increasing operational resilience. 

This is particularly relevant for financial market infrastructures (“FMIs”), such as trading venues, CCPs or CSDs, authorized under European regulations (including MiFID II, EMIR, CSDR) which reliably ensure both their business continuity and operational resilience. DBG therefore welcomes the inclusion of “clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members” into the exemptions listed in paragraph 32 but proposes to extend this exemption to regulated financial services in general (including the operation of trading venues within the meaning of MiFID II).

For the same reason, ancillary services provided by a financial entity should be exempted, if such ancillary services are regulated financial services themselves or services inseparable from, indivisible from, preparatory or necessary for the provision of a regulated financial service, and are not provided in a standalone manner.

This approach would be in line with that of the European Commission in defining the scope of “ICT services” under DORA in its response to question “DORA030 – 2999”. In its response, the European Commission stated:

“[i]n the case that financial entities provide ICT services to other financial entities in connection to their financial services, the receiving financial entities should assess whether i) the services constitute an ICT service under DORA, and ii) whether the providing financial entities and the financial services they provide are regulated under Union law or any national legislation of a Member State or of a third country. In case both tests are positive, then the related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA Article 3(21).

In case the service is provided by a regulated financial entity providing regulated financial services but is unrelated or is independent from such regulated financial services, the service should be considered as an ICT service under Article 3(21) DORA. 

The same rationale applies to ancillary services provided by an entity, depending on whether such ancillary services are regulated financial services or a service inseparable from, indivisible from, preparatory or necessary for the provision of a regulated financial service, and are not provided in a standalone manner.”

Therefore, the assessment of whether a provided service or function is a regulated financial service already plays a central role in classifying services as ICT services and hence as DORA relevant. Since the Guidelines strive to closely align the management of third-party risk in relation to non-ICT services with DORA requirements, regulated financial services should be treated identically across both regulatory frameworks.

To this end, we request clear guidance on how to classify services (ICT or non-ICT) in cases where the primary service is non-ICT but relies on ICT components in the delivery chain. For example, compliance services that utilize a sanctions screening tool in the background raise ambiguity. Should such arrangements be treated under the non-ICT framework or fall under DORA due to the embedded ICT dependency? We seek clarification on how materiality of ICT components influences classification.

Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?

We believe that Title II is sufficiently clear overall. 

However, as already stated above, the services listed in paragraph 32 of the Guidelines and Annex I should be further aligned. Paragraph 32 f. states that “[a]s a general principle, the following functions are excluded from the scope of these Guidelines: […] f. the acquisition of services that do not have material impact on the financial entities’ risks exposures or on their operational resilience (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the institution’s or payment institution’s premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators) […]”. However, “Secretarial Services” are explicitly mentioned in Annex I of the Guidelines (“Non exhaustive list of functions that could be provided by a third-party service provider”) as an administrative service that is in scope of the EBA Guidelines.   

Furthermore, the draft EBA Guidelines (Chapter 4, Paragraph 34) introduce additional triggers and risk factors for identifying Critical or Important Functions (CIFs), which appear to go beyond the definition provided in DORA (Article 3(22)). This creates potential divergence in CIF classification methodology. EBA should, therefore, clarify whether these triggers are mandatory or illustrative, and how firms should reconcile the two frameworks when applying a unified third-party risk register to ensure consistency of CIF determination criteria between EBA Guidelines and DORA.

Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?

We believe that Point 64 c) introduces a disproportionate burden, even though it applies only to critical or important functions. Point 64 c) requires that all subcontractors along the entire chain of subcontracting, including natural persons, are registered in the Info register. As the reach of the proposed regulation is extremely broad per se, in a world that thrives on specialization and collaboration the obligation is extensive, as hundreds or even thousands of subcontractors along the value chain of a service or product may be involved. Identifying such contributions to the value chain covered by the proposed regulation will in many cases not even be possible for the tier 1 subcontractor. The identification of subcontractors along the entire subcontracting chain of ICT services under DORA has already proven to be hardly practicable at best. Here, as the covered services are much broader across most non-ICT service categories, determining all subcontractors along the value chain will become impossible.

Thus, we propose either to limit the number of tiers of subcontracting that will have to be covered, or at least to restrict the obligation to those non-ICT services that effectively underpin the services which in turn effectively underpin the financial entity’s critical or important functions.

Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?

We consider that the highly detailed and complex risk assessment required in Section 11.2 forces financial entities to allocate resources in a disproportionate manner to both critical or important functions and non-critical or important functions, as the main parts of the required risk assessment apply to both types of functions. For functions that per se do not introduce high risks for a financial entity’s resilience, almost the same resources must be allocated as for the most critical or important functions. Given the extremely high number of services that will typically be covered, this leads to an excessive administrative burden with a questionable focus. Thus, we propose an approach that distinguishes more strongly between non-critical or important functions and critical or important functions, with a more relaxed risk assessment for non-critical or important functions.

The same applies mutatis mutandis to the due diligence requirements in Section 11.3. 

Point 82 is already expressly mandated under the GDPR and thus does not need to reappear here.

With a view to point 83, we have the following observation. Although aspects of ethical and social responsibility, ESG and human rights are fundamental principles deeply rooted in DBG’s DNA, we respectfully question whether these aspects need to be specifically addressed in this financial regulation on resilience, or whether covering them by requiring the financial entity to adhere to applicable EU law (to which it is bound in any case) would be more appropriate.

We believe that Sections 12, 13 and 14 should be carefully reconsidered in light of the broad range of services of different nature that will be covered by the proposed regulation and the very different risk levels that a service may introduce. Large parts of the requirements appear to be taken over from DORA and its delegated regulations and thus inherit the immense level of detail that DORA establishes. Even the quite limited variance of ICT service contracts has shown that DORA established mandatory minimum contractual requirements which, from case to case, may not be relevant (e.g. leased data center space vs. requirements on the location of data processing/storage). Given the broad range of services covered by the proposed regulation, this will become even more evident with the requirements established in the sections mentioned above. For example, the data-related provisions will not be applicable to many services but are nevertheless required to be “at least” included in the agreements. What are service level descriptions, including their updates and revisions, for the Entertainment Services that are covered under the Annex category of Travel & Entertainment Services?

We propose that the contractual requirements should be subject to the principle of proportionality and thus be applicable “as appropriate”, to cater for the wide variety of services, risk exposures and agreement types that will be covered by the proposed regulation, so that the financial entity is not bound to a mandatory set of requirements but can select those which are sensible for the service and agreement in question.

Section 12.1 foresees that certain contractual requirements must be inherited through the whole subcontracting chain. While recognizing that this may be the ultimate solution for full transparency and full control of risks, we consider that it may be impracticable, and thus disproportionate, given the large variety of service types covered by the proposed regulation. For example, this could imply that for a leased money transport truck, the leasing company must grant the financial institution audit and access rights to the repair shop in which that truck is repaired; that repair shop in turn must grant audit rights regarding the provider of the garage equipment it leases from a manufacturer; and that manufacturer, who uses a number of different consulting and other services, must in turn grant the financial entity audit rights regarding those services. This example could be expanded further along the subcontracting chain. We see this requirement as not viable, specifically given the broad range of potentially covered services.

In this context, we appreciate that Section 12.2 explicitly includes the possibility of leveraging third-party certification and third-party or internal audit reports to comply with TPSP audit requirements. Suppliers often provide services to many financial entities, which can number in the hundreds. It would therefore be highly inefficient for the supplier, and unnecessarily costly for the financial entities, if each financial entity were required to conduct its own supplier audit. Statutory audits provide a good example of how a streamlined audit procedure can deliver insights for a large number of stakeholders. Developing standards for TPSP audits could further support consistency and efficiency in practice. To ensure usability and comparability, such certifications should be designed in a standardized and widely recognized format—ideally aligned with established frameworks such as ISO certification. However, we caution against introducing eligibility criteria that could limit the pool of eligible providers to only those who are certified to provide services to the financial sector; or that could lead to unjustified cost premiums charged by financial industry-certified service providers.

Similar to ICT services – where high synergies would be realized if contractual terms on operational resilience could be uniform instead of thousands of financial institutions discussing with a small number of key ICT service providers – EBA could provide a standardized contractual template to reduce the need for individual negotiations, make individual negotiating power irrelevant, and reduce unnecessary costs to the industry.

Thus, we propose that the primary subcontractor, who remains in charge of fulfilling all obligations under the agreement, should be required by the financial entity to establish in its subcontracting chain the controls and requirements needed to fulfill its obligations under the agreement, while leaving the control and steering of that subcontracting chain to the supplier, as the supplier will know best what it requires to ensure continuous and flawless service provision to the financial entity.

Similarly, the previous EBA outsourcing guidelines led to extensive implementation of contractual clauses across internal and external arrangements. Even minor amendments to these clauses now require a full contract re-rollout, which imposes a significant operational burden without proportional benefit. Considering the burden of revising and implementing contractual clauses, EBA should consider providing flexibility for minor updates that do not materially affect the risk posture.

Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?

We believe that Annex I of the Guidelines is too broad and extends the scope of the Guidelines to services and functions which regularly do not have a material impact on financial entities’ risk exposures or their operational resilience (such as “Advertising & Marketing”, “Document Management & Archiving”, “Postal services & Mailing”, “Talent acquisition & hiring”, “Marketing” as well as advisory services). Such an approach will lead to a significant regulatory and administrative burden for financial entities within the scope of the Guidelines. This will create an unlevel playing field for financial entities within Member States and conflicts with the current initiatives to reduce bureaucracy in the European Union.

In line with the line of argument above, we urge EBA to revisit the list provided in Annex I of the Guidelines to exclude 

  • services that are typically performed by a TPSP for financial entities and that, due to actual circumstances or legal requirements, are regularly not carried out by financial entities themselves, and
  • regulated financial services as well as ancillary services to these regulated financial services.

A non-exhaustive list of items we believe should be excluded from the Annex I items based on these arguments, can be found attached to our response. 


Name of the organization

Deutsche Börse Group