Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?
Chapter 2, par. 5 is phrased in a confusing manner and it is not entirely clear what is meant by it. As for par. 16 (definition): the definition of 'third party arrangement' needs more clarity on how an intragroup service provider can be seen as a third party. In what way is an intragroup provider now seen as a 'Third Party', considering that by definition it is not a third party? Further, the definition of 'Third party risk' includes 'Subcontractor Risk', yet subcontractors are not included in the definition of a third party arrangement/service provider. Can this be clarified?
Chapter 3. Par. 17 seems to contradict the content of par. 18. Par. 17 requires amendment of third party arrangements on or after the 'effective date'. However, par. 18 uses mandatory language and prescribes that existing arrangements should be made compliant.
Scope
It is not clear whether ARTs and MiCAR should be considered. Please provide clarity on the scope.
Date of application
Does this relate to all third party arrangements or only to those stipulated in the guidelines (non-ICT services)? Please clarify.
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
The scope of exclusions and the concept of prudential reporting require further clarification. Title II in particular requires further clarification and alignment, as it seems Recovery & Resolution is now included as a criticality criterion. The text is unclear on the exclusion criteria and therefore needs clarification.
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
While the governance framework is mostly clear, some policy and documentation requirements need refinement. Clarification is needed in particular on 6. Policy on third-party risk management and 10. Documentation requirements. We urge the Regulators to consolidate and align the registers of EBA (TPRM) and ESMA (DORA).
6. Policy on third-party risk management
49h could be made clearer, as it is ambiguous regarding possible service interruptions and unexpected termination. Is an individual interruption a reason to exit, or should interruptions be taken into account only once an exit has already been triggered?
50c. What is the driver behind the differentiation in the policy requirements (CoIF or not, authorised or not, location in a Member State or a third country,…)?
50. It is unclear what the consequence of including this in the policy is and what is expected of the financial entity. The rationale and an explanation of what it means are missing.
55. & 61. The reference to “Section 2” is ambiguous: there is no clearly labelled “Section 2” in the document. This needs to be clarified (it could also be a mistaken reference to Chapter 2 or Paragraph 2).
10. Documentation requirements
63. “When not merged” could be misinterpreted. Please clarify whether a unified register is expected or optional.
63d. Why is a subcontractor included if a subcontractor is already considered a TPSP?
Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?
Mostly clear; however, in general:
- Title IV outlines a robust process for managing third-party risks, but it remains unclear which types of non-ICT functions and associated risks are considered in scope. We recommend the EBA provide illustrative examples of non-ICT risks (e.g. legal, compliance, reputational) that would be relevant under these guidelines to support consistent interpretation and implementation.
- The guidelines explain the proportionality principle clearly, but the term “risk-based approach” is used without a formal definition (examples 75, 78, 113, 114, 115). We suggest adding a short definition to help ensure consistent understanding and application.
12. Contractual phase
85c. Stipulating the difference between processing and storage is referenced in this article. Does this mean that, for example, support/sourcing contracts are not subject to DORA even though they contain an IT component?
94. Why is opt-out not referenced as an option in this article?
94. "Before implementation" is not always possible in real-life situations.
104. The focus is on CoIF for the assessment of third-party certifications. Does this mean that this is not required for non-critical ones?
13. Monitoring
113. “Regularly” and “periodically” are not defined in terms of months or years, which leaves room for interpretation.
115a. Please clarify what “appropriate reports” entails.
Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?
Title V – Guidelines on third-party risks arrangements addressed to competent authorities
122. Please note that currently many TPSPs think that the right of a competent authority to examine/audit is always planned in advance, and some arrangements include a notice period of 14 days. This makes ad-hoc requests from a competent authority impossible.
123d. What kind of report do competent authorities expect here?
Annex I
Annex I (non-exhaustive list of functions) is generally clear but would benefit from alignment with other EBA regulations and a clearer distinction between ICT and non-ICT services.
Some payment services referenced in the annex are out of scope if they are already monitored by law. See the out-of-scope list at the beginning of the document. Please clarify.