Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?
The Guidelines also refer to contractual arrangements within a group. In our view, it would be appropriate to raise concerns regarding the overly broad material and personal scope of the definition of “third-party arrangement”. We propose to exclude intragroup TPSPs from the scope of both the definition and the Guidelines.
The outsourcing procedure is developed at the level of each financial entity, and in our assessment this does not create systemic risks within group relationships. Moreover, financial entities bear full responsibility in accordance with Guideline paragraph 42. Within a group to which a financial entity belongs, the awareness of and compliance with best outsourcing practices is generally high.
This comment applies to all definitions referring to arrangements at the group level.
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
In paragraph 32 of the draft Guidelines, the functions excluded from the scope of application are listed. We propose adding to these exclusions the equivalent of “correspondent banking services” in the payments sector, namely intermediary payment services or services usually provided by financial entities.
We also consider the exclusion of Visa and Mastercard from the scope of the Guidelines to be appropriate.
With regard to paragraph 37(b)(v) of the Guidelines, we note that the previous version of the EBA Guidelines on Outsourcing did not include ESG or AML/CFT risk. In our view, the inclusion of ESG risk is particularly problematic due to the lack of a uniform and clearly defined scope of this concept. A similar comment applies to Guideline No. 83.
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
In relation to paragraph 39 of the draft Guidelines, we note that the document was intended to address areas outside the scope of DORA. Nevertheless, references to DORA are included in this section, which may create interpretative uncertainty regarding the relationship between these two regulatory frameworks.
Regarding paragraph 44, the reference to “payment institutions” appears unclear. Since, according to the Guidelines, “financial entities” already include payment institutions, there is no need to explicitly distinguish them again within this provision.
With respect to paragraph 45(a), we propose that the responsibilities referred to in the preceding points be assigned to the specific member of the management body responsible for the relevant function, rather than to the management body as a whole.
In paragraph 48, the Guidelines specify that reviews should be carried out “at least once a year.” This is inconsistent with the earlier provisions of the Guidelines, which referred only to “regular reviews” without indicating a frequency. We propose retaining the previous wording from the EBA Guidelines on Outsourcing, without specifying the review interval.
In paragraph 49, we see no justification for replacing the word “main” with “all” (in the sentence “The policy should include all the phases of the life cycle”) compared with the previous Guidelines. This change could impose additional burdens on financial entities without clear rationale and seems inconsistent with the principle of proportionality.
In paragraph 49(d), we recommend introducing simplified requirements for smaller entities, in line with the principle of proportionality (similarly to paragraph 45(c)). Moreover, clear criteria should be defined for identifying smaller entities eligible for simplified requirements.
Paragraph 55 introduces a new obligation requiring the mandatory participation of third-party service providers in BCP testing and central-level testing within groups. In our view, this requirement is excessive and will result in significant logistical and operational challenges for payment institutions. No justification for this extension has been provided.
Paragraph 61 introduces a major change compared to the previous Outsourcing Guidelines. The former wording “as appropriate” has been removed. Since the Guidelines are not a legally binding source of EU law, they should not specify exact timing requirements; such matters should remain governed by national legislation.
In paragraph 63(g), the requirement to include the LEI or EUID of each TPSP in the register of information raises practical concerns. Not all TPSPs possess an LEI, as it is not assigned automatically and must be obtained from authorised providers. Moreover, many non-EU TPSPs have indicated that they do not intend to apply for an LEI. These entities are often critical for payment infrastructure (both EU and global), are highly specialised, and maintain high security standards. However, the absence of an LEI (and the fact that non-EU TPSPs do not have an EUID) will make it impossible for financial entities to complete the relevant register fields, which require at least one of these identifiers.
Paragraph 64(c) introduces the requirement to specify the position of each TPSP within its subcontracting chain in the register of information. This may prove extremely challenging in practice.
Finally, paragraph 67 establishes an obligation to inform competent authorities of planned contractual arrangements concerning critical or important functions. This requirement is formulated in very general terms, without specifying the timing or scope of such notification. This could expose payment institutions to supervisory risk if the authority expects notification within a specific deadline that is not clearly defined in the Guidelines. The same concern applies to paragraph 68.
Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?
Not applicable
Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?
Listing the functions specified in Annex I as those that may be provided by TPSPs could lead to excessive outsourcing of risk management by financial institutions. This, in turn, may result in institutions losing their ability to identify, assess, monitor, and report risks effectively, and could lead to the implementation of inadequate or inefficient control mechanisms.
Supervisory authorities have repeatedly emphasised in their communications that risk management, compliance, and internal control functions are integral elements of the internal control system and the overall risk management framework of financial institutions. Therefore, such functions should not be outsourced.
It should also be noted that including in the Annex services that are already subject to supervision (e.g. payment services, among others) creates a situation of “double regulation” of the same activities, as well as of certain functions (such as internal control) that should not be outsourced at all.
Moreover, several of the functions listed in Annex I appear disproportionate to the purpose of the Guidelines, especially considering the types of services covered. The catalogue is drafted so broadly that it could, in practice, encompass even very simple activities, such as the posting of registered mail.