Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 1 for Public Consultation: Are subject matter, scope of application, definitions and transitional arrangements appropriate and sufficiently clear?
We are concerned by the proposed inclusion of Class 2 investment firms, and more specifically proprietary traders, in the scope of these Guidelines.
The Association of Proprietary Traders (APT) represents 23 independent proprietary trading firms based in the Netherlands, trading professionally in financial instruments for their own account and risk, contributing to price discovery and providing continuous liquidity on centrally cleared exchanges and trading platforms, thereby improving market efficiency, stability and transparency. This is often done in the capacity of designated market maker, to the benefit of all market participants, retail and institutional investors alike. A large contingent of our members consists of smaller, SME-sized investment firms.
Class 2 investment firms are already subject to comprehensive governance and risk management requirements under the IFD/IFR prudential framework. This framework requires firms to have sound risk management processes in place, but does not mandate such extensive documentation, registration and contractual obligations as proposed in these draft Guidelines. Introducing such requirements would go far beyond the Level 1 framework and impose a disproportionate burden on entities that are not part of the banking sector.
IFR/D was set up as a separate and specific regime, more fitting for investment firms than CRR/D. With the introduction of IFR/D, the CRR EBA Guidelines on Outsourcing are no longer applicable to investment firms; instead the MiFID II and delegated reporting requirements apply. For APT it is unclear why these MiFID II requirements are now considered insufficient for non-ICT services, beyond a desire to harmonise with DORA or a theoretical view on the risks of a lack of documentation related to outsourcing. To revert to CRR/D whilst a separate regime is in place seems a step back. Moreover, given that Class 2 investment firms are not subject to the EBA Guidelines on outsourcing arrangements issued in 2019, the proposal in the 2025 consultation represents a very heavy and administratively burdensome lift for such firms, given the difference between the MiFID II approach and the 2025 proposed Guidelines. This has not been properly explained or justified in the cost/benefit analysis attached to the Guidelines.
The proposals in the Guidelines are also "out of sync" with the European Commission's push for reducing the reporting burden on firms (aiming for a 25% reduction). It is also unclear to us what the need for this new register is: has there been a failure somewhere in the field on non-ICT/"non-cyber" services? Has some form of gap analysis been performed?
In our view, the EBA has no legal mandate to extend its Guidelines to activities provided by entities such as proprietary traders that are subject to sectoral frameworks under the responsibility of ESMA. Such expansion of the scope risks creating conflicting requirements, duplicative oversight, and diverging supervisory practices across the Union.
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
We would like to refer to and support FIA EPTA’s response.
Question n. 3 for Public Consultation: Are Sections 5 to 10 (Title III) of the Guidelines sufficiently clear and appropriate?
Register of information (ROI): for our membership the proposed introduction of this non-ICT register represents a major increase in reporting burden. Including any outsourcing in the register would mean a lot of additional work. For instance, page 37, paragraph 63 of the consultation effectively seems to indicate that the register needs to be the same as the DORA register: "...the register shall be consistent to the extent possible, when not merged, with the register of information under Article 28(3) DORA, and financial entities are encouraged to avoid any discrepancies between those two registers."
Aligning the outsourcing register with DORA comes with a number of issues. First, the DORA register has approximately 95 fields, 14 tabs and multiple spreadsheets, in part because the ESAs used the register to define critical and important ICT third-party service providers for the Union. This is not currently the case for the outsourcing register; the Guidelines suggest between 11 and 18 fields. Trying to align the two in this sense would take a considerable amount of work and effort. Additionally, the delineation of which third-party services are in scope is not as clear as it is under the DORA Regulation. For example, the exemptions for regulated services are limited to global network structures, legally required functions and global financial messaging infrastructures, but do not include services which are subject to a regulatory/licensing regime, such as those provided by a credit institution. The lack of a clear distinction will create confusion as to which entities do or do not fall within the scope of these Guidelines and registers. The benefit of having a DORA-like register for all outsourced services is also not properly investigated in the cost-benefit analysis. What material benefit to the market is anticipated which justifies such a very high administrative burden being placed on firms?
Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?
Pre-contractual and onboarding obligations: APT expects a substantial additional workload. The same documentation requirements as under DORA will start to apply, which seems overly onerous to us, especially given the scope of the counterparties captured. All in-scope contracts have already been executed, so this would require a process of amendments, taking a lot of time and legal resources. For DORA this took up to a year of back-and-forth with each counterparty. It is unclear what risk these prescriptive requirements are looking to defend against, especially since all contracts will always contain termination rights, which should cover the majority (if not all) of the risks the EBA is looking to address. The MiFID II Guidelines take a more pragmatic approach to contractual requirements, leaving firms responsible for managing the specific drafting whilst keeping a prescribed outcome in mind. The MiFID II Guidelines have also proven to be fit for purpose in practice. Allowing firms the freedom to contract how they see fit, whilst ensuring that operational risk is mitigated, seems to be a more sensible approach, especially when trying to reduce, rather than increase, the administrative burden on firms.
Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?
We would like to refer to FIA EPTA’s response.