The European Securities and Markets Authority (ESMA) has given regulators a guide for supervising third-party risks to the financial sector. EU firms have recently finished implementing the Digital Operational Resilience Act (DORA), which includes rules on managing ICT third-party risks. They should now prepare for more scrutiny of the other third-party risks that were not included in their DORA implementation projects.
ESMA's principles on third-party risk supervision aim for consistent supervision of third-party risk across the EU's securities markets. ICT risks fall outside the scope of these principles because firms' management of ICT risk is already covered by DORA. The principles cover other uses of third parties, including outsourcing and delegation arrangements.
Some points for firms to note include:
- No empty shells: ESMA tells regulators to assess an entity's overall reliance on third parties and the related risks this poses to its corporate substance.
- Management oversight: Regulators should check that senior managers receive sufficient information to challenge third-party risks. Some boards may need to allocate specific responsibility for overseeing critical activities provided by third parties.
- Strategy refresh: Firms should have a third-party risk management framework that explains their reliance on third parties and the controls they have in place to manage the related risks. They should regularly review this framework along with their third-party strategy.
- Contract review: Third-party arrangements should explicitly grant audit rights to the entity, its auditors and its regulators. Contracts should also provide for regular monitoring, business continuity and exit plans.
- Supply chains: Firms should build safeguards into their contracts that specify the conditions under which sub-contracting is permitted.
The principles are non-binding guidance, and specific regulatory requirements on firms take precedence. ESMA says that regulators should apply the framework proportionately, with a specific focus on the use of third-party services for critical activities.