4 July 2025

From Principles To Practice: ESMA's Approach To Third-Party Risk Supervision

Arthur Cox

Arthur Cox is one of Ireland’s leading law firms. For almost 100 years, we have been at the forefront of developments in the legal profession in Ireland. Our practice encompasses all aspects of corporate and business law. The firm has offices in Dublin, Belfast, London, New York and Silicon Valley.

In June, the European Securities and Markets Authority ("ESMA") published fourteen non-binding Principles on third-party risks supervision (the "Principles"). The purpose of the Principles is to facilitate the creation of a common framework to be used by EU-domiciled National Competent Authorities ("NCAs") to identify, assess and supervise third-party risks of the firms they regulate.

Through the use of these Principles, ESMA's intention is to foster a consistent and streamlined approach to third-party risks supervision by the NCAs, including as it relates to loss of control, non-compliance with regulatory provisions, reduced operational resilience, security issues and exposure to concentration risks, and to allow for further supervisory convergence in this area.

Note: For the avoidance of doubt, the Principles are expected to apply to all recurring and ongoing arrangements with intragroup or external third-party service providers whether they are 'outsourcing, delegation or other forms of provisions of services by a third-party', apart from arrangements with ICT service providers captured by the Digital Operational Resilience Act ("DORA").

Central Bank of Ireland Regulatory & Supervisory Priorities

As highlighted in Central Bank of Ireland's Regulatory & Supervisory Outlook for 2025/26, operational risks and resilience remain high on the agenda across all industry sectors, with both the reliance on outsourcing arrangements and the delegation of critical functions recognised as key risk drivers.

To assess third-party risks and their impact on resilience, the Central Bank of Ireland (the "Central Bank") is currently undertaking a number of supervisory activities, including a thematic review of delegation practices by fund management companies. In addition, the Central Bank has committed to assessing how well securities markets firms have implemented the requirements of the Markets in Crypto-Assets Regulation ("MiCAR") and DORA, both of which have a significant focus on third-party risks.

Principles of Third-Party Risks Supervision – Key Areas of Focus

All Irish regulated firms should by now have undertaken regulatory change programmes to implement the requirements introduced by the Central Bank of Ireland's Cross Industry Guidance on Outsourcing (the "Outsourcing Guidance"). While the Principles and the Outsourcing Guidance are wholly aligned, it is worth noting that there are some key aspects of third-party governance and oversight which continue to create additional complexities for firms, especially those who operate within a larger group structure.

When reviewing their third-party management programmes against the Principles, we encourage regulated firms to conduct more in-depth and critical assessments of the following areas:

Principle 2: Effective Governance to Manage Third-Party Risks

For those firms who operate within a larger group structure, it may be the case that certain oversight and due diligence activities are performed by centralised specialist teams to increase efficiencies, reduce costs and benefit from economies of scale.

In these situations, the firm must ensure that any third-party arrangements are still subject to their own local governance arrangements (i.e. decision making and approval processes), and that any activities performed by centralised teams comply with EU laws and regulations, and take into consideration the requirements and views of the firm (e.g. local risk appetite and tolerances, service criticality assessments etc.).

Principle 5: Risk Management Framework

Under the Principles, NCAs are encouraged to apply proportionality in their supervisory approach to third-party risks. In practice, this typically means that regulated firms who pose higher levels of risk to markets and consumers will be subject to more frequent and intense supervision activities.

From the regulated firm's point of view, proportionality should also be applied by heightening the level of oversight and due diligence of critical or important activities or by taking a more granular approach 'depending on the third-party risks level considered acceptable by the entity'. It is crucial that a firm documents its approach to proportionality and how it impacts its oversight of, and the due diligence it performs on, third-party arrangements to ensure that the firm takes a consistent approach for arrangements with a similar risk profile.

Principle 11: Intragroup Arrangements

Many firms operating within a wider group structure will benefit from shared services and access to centres of excellence through intragroup arrangements. Under the new Principles, NCAs are expected to assess these arrangements to ensure that firms are able to evidence that:

  • they retain 'full ownership' of the decision to enter into the intragroup arrangement;
  • the services received are adapted to meet local business needs, i.e. any global processes are tailored to meet Irish and EU requirements where necessary; and
  • the arrangement is subject to risk mitigants including, for example, a formal written contract directly with the firm, sufficient time allocation by the intragroup service provider, and fees that are subject to fair transfer pricing provisions.

It is vitally important that firms can evidence that the decision to engage in any arrangement is taken locally and not unduly influenced by the group, that they apply the same level of rigour to intragroup and external third-party arrangements, and that the particular risks arising from such arrangements are identified, assessed, monitored and managed accordingly.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.
