Regulations

Hi there

Due to their nature, the EBA Guidelines on outsourcing arrangements suggest that both these services would be in scope for risk identification, assessment, monitoring, management, and reporting. (See language below). While it is unclear why BBG is pushing back, it is clear that no matter what vendor claims, your organization can determine which of your third-party relationships you will include in your TPRM program and process. Still, considering that BBG has other customers in the same position as your organization, it would be interesting to know why they feel they should be out of scope for these EBA requirements.

My advice is to have BBG state in writing what their specific objections are, and to provide their rationale, citing specific regulatory information that justifies their position. Once you have that information, I suggest you work with your internal compliance department (and legal counsel if necessary) to formalize your position on the matter. Please make sure to document everything fully, regardless of what your organization decides Regulatory examiners may ask about the considerations and decision-making undertaken by your organization before reaching a conclusion.

Those are my thoughts, but hearing from other members on this topic would be great.

Per the Final Report on EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02 25 February 2019)

The Delegated Regulation (EU) 2017/565 specifies, under Article 30, that 'an operational function shall be regarded as critical or important where a defect or failure in its performance would materially impair the continuing compliance of an investment firm with the conditions and obligations of its authorisation or its other obligations under Directive 2014/65/EU, or its financial performance, or the soundness or the continuity of its investment services and activities'. formal vendor risk management processes which include assessment.