ESMA’s New Guidelines Aim to Tackle Third-Party Risks in a More Digital World

Key Takeaways

  • Growing Third-Party Dependence: EU securities markets are increasingly reliant on third-party services, making the need for effective third-party risk management more urgent.
  • ESMA’s New Framework: ESMA’s principles offer a comprehensive framework for supervising third-party risks, ensuring consistency across sectors within the EU.
  • Benefits and Risks: While third-party services provide advantages like expertise and cost efficiency, they also bring risks, including security vulnerabilities and loss of control.
  • Governance and Oversight: Effective governance, diligent due diligence, and continuous monitoring are key to managing third-party risks effectively.
  • Consistency Across the EU: ESMA’s guidelines aim to establish a consistent, efficient approach to supervising third-party risks across all EU jurisdictions.

Deep Dive

The European Securities and Markets Authority (ESMA) is stepping up to ensure that third-party risks don’t get overlooked in the growing complexity of EU securities markets. As more companies turn to third parties for critical functions, ESMA’s new guidelines aim to help supervisors across the EU keep pace with these shifts and ensure a more secure, compliant, and resilient market.

For years, outsourcing and third-party services have been a common practice in the securities sector. But as the world goes more digital, that reliance is deepening, and the risks are evolving in ways that weren’t part of the traditional outsourcing model. These new guidelines recognize this transformation, bringing a fresh set of principles to help tackle third-party risks across sectors.

In the past, third-party services were largely tied to outsourcing. A company would hand off a specific function to another firm. But in today’s digital world, third-party relationships extend far beyond this traditional model. Companies are increasingly reliant on third parties for a wide range of services, from business processes to technology, and from data management to customer support. Some third-party providers are deeply embedded in these companies’ operations, sometimes providing critical functions.

This shift brings tremendous benefits: better quality services, access to specialized expertise, and lower operational costs. But with these benefits come new challenges. Third-party risks now pose bigger threats, such as loss of control, compliance lapses, security breaches, and the exposure to concentrated risks that could ripple throughout an entire business. The increasing use of third parties could leave some companies vulnerable, especially when these relationships stretch across borders or become more integrated into the company’s core functions.

Why These Principles Matter
ESMA’s new principles were developed to provide a clear framework for supervisory authorities across EU jurisdictions to better handle third-party risks. These guidelines aren’t just a ‘one-size-fits-all’ approach; they account for the growing digitalization of services and the varying degrees of risk companies face depending on the type and criticality of the third-party service they use.

At the heart of these principles is the aim to create a level playing field, ensuring consistent supervision across the EU. By establishing a common framework, ESMA wants to ensure that no matter where a company is based, or what services they outsource, there’s a standard approach for assessing, managing, and monitoring third-party risks. This is crucial for maintaining financial stability and protecting investors in an increasingly interconnected market.

Let’s break down some of the main principles and how they work to keep third-party risks in check:

  1. Governance and Risk Frameworks: ESMA wants to make sure that companies aren’t letting third-party relationships undermine their governance or risk management. Supervisory authorities will check that entities have strong frameworks in place to assess and manage these risks, ensuring that third-party dependencies don’t leave the company exposed.
  2. Due Diligence and Risk Assessment: Before entering into third-party arrangements, companies must carry out thorough risk assessments. This includes understanding the potential impact on their business model, reviewing the financial health of the third party, and assessing potential risks, like security vulnerabilities or regulatory compliance issues. Supervisory authorities will ensure that these assessments are documented regularly and updated as the business evolves.
  3. Contractual Arrangements and Monitoring: To avoid future issues, all third-party relationships should be formalized through clear, written contracts. These should outline the roles and expectations of both parties, as well as the specific risks identified during due diligence. Regular monitoring of third-party performance is essential, ensuring that services are delivered as agreed and that risks are properly managed. Supervisors will be on the lookout to ensure that companies aren’t simply ticking boxes; they need to have strong, ongoing oversight of these relationships.
  4. Intragroup and Cross-Border Arrangements: In today’s globalized world, many companies rely on third parties based in other countries or within their own corporate groups. ESMA has set principles for these types of arrangements too. When third-party services cross borders, the risks get more complicated, especially if the third party is in a jurisdiction with different regulations. Supervisory authorities will check that companies properly assess these risks and have the right mechanisms in place for supervision, especially when it comes to access and audit rights.

Why Governance and Monitoring Are Key
One of the most important aspects of these new principles is ensuring that companies don’t lose control when they rely on third parties. The governing bodies of these entities must ensure that third-party risks are properly managed and that they maintain enough visibility over the third-party services provided. This is especially true when critical functions are being outsourced. Supervisory authorities will make sure the company is fully accountable and that key personnel, like the CEO or senior managers, are actively overseeing these relationships.

It’s also important to remember that these principles are about building a framework for the future. Third-party risks need to be monitored continuously, and exit strategies must be in place in case things go wrong. That’s why ESMA’s principles stress the need for periodic reviews and assessments as part of a broader, ongoing risk management strategy.

As businesses increasingly depend on third-party services to run their operations, the landscape is evolving. While these new relationships open up a world of opportunities, they also introduce new risks. The challenge for businesses and supervisors alike is to find a balance between leveraging these services and managing the risks effectively.
