ITS on register of information

Certain sector-specific Union financial services legislation contains requirements on outsourcing. Those requirements have been further developed in guidelines issued by the ESAs. Under those guidelines, some financial entities are expected to record specific information on their outsourcing arrangements, in some cases also in the form of registers, as part of their outsourcing risk management. In recent years, several national competent authorities and the ECB have collected information included in such registers as part of their supervision of financial entity compliance with the outsourcing requirements. Based on the lessons learned from the different data collection exercises of outsourcing registers performed in the recent years by the ESAs and competent authorities, the standard templates should be designed in a technology-neutral manner with open tables, which have a predefined number of columns and an indefinite number of rows. In addition, the standard templates should be linked to one another by using different specific keys forming a relational structure between those templates.

To receive ICT services from an ICT third-party service provider, including ICT intra-group service providers, financial entities conclude a written contract with the ICT third-party service provider. In case of groups, ICT intra-group service providers may conclude a contract with ICT third-party providers that are external to the group to provide ICT services to one or more financial entities of the group. To capture the full ICT service supply chain, financial entities maintaining the register of information should report both information on the contractual arrangement with their ICT intra-group service provider and information on the arrangement stipulated by the ICT intra-group service provider and the ICT third-party providers that are external to the group as subcontractors. Therefore, the register of information should include a specific template enabling the reconciliation between the intra-group contracts and the contracts with ICT third-party service providers that are external to the group.

The provision of ICT services to financial entities may rely on potentially long or complex chains of subcontracting which should be monitored by the financial entities. Financial entities should assess the associated risks, including ICT third-party concentration risks with regard to the ICT third-party service providers supporting a critical or important function or material parts thereof, considering a risk-based approach and the principle of proportionality. To enable that assessment, financial entities should be required to record in the register of information only those subcontractors that effectively underpin ICT services supporting critical or important functions or material parts thereof, including all the subcontractors providing ICT services whose disruption would impair the security or the continuity of the service provision. When identifying those subcontractors, financial entities should consider business and ICT service continuity and ICT security aspects.

A register of information should be maintained and updated by financial entities including where a financial entity outsources all its activities to another entity, as the maintenance of the register of information contributes to the operational resilience of that financial entity. Therefore, where an entity is acting on behalf of a financial entity for all the activities of the financial entity (including the ICT services), the direct ICT third-party service providers to that entity should be recorded in the relevant templates of the register of information of the financial entity. In such case, the entity is only registered as an entity maintaining the register.

To allow transparency and comparability of contractual arrangements and the ongoing monitoring of those arrangements, the register of information should focus on the operational links between the financial entities and the ICT third-party service providers. To that end, the register of information should use four keys, which, among others, linking relevant data to each other across the templates of the register of information: (i) the reference number of the contractual arrangement between the financial entity signing that arrangement and the direct ICT third-party service provider, (ii) an appropriate identifier of financial entities and ICT third-party service providers, (iii) the function identifier, and (iv) the type of ICT services.

To appropriately document the contractual arrangements between the financial entities and the ICT third-party service providers as required by Regulation (EU) 2022/2554, it is understood that ICT third-party service providers should provide for an identification number which allows for their consistent and accurate identification by the financial entities and by the ESAs, the Oversight Forum, and the competent authorities, when exercising their supervisory powers, including for the designation of critical ICT third-party service providers under Article 31 of that Regulation. Concerning legal persons, the LEI and EUID are recognised international and European identifiers ensuring the consistent, unique and robust identification of companies. Consequently, either of these two identifiers should be used for the identification of the ICT third-party service providers established in the Union for the purposes of the application of that Regulation and should be considered as information that is common to all contractual arrangements, whereas the ICT third-party service providers established in third-countries should be identified with LEI only. The templates used for the register of information about the ICT third-party service providers should require information on either of these two identifiers for ICT service providers that are legal persons, while allowing natural persons acting in the capacity of ICT service providers to use alternative identification codes.

Each financial entity, including financial entities from the same group, have their own internal taxonomy of functions depending on their specific business models and internal organisations. To allow for a clear monitoring distinguishing between the functions of the financial entities and the ICT services, financial entities should themselves designate relevant functions by using the function identifier at individual level and at group level.

To enable the operability of the register of information at entity, sub-consolidated and consolidated level across all the financial entities that are part of the same group, financial entities should ensure the correctness and consistency of all the data in that register. In particular, to enable such operability, it is necessary to ensure consistency in the consolidation of the identifiers, namely the contractual arrangement reference numbers, the function identifier, LEI of the financial entities and identifiers of the ICT third-party service providers.

To ensure consistency and harmonisation and to avoid burdensome reprocessing of data for reporting purposes, the structure of the templates and the requirements of the data elements should consider data management and reporting perspectives. To ensure full comparability of the information reported in the register of information with the information provided in other regulatory or statistical reporting, financial entities should adhere to data quality principles, when maintaining and updating that register.

This Regulation is based on the draft implementing technical standards submitted to the Commission by the ESAs.

The ESAs have conducted open public consultations on the draft implementing technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the ESAs’ Stakeholder Groups established in accordance with Article 37 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council(²)Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p. 12, ELI: http://data.europa.eu/eli/reg/2010/1093/oj)., Article 37 of Regulation (EU) No 1094/2010 of the European Parliament and of the Council(³)Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (OJ L 331, 15.12.2010, p. 48, ELI: http://data.europa.eu/eli/reg/2010/1094/oj). and Article 37 of Regulation (EU) No 1095/2010 of the European Parliament and of the Council(⁴)Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (OJ L 331, 15.12.2010 p. 84, ELI: http://data.europa.eu/eli/reg/2010/1095/oj).

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(⁵)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj)..