A&O Shearman | FinReg | ESMA publishes principles for supervisory oversight of third-party risk
  • ESMA publishes principles for supervisory oversight of third-party risk

    12 June 2025
    The European Securities and Markets Authority (ESMA) has published a comprehensive set of principles, accompanied by a press release, aimed at strengthening the supervision of third-party risks across the EU financial sector. The principles are intended to guide national competent authorities (NCAs) in identifying, assessing and overseeing third-party risks for EU entities in the securities markets, in accordance with the relevant legal framework and the principle of proportionality. Aligned with international standards (IOSCO, FSB and BCBS), the principles apply to all third-party arrangements, whether the third party is intra-group or external, located within the EU or in a third country, and irrespective of the technology used. The fourteen principles are grouped into four thematic areas to support NCAs in exercising effective oversight and ensuring that entities appropriately manage third-party risks.
    • The supervisory overview, which includes the principle on the supervision of third-party risks, aimed at maintaining consistent and effective oversight of entities' exposure to such risks.
    • The supervised entity, which includes the principles of: (i) effective governance, requiring clear internal structures for risk management; (ii) oversight of third-party risks by management bodies, ensuring they are held accountable for effective oversight; (iii) sufficient substance, requiring entities to retain sufficient corporate substance at all times; (iv) integration of third-party risk in the overall risk management framework; and (v) conducting thorough documented risk assessments before entering into arrangements.
    • The relationship with the third party, which includes the principles of: (i) performing due diligence prior to engagement; (ii) establishing clear and enforceable written contractual and service level agreements; and (iii) implementing effective monitoring of third-party performance and risk exposure.
    • The specific risks and issues, which includes the principles of: (i) managing risks associated with the geographical location of third parties; (ii) applying appropriate oversight to intragroup arrangements; (iii) addressing risks within the third-party supply chain; (iv) ensuring the effectiveness and independence of outsourced internal control functions; and (v) retaining adequate access and audit rights.

    ESMA intends in future to support the progressive implementation of the principles through supervisory discussions and case studies among NCAs.
