Article 33
Outsourcing
1.
External reviewers that outsource their assessment activities to third-party service providers shall ensure that any such third-party service provider has the ability and the capacity to perform those assessment activities reliably and professionally. Those external reviewers shall also ensure that the outsourcing does not materially impair the quality of their internal control and ESMA’s ability to supervise the compliance of those external reviewers with this Regulation.
2.
External reviewers shall not outsource all their assessment activities or their compliance function.
3.
External reviewers shall notify ESMA of the assessment activities that they intend to outsource, including a specification of the level of human and technical resources needed to carry out each of those activities and the reasons for such outsourcing.
4.
External reviewers that outsource assessment activities shall ensure that such outsourcing does not reduce or impair the ability of the members of the external reviewer’s senior management or management body to perform their function or roles.
5.
External reviewers shall ensure that third-party service providers cooperate and comply with any supervisory requests from ESMA in connection with any outsourced assessment activities.
6.
External reviewers shall remain responsible for any outsourced activity and shall adopt measures to ensure the following:
(a)
assessments of whether third-party service providers carry out outsourced assessment activities effectively and in compliance with applicable Union and national laws and regulatory requirements and adequately address identified failures;
(b)
identification of any potential risks in relation to outsourced assessment activities;
(c)
adequate periodic monitoring of the outsourced assessment activities;
(d)
adequate control procedures with respect to outsourced assessment activities, including effective supervision of the outsourced assessment activities and of any potential risks in relation to the third-party service provider;
(e)
adequate business continuity of outsourced assessment activities.
For the purposes of the first subparagraph, point (e), external reviewers shall obtain information about the business continuity arrangements of third-party service providers, assess their quality and request improvements to such arrangements where necessary.
7.
ESMA shall develop draft regulatory technical standards specifying the criteria for:
(a)
assessing the ability and the capacity of third-party service providers to perform the assessment activities reliably and professionally; and
(b)
ensuring that the performance of assessment activities does not materially impair the quality of the external reviewers’ internal control or ESMA’s ability to supervise the external reviewers’ compliance with this Regulation.
ESMA shall submit those draft regulatory technical standards to the Commission by 21 December 2024.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1095/2010.