Article 4
Third party involvement
1. In order to assess compliance with the requirement regarding the soundness and the integrity of the rating systems laid down in Article 144(1) of Regulation (EU) No 575/2013 where an institution has delegated tasks, activities or functions relating to the design, implementation and validation of its rating systems to a third party, or has purchased a rating system or pooled data from a third party, the competent authority shall verify that that delegation or purchase does not hinder the application of this Regulation and shall verify that:
|
(a) |
senior management of the institution as defined in point (9) of Article 3(1) of Directive 2013/36/EU (‘senior management’) as well as the management body of the institution or the committee designated by that management body are actively involved in the supervision and decision-making regarding the tasks, activities or functions delegated to the third party or regarding the rating systems obtained from third parties; |
|
(b) |
the staff of the institution has sufficient knowledge and understanding of the tasks, activities or functions delegated to third parties and of the structure of data and rating systems obtained from third parties; |
|
(c) |
continuity of the outsourced functions or processes is ensured, including by means of appropriate contingency planning; |
|
(d) |
internal audit or other control of the tasks, activities and functions delegated to third parties is not limited or inhibited by the involvement of the third party; |
|
(e) |
the competent authority is granted full access to all relevant information. |
2. Where a third party is involved in the tasks of developing a rating system and risk estimation for an institution, the competent authority shall verify that:
|
(a) |
points (a) to (e) of paragraph 1 are satisfied; |
|
(b) |
the validation activities with regard to those rating systems and those risk estimates are not performed by that third party; |
|
(c) |
the third party provides the institution with the information necessary for those validation activities to be performed. |
3. Where, for the purposes of developing a rating system and risk parameter estimation, the institution uses data that is pooled across institutions, and a third party develops the rating system, the third party may assist the institution in its validation activities by performing those tasks of validation which require access to the pooled data.
4. For the purposes of applying paragraphs 1, 2 and 3, competent authorities shall apply all of the following methods:
|
(a) |
review the agreements with the third party and other relevant documents which specify the tasks of the third party; |
|
(b) |
obtain written statements from or interview the relevant staff of the institution or the third party to whom the task, activity or function is delegated; |
|
(c) |
obtain written statements from or interview senior management or the management body of the institution or the third party to whom the task, activity or function is delegated, or the committee of the institution designated by the management body; |
|
(d) |
review other relevant documents of the institution or of the third party, where necessary. |