Guide

A Guide to Third-Party Risk Management Compliance in Finance

Noggin

Risk Management

Updated March 25, 2024

Introduction

Companies have become more reliant than ever on third-party vendors. And it is not just a matter of how many vendors; it is also a matter of what kind and quality of services they provide.

Many third-party vendors are central to how businesses operate. According to a Deloitte survey, “many companies even outsource core functions.” [i]

Sure, these arrangements improve efficiency and productivity. But they carry stark risk, too.

Now, when vendor incidents happen, they quickly cascade into crises for the organization by compromising material business activities.

Third-party risk on the rise

COVID, in this respect, was a pivotal moment.

How so? The pandemic precipitated greater dependence on cloud service providers (CSPs): almost 90% of respondents to Deloitte’s global survey expect to have moderate to high levels of dependence on CSPs. [ii]

Another result of COVID-related disruptions is that organizations now face a broader spectrum of more complex risks across overlapping domains, including geopolitical risk, geographic and supplier concentration, sanctions, and export controls.

Regulators intervening under the banner of operational risk

Regulators, as a result, are intervening, particularly in the financial services space.

These regulators have mandates to ensure the well-functioning of public markets. And they have found that many of the firms they regulate haven’t kept pace with the profound shift in the third-party risk environment ushered in by the pandemic.

Now, under the banner of operational resilience compliance, these regulators have put forth specific compliance requirements for firms who have “outsourced” material business activities to third parties.

Which regulators and how? That’s what this guide to third-party risk management compliance will tackle, specifically addressing the following regulations in advanced financial markets:

The Digital Operational Resilience Act

A binding EU regulation on digital operational resilience for the financial sector, DORA addresses potential systemic and concentration risks posed by the financial sector’s reliance on information and communication technology (ICT) third-party providers (TPPs).

Indeed, the very rationale for the regulation came from the clear emergence of ICT third-party risk as a key threat vector and challenge to digital operational resilience. But what is ICT third-party risk, exactly?

ICT third-party risk, as the statute lays out, is ICT risk that may arise due to ICT services provided by ICT third-party service providers or their subcontractors.

How, then, does DORA regulate ICT third-party risk? The Regulation does so by imposing the following ICT third-party risk management requirements:

  1. Manage ICT third-party risk as an integral component of ICT risk within the entity’s ICT risk management framework and in accordance with the following principles:

    1. Financial entities that have in place contractual arrangements for the use of ICT services to run their business operations shall, at all times, remain fully responsible for compliance with, and the discharge of, all obligations under this Regulation and applicable financial services law.

    2. Financial entities’ management of ICT third-party risk shall be implemented in light of the principle of proportionality, taking into account:

      1. The nature, scale, complexity, and importance of ICT-related dependencies

      2. The risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability of financial services and activities, at individual and at group level

  2. Adopt and regularly review a strategy on ICT third-party risk, as part of the entity’s ICT risk management framework, taking into account the multi-vendor strategy. The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis. The management body shall, on the basis of an assessment of the overall risk profile of the financial entity and the scale and complexity of the business services, regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions.

  3. Maintain and update at entity level and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

    The contractual arrangements shall be appropriately documented, distinguishing between those that cover ICT services supporting critical or important functions and those that do not.

    Financial entities shall report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.

    Financial entities shall make available to the competent authority, upon its request, the full register of information or, as requested, specified sections thereof, along with any information deemed necessary to enable the effective supervision of the financial entity.

    Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions as well as when a function has become critical or important.

  4. Before entering into a contractual arrangement on the use of ICT services, financial entities shall:

    1. Assess whether the contractual arrangement covers the use of ICT services supporting a critical or important function

    2. Assess if supervisory conditions for contracting are met

    3. Identify and assess all relevant risks in relation to the contractual arrangement, including the possibility that such contractual arrangement may contribute to reinforcing ICT concentration risk

    4. Undertake all due diligence on prospective ICT third-party service providers and ensure throughout the selection and assessment processes that the ICT third-party service provider is suitable

    5. Identify and assess conflicts of interest that the contractual arrangement may cause.

  5. Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. When those contractual arrangements concern critical or important functions, financial entities shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality information security standards.

  6. In exercising access, inspection, and audit rights over the ICT third-party service provider, financial entities shall, on the basis of a risk-based approach, pre-determine the frequency of audits and inspections as well as the areas to be audited through adhering to commonly accepted audit standards in line with any supervisory instruction on the use and incorporation of such audit standards.

  7. Financial entities shall ensure that contractual arrangements on the use of ICT services may be terminated in any of the following circumstances:

    1. Significant breach by the ICT third-party service provider of applicable laws, regulations, or contractual terms

    2. Circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider

    3. The ICT third-party service provider’s evidenced weaknesses pertaining to its overall ICT risk management and, in particular, in the way it ensures the availability, authenticity, integrity and confidentiality of data, whether personal or otherwise sensitive data, or non-personal data

    4. Where the competent authority can no longer effectively supervise the financial entity as a result of the conditions of, or circumstances related to, the respective contractual arrangement.

  8. For ICT services supporting critical or important functions, financial entities shall put in place exit strategies. The exit strategies shall take into account risks that may emerge at the level of ICT third-party service providers, in particular a possible failure on their part, a deterioration of the quality of the ICT services provided, any business disruption due to inappropriate or failed provision of ICT services or any material risk arising in relation to the appropriate and continuous deployment of the respective ICT service, or the termination of contractual arrangements with ICT third-party service providers.

  9. The European Supervisory Authorities (ESAs) shall, through the Joint Committee, develop draft implementing technical standards to establish the standard templates for the purposes of the register of information, including information that is common to all contractual arrangements on the use of ICT services.

    The ESAs shall also, through the Joint Committee, develop draft regulatory technical standards to further specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.

Sound Practices to Strengthen Operational Resilience

Like their counterparts in the EU, U.S. regulators have also acknowledged that firms have become increasingly dependent on third parties for business-critical functions and that these third parties are themselves vulnerable to disruption, disruption which can then imperil financial services organizations.

As a result, the Sound Practices to Strengthen Operational Resilience, an interagency paper issued jointly by the Federal Reserve Board, the OCC, and the FDIC in 2020, brings together already-existing regulations and guidance to assist in the development of comprehensive approaches to operational resilience. It outlines the following measures to promote the sound management of third-party risk:

  • Identify and analyze third-party risk of critical operations and core business lines. Prioritize third-party dependencies that are most significant and understand, manage, and mitigate risks.

  • Establish relationships with third parties through formal agreements. Manage and monitor the performance of third parties against service requirements and tolerance for disruption.

  • Periodically review reports of systems and controls and summaries of test results or other equivalent assessments of third parties.

  • Verify that third parties have sound risk management practices and controls in place that serve to identify and mitigate hazards to operations and are consistent with the firm’s tolerance for disruption.

  • Address key third-party concerns to the extent that these concerns affect the firm’s operational resilience.

  • Identify risks of third parties that provide the firm with public and critical infrastructure services, such as energy and telecommunications.

  • Identify other third parties that may be available to assist in the event current third parties are unable to continue delivering services.

APRA CPS 230

APRA CPS 230 (Prudential Standard CPS 230 Operational Risk Management) is a relatively new prudential standard designed to strengthen the management of operational risk in the Australian banking, insurance, and superannuation industries. It works by establishing minimum standards for managing operational risk, including updated requirements for service provider management.

What are the requirements for the management of service provider arrangements? Regulated entities are being asked to maintain a comprehensive service provider management policy.

That policy must cover how the entity will identify material service providers and manage service provider arrangements, including the management of material risks associated with the arrangements.

The relevant policy must include the following:

  • The entity’s approach to entering into, monitoring, substituting and exiting agreements with material service providers

  • The entity’s approach to managing the risks associated with material service providers

  • The entity’s approach to managing the risks associated with any fourth parties that material service providers rely on to deliver a critical operation to the APRA-regulated entity

Further third-party risk requirements include:

Material service providers

  • An APRA-regulated entity must identify and maintain a register of its material service providers and manage the material risks associated with using those providers.
  • Material service providers are those on which the entity relies to undertake a critical operation or that expose it to material operational risk.
  • Material arrangements, likewise, are those on which the entity relies to undertake a critical operation or that expose it to material operational risk.
  • The entity must, at a minimum, classify a provider of the following services as a material service provider:
    • Credit assessment, funding and liquidity management, and mortgage brokerage
    • Underwriting, claims management, insurance brokerage, and reinsurance
    • Fund administration, custodial services, investment management, and arrangements with promoters and financial planners
    • Risk management, core technology services, and internal audit
  • The entity must submit its register of material service providers to APRA on an annual basis.
  • APRA may require an APRA-regulated entity, or a class of APRA-regulated entities, to classify a service provider, or type of service provider, as material.

Service provider agreements

Before entering into or materially modifying a material arrangement, an APRA-regulated entity must:

  • Undertake appropriate due diligence, including an appropriate selection process and an assessment of the ability of the service provider to provide the service on an ongoing basis
  • Assess the financial and non-financial risks from reliance on the service provider, including risks associated with geographic location or concentration of the service provider(s) or parties the service provider relies on in providing the service

Monitoring notifications and review

  • Monitor and report to senior management on material service provider arrangements commensurate with the nature and usage of the service
  • Notify APRA:
    • As soon as possible and not more than 20 business days after entering into or materially changing an agreement for the provision of a service on which the entity relies to undertake a critical operation
    • Prior to entering into any offshoring agreement with a material service provider, or when there is a significant change proposed to the agreement, including in circumstances where data or personnel relevant to the service being provided will be located offshore.
  • Review any proposed outsourcing arrangement with a material service provider for a critical operation, and regularly report to the Board or Board Audit Committee on compliance with the entity’s service provider management policy for such arrangements

Operational resilience: Impact tolerances for important business services

U.K. regulators were the first in this space, consulting on operational resilience rules in the late 2010s; the effective date of those rules was subsequently delayed due to COVID.

Parsing these sprawling rules, we find that regulated entities are required to map their important business services [iii] and test their ability to remain within impact tolerances [iv] for the purposes of building operational resilience.

What does that have to do with third-party risk management? Well, compliance is expected regardless of whether the operational resources are being provided wholly or in part by a third party.

Indeed, mapping [v] and testing that extend to third parties are necessary, per the rules, for the entity and the supervisor to obtain an accurate understanding of the entity’s operational resilience.

To that end, the supervisory authorities expect that the level of assurance entities receive from third-party suppliers relating to important business services should be proportionate to the size and complexity of the firm or FMI (financial market infrastructure) and reflect the materiality and risk of the outsourcing or third-party arrangement.

Firms that enter into outsourcing or third-party arrangements remain fully accountable for complying with all their regulatory obligations. As part of their assurance, firms or FMIs may ask third parties to provide mapping or scenario testing data but this is not required in all cases, particularly if other assurance mechanisms are effective and more proportionate.

Digital technology to ensure regulatory compliance

What do many of these regulations amount to? Well, regulators are asking organizations to manage their third-party risk by ensuring that vendors meet the same standards and expectations (be they for cybersecurity, data privacy, or any other matter) as their internal teams.

Organizations, as such, must follow the third-party risk management lifecycle, an ongoing process requiring regular reassessment to ensure that risks are being appropriately managed.

The process itself consists of the following stages:

  • Identification of whether you need to employ a third party

  • Conducting due diligence

  • Shortlisting and selection of a third party

  • Sending out a risk questionnaire

  • Contract drafting

  • Commencement of the onboarding process

  • Ongoing monitoring

  • Undertaking of internal audits

  • Contract termination or offboarding

To ensure compliance, though, financial services organizations might also consider integrating digital third-party risk management functionality into the lifecycle. Why? Embedded, automated, cross-functional workflows prove more effective in managing third-party risk and reporting to senior leadership.

How’s that? Using automated workflows to invite vendors and gather due diligence information using questionnaires and documents, these technologies serve to simplify the onboarding process for third parties. And once onboarded, service details, contracts, and risk assessments are set up in collaboration with vendors to ensure alignment between parties.

What other capabilities should you be looking for if you’re looking to ensure regulatory compliance by up-leveling your TPRM program? Consider the following:

Integrate third parties into your resilience initiatives

Digital technology should incorporate third-party risk management into your wider resilience workspace to align third parties with your resilience initiatives – from anticipating disruptions using risk intelligence, improving preparedness with risk assessments and dependency mapping, through to collaborating during incident response.

Automate ongoing monitoring and follow-up activities

Digital technology should support monitoring of third parties on an ongoing basis to ensure you have the right data to improve the resilience of the third-party ecosystem, with automated document and questionnaire updates, third-party status updates, risk assessment and action monitoring, plus risk intelligence to stay ahead of emerging threats.

Identify and share insights to improve resilience

Digital technology should enable you to leverage the data collected from your ecosystem and visualize it using configurable analytics to identify top issues and opportunities for improvement. Insights should also be able to be shared with internal stakeholders or externally with regulators as required, to satisfy obligations in customizable, printable reports.

Finally, regulators have cottoned on to the explosion of third-party risk, in the process imposing stringent new measures on financial services organizations. Addressing this new regulatory environment will take robust third-party risk management measures.

In addition to these procedures, organizations should also seek out third-party risk management software. This software, as noted, equips teams to pinpoint and address the top issues across the vendor ecosystem to better manage risk, ensure digital operational resilience, and remain firmly in regulatory compliance.


Sources

[i] Deloitte, Emerging stronger: The rise of sustainable and resilient supply chains. Global third-party risk management survey 2022. Available at https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-global-tprm-survey-report-2022.pdf.

[ii] Ibid.

[iii] Important business services, here, means a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could: (1) cause intolerable levels of harm to any one or more of the firm’s clients; or (2) pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.

[iv] Impact tolerance, as defined by the Financial Conduct Authority, means the maximum tolerable level of disruption to an important business service, as measured by a length of time and in addition to any other relevant metrics, reflecting the point at which any further disruption to the important business service could cause intolerable harm to any one or more of the firm’s clients or pose an intolerable risk to the soundness, stability, or resilience of the UK financial system or the orderly operation of the financial markets.

[v] The consultations proposed that a firm or FMI (financial market infrastructure) would be required to identify and document the necessary people, processes, technology and information required to deliver each of its important business services. In particular, it was proposed that mapping should enable firms and FMIs to deliver the following outcomes: (i) identify vulnerabilities in the delivery of important business services within an impact tolerance; and (ii) test their ability to remain within impact tolerances.