Managing critical third parties

Financial services (FS) firms have become increasingly reliant on third party providers (TPP) to support their operations. The services offered by these providers (such as cloud computing and data analytics) provide many potential benefits and are enabling widespread digital transformation. However, this increasing reliance also poses growing risks — especially as the group of providers continues to become more concentrated.

Ultimately, firms themselves are accountable for their end-to-end operational resilience, regardless of whether or not they rely on providers. Firms can seek to exercise some control over their own arrangements with third parties, however, they are not able to address the systemic risks that the largest of these providers now pose. Therefore, regulators are stepping in with measures that target third party resilience more broadly.

In May, the European Council (EC) announced that provisional agreement had been reached on the Digital Operational Resilience Act (DORA).

DORA was first proposed in September 2020 as part of the EU's larger digital finance package. It aims to create a harmonised regulatory framework for digital operational resilience across the EU and bring critical ICT third party providers (CTPPs), including cloud service providers (CSPs), within the regulatory perimeter. It will require in-scope entities to ensure that they can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

The proposed legislation would enable the designation of a TPP as `critical', based on criteria such as the number and systemic character of financial entities that rely on it and the TPP's degree of substitutability.

Once designated as a CTPP, oversight will be carried out by one of the European Supervisory Authorities (ESAs — the EBA, EIOPA or ESMA), which will be able to conduct on-site and off-site inspections, issue recommendations and even levy fines (of up to 1% of daily worldwide turnover) in case of non-compliance or require FS firms to terminate their arrangement with the CTPP.

Additionally, under the provisional agreement:

• Alignment is maintained with existing EU regulatory guidelines on ICT risks (e.g. EBA Guidelines on ICT and Security Risk Management, and Guidelines on Outsourcing Arrangements)
• The implementation window for firms to comply with the requirements of DORA is extended from 12 to 24 months
• Auditors are not subject to DORA in the first instance, but this will be reviewed in future and the rules may be revised
• CTPPs are required to establish a subsidiary within the EU so that they can be effectively overseen
• An additional joint oversight network strengthens coordination between the ESAs
• Penetration tests will be carried out in functioning mode, and it will be possible to include several member states' authorities in the test procedures
• Firms' intragroup ICT providers are differentiated from external providers through separate definitions, with controls suited to the risk profile of each
• A new limitation to the automatic termination of contracts between firms and CTPPs is introduced, to ensure the safe and secure transition to alternative providers if required

To note, the proposed oversight framework for CTPPs will not remove or reduce firms' own regulatory responsibilities in respect of ICT TPPs. DORA contains — in line with existing EBA and EIOPA guidelines — third party risk management requirements for firms that use CTPPs and TPPs, including provisions relating to auditing rights and mandatory contractual clauses.

The provisional agreement on DORA is now subject to approval by the European Council and Parliament before going through the formal adoption procedure. Once formally adopted, DORA will be passed into law by each EU member state. The ESAs will then develop technical standards and the respective national competent authorities will be responsible for compliance oversight and enforcing the regulation as necessary. Requirements are expected to become operational some time in 2024.

The UK appears to be moving towards a similar approach to DORA in respect of critical third parties — although potential regulation is still in the consultation phase.

In July, the UK financial authorities — the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) — published a discussion paper (DP) setting out their plans to oversee the critical services provided by `big tech' firms to the financial sector. Specifically, they are seeking views on potential measures to manage the systemic risks posed by TPPs designated as “critical” to the financial sector by HM Treasury under the newly introduced UK Financial Services and Markets Bill (FSMB).

Under the provisions of the FSMB, HMT will — in consultation with the financial regulators and other bodies — be able to designate certain third parties as 'critical' (CTPs). This designation will be applied through secondary legislation, taking into account high-level criteria such as the number and type of services a third party provides to FS firms and the materiality of those services.

Core to the regulators' proposed approach would be the provision of information by CTPs to the supervisory authorities to assess the resilience of material services and address relevant concerns.

The potential measures in the DP are technology-neutral and focus on material services that CTPs provide to the financial sector only — they do not address wider application to other sectors. The regulators will be able to exercise a range of powers in respect of any material services that CTPs provide. These powers include the ability to set minimum resilience standards (including requirements to develop and test financial sector continuity playbooks) and enforce targeted forms of resilience testing.

Regulators will also be empowered to assess whether the resilience standards are being met, including by:

• Requesting information directly from CTPs on the resilience of their material services to firms, or their compliance with applicable requirements
• Commissioning an independent `skilled person' to report on certain aspects of a CTP's services
• Appointing an investigator to look into potential breaches of requirements under the legislation
• Interviewing a representative of a CTP and require the production of documents
• Entering a CTP's premises under warrant as part of an investigation

As with DORA, these measures would seek to complement, but not replace, FS firms' and FMIs' own responsibilities to manage potential risks to their operational resilience, including as a result of the impact of the failure or disruption of a TPP. The supervisory authorities also recognise that there could be unintended consequences stemming from the designation of CTPs, for example on competition, and welcome industry feedback on ways to minimise these risks.

The consultation runs until 23 December.

As more jurisdictions engage on the issue of critical third parties, the need for cross-consultation and some degree of harmonisation will also increase.

During July's US-UK Financial Regulatory Working Group, regulatory approaches were discussed, with participants noting: “the value of developing shared, international approaches to identifying critical services and providers; expectations for their use in the financial sector; and collaborative methods of assurance, and the importance of promoting cooperation on a bilateral and multilateral basis between relevant authorities on this issue”.

Most financial services firms will likely welcome the introduction of these oversight frameworks, as they provide greater clarity and certainty around their obligations and the obligations that lie with their third parties. All stakeholders should continue to watch the developments in this space as the final regimes are decided.