About the author
Managing Consultant | Advisory
Christine Young joined Thomas Murray’s Advisory team in 2022, after 30 years in the asset servicing sector. Her previous role was at BNY Mellon, where Christine was responsible for the risk and regulatory control function in the asset servicing business, having led the development of the control framework for the business. She has also held roles in sales, corporate development and relationship management. Christine has both legal and accounting qualifications, and extensive experience in working on multi-discipline projects in global jurisdictions.
Critical third parties and hidden risk
Across all industries, critical third party (CTP) suppliers are essential to the smooth running of their clients’ day-to-day operations, from payroll to supply chain continuity. These essential relationships come with a range of associated risks, however – as recent global events have highlighted.
The pandemic and the war in Ukraine are likely to have exposed some firms to risks they have not even considered yet, including those posed by:
- arrangements with CTPs in sanctioned nation states; or
- former CTPs who still have access to their sensitive data and internal platforms.
For the financial sector, these risks could have far-reaching implications.
A worldwide wave of regulatory reform
Financial regulators around the world have responded to the heightened threat environment by focusing on the third-party due diligence of financial services firms, especially in terms of their operational resilience.
In the EU, as in the UK and the US, regulators have been busy overhauling the rules to target outsourcing arrangements and to reflect changing practices.
Nowhere has this been more evident than in the creation of the Digital Operational Resilience Act (DORA), which received formal approval from the EU’s Council of Ministers in late November 2022.
There are several key things to note in relation to DORA’s approach to third-party relationships in the financial sector:
- Financial firms are unlikely to have much time in which to meet DORA’s compliance standards. Even the most generous estimate allows for only 24 months.
- DORA imposes new rules on the management of information and communication technology (ICT) third-party risk.
- EU regulators are clearly worried that the financial sectors’ IT security is not keeping pace with the threat environment. Significantly, DORA now empowers the EU’s supervisory authorities to regulate ‘critical’ ICT third-party service providers to financial firms.
The regulators recognise that no policy or procedure can completely protect a firm from the risks it’s exposed to via its third parties. However, it is equally clear that firms are expected to demonstrate that they are continuously and rigorously monitoring all these relationships.
The upshot is that financial firms will be forced to follow the regulators’ lead. They will have to make minimising third-party risk exposure a greater priority, particularly when it comes to their IT and cyber security. And while that may be a reasonable requirement, it is also a demanding one that – ironically – most firms will be able to meet only with the assistance of a specialist CTP.