Financial regulators around the world have renewed their focus on third-party due diligence, especially in terms of operational resilience. The pressure is now on firms with EU operations to get their houses in order. We look at what’s spurred the reforms and what the key things to know are.
Critical third parties and hidden risk
Across all industries, critical third party (CTP) suppliers are essential to the smooth running of their clients’ day-to-day operations, from payroll to supply chain continuity. These integral third-party arrangements come with a range of associated risks, however – as has been highlighted by recent global events.
The pandemic and the war in Ukraine are likely to have exposed some firms to risks they have not even considered yet, including those posed by arrangements with CTPs in sanctioned nation states or former CTPs who still have access to their sensitive data and internal platforms. For the financial sector, these risks could have far-reaching implications.
A worldwide wave of regulatory reform
Financial regulators around the world have responded by focusing on the third-party due diligence of financial services firms, especially in terms of their operational resilience.
In the EU, as in the UK and the US, regulators have been busy overhauling the rules to target outsourcing arrangements and to reflect changing practices.
Nowhere has this been more evident than in the creation of the Digital Operational Resilience Act (DORA), which received formal approval from the EU’s Council of Ministers in late November 2022.
There are several key things to note in relation to DORA’s approach to the financial sector’s third-party relationships:
Financial firms are unlikely to have much time in which to meet DORA’s compliance standards. Even the most generous estimate allows for just 24 months.
DORA imposes new rules on the management of information and communication technology (ICT) third-party risk.
EU regulators are clearly worried that the financial sector's IT security is not keeping pace with the threat environment. Significantly, DORA now empowers the EU’s supervisory authorities to regulate ‘critical’ ICT third-party service providers to financial firms.
The regulators recognise that no policy or procedure can completely protect a firm from the risks it’s exposed to via its third parties. However, it is equally clear that firms are expected to demonstrate that they are continuously and rigorously monitoring all these relationships.
The upshot is that financial firms will be forced to follow the regulators’ lead. They will have to make minimising third-party risk exposure a greater priority, particularly when it comes to their IT and cyber security. And while that may be a reasonable requirement, it is also a demanding one that – ironically – most firms will be able to meet only with the assistance of a specialist CTP.