
Is your vendor risk management program ready for the regulator?

Financial services regulators impose strict expectations when it comes to the management of third-party risks. While concern across the economy runs high over cyber risk exposures and information security, firms are expected to manage all types of risk that their vendors pose, not only cyber risk.

This article focuses on the operational risk management requirements of the PRA and the FCA for regulated financial institutions in the UK, and their relationship with the EU’s Digital Operational Resilience Act (DORA). Firms that provide services across jurisdictions may need to meet multiple requirements concurrently.

Subscribe to our Knowledge Hub to make sure you catch the rest of our Vendor Risk Management blog series:

Subscribe now

The link to operational resilience

In the UK, operational resilience rules from the FCA and PRA already require firms to understand how third parties support their important business services and to include those third parties in scenario testing. The onus is on the firm to meet its defined impact tolerances during disruption, regardless of whether those important business services are supported by third parties. Firms remain fully accountable for meeting their obligations.

The Digital Operational Resilience Act, covering a broad range of financial entities in the EU, will come into effect in January 2025. While it requires you to have an internal governance and control framework over your own ICT environment, effective management of IT-related third-party risks is a key component. Those expectations include:

  • Maintaining an entity-level register of the use of ICT services provided by third parties
  • Undertaking due diligence on third parties during the selection process
  • Only entering into contractual arrangements with third parties who comply with information security standards (thus requiring sufficient assessment of those capabilities)
  • Regularly reviewing risks arising from contractual arrangements with third parties

While those expectations are specific to third parties, the general principles state that regulated entities remain fully responsible for all of the obligations in the regulation, including for services covered under contractual relationships. This means that all other sections you would apply internally also need to be applied, proportionately, to those third parties.

Outsourcing and third-party risk management

The PRA has issued a supervisory statement on outsourcing[1]. While not all of these requirements apply to all third-party arrangements, the PRA still expects firms to assess materiality and to implement proportionate controls for material or high-risk third-party arrangements. The PRA also notes that the criteria outlined for ‘pre-outsourcing’ activities should be applied to material third-party arrangements as well.

Those criteria include:

  • A materiality assessment (including ongoing assessment of whether materiality has changed)
  • Conducting due diligence
  • Completing risk assessments, including assessment of concentration risk
  • Expectations over contractual agreements

These are further supported by specific sections on:

  • Data security
  • Access, audit and information rights
  • Sub-outsourcing
  • Business continuity and exit plans

While the PRA has called these out separately due to their importance in outsourcing arrangements, they also need to be considered during the due diligence and risk assessment phases.

The FCA has similar outsourcing rules within its handbook, supported by guidance on cloud and other third-party IT services. Beyond their specific guidance, the two regulators are not afraid to rely on their fundamental rules or principles to point out breaches related to third-party failures. Most relevant to the management of third parties are their respective positions on conducting business with due care and skill, taking reasonable care to control affairs responsibly and effectively, and having an adequate risk management system.

How to adopt a common ground approach

You might need to tailor your approach depending on the jurisdictions you operate in and the regulators you engage with, but we recommend a single approach, stratified by materiality or criticality, supported by due diligence and monitoring that is commensurate with each engagement. This requires:

Initial tiering of third parties

Initial tiering determines materiality or criticality of the third party (aligned with regulatory classification where applicable), which can inform the level of due diligence and risk activities you need to take. Where applicable, this tiering can be based on operational resilience mapping.

Initial due diligence

This includes assessing the third party’s capabilities, authorisations to perform activities and financial condition, and collecting other critical information required to provide confidence that the third party can sustainably deliver.

Particularly for IT-related services or where customer data is shared, this due diligence may be comprehensive. Having a standard set of questionnaires and a consistent way to assess responses is essential. Initial tiering and the nature of the arrangement allow you to focus on the set of questions relevant to each particular arrangement while maintaining consistency. You might be comfortable simply evidencing that a third party has a business continuity program; for third parties that support your important business services, you may request more specific evidence that business continuity plans have been tested.

Risk assessments

Risk assessments should be conducted on a regular basis across the range of risks that you face, which may include continuity, information security, or compliance. These risks may change over time, warranting changes to controls or testing frequency. In extreme cases, it may warrant a more dramatic change to the relationship. For example, if you have outsourced to another region where in-country corruption has increased over time, you may choose to cease all engagements in that region.

Ongoing monitoring

While performing ongoing monitoring sounds obvious, it can be a challenging activity without the right tools, and it is easily forgotten or perpetually falls to the bottom of the ‘to do’ pile. Without the right tools, there may not even be any visibility into the status of third-party monitoring across the organisation.

Monitoring should include:

  • Monitoring and tracking of performance against expectations, including ongoing compliance with laws, regulations and policies as applicable
  • Testing of controls over the third party, receiving reports from the third party related to their controls, or testing the third party’s controls directly
  • Reviewing risk assessments and monitoring for change
  • Ensuring any authorisations, certifications and insurance remain up to date
  • Tracking and responding to issues and incidents related to the third party

Effective tools can centralise this monitoring, allowing for an aggregated view of how effectively stakeholders are managing this process.

Termination

Particularly for material outsourcing arrangements, regulators expect you to have contingency or transition plans prepared in advance.

Beyond that, it is also essential to ensure that offboarding and termination processes are properly followed, particularly in relation to the revocation of access to data and the destruction of information. If these are not managed effectively, you may still suffer information security breaches long after the relationship has ended.

Governance and record keeping

Regardless of whether there is a regulatory imperative, we recommend effective governance over all third-party relationships. This includes:

  • Board accountability for third-party risk management, including setting risk appetite, approving the framework and policies, and ensuring that procedures and practices are put in place to support them
  • Management responsibility for developing and implementing those policies, procedures and practices in accordance with the risk appetite and business strategy
  • Clear roles and responsibilities for performing day-to-day activities related to third-party risk management
  • Consistent collection of data to demonstrate effective management of individual third-party arrangements
  • Reporting to management and the board on the effectiveness of the third-party risk framework, including sufficient information on critical third parties

Approaches will differ, and some third-party risk management frameworks will be more distributed than others – though in nearly all cases multiple people or teams will be involved throughout the lifecycle. What is important is that those roles and responsibilities are clear in your organisation, and that processes are designed to ensure a seamless flow of information.

Key questions and next steps

Here are some key questions to ask about whether you are regulator-ready:

  • Do you have processes in place to identify the resources required (people, information, systems, and other assets) to support your important business services, enabling you to effectively identify those owned or managed by third parties?
  • Is your due diligence sufficient? Do you have standards and processes that define the level of detail needed for each type of engagement? Do you make it easy for third parties to respond to due diligence enquiries?
  • Not all third parties are created equal – is the frequency of your risk assessments commensurate with the risks posed, driven by a standard risk management process and automation?
  • Are roles and responsibilities clear enough to enable effective governance? Is it clear who owns each third-party relationship, and who is responsible for specific tasks throughout the third-party lifecycle?

If you want to know more about your vendor risk profile, download our Vendor Risk Management eBook for a detailed step-by-step guide on how to build an effective vendor risk management program.


[1] https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2021/ss221-march-21.pdf

About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.