The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

Richard Mapes, Director, Compliance and Operational Risk, UBS

Why is regulation of third parties important?

Effective management of third party provided services is vital to ensuring financial services institutions continue to meet their obligations with end customers, third parties act with the customer in mind and third parties integral to the stability of the financial system itself are managed effectively, particularly those outside the sphere of the financial services supervisory authorities.

Financial institutions often have third party service providers of data and services who are based throughout the world. Moreover, these service providers have typically provided high-value, time-sensitive information that must be provided regardless of commercial or operational challenges. As financial services firms have continued to evolve their business models to deliver their products and services in a more cost-effective manner or through digitally enabled means, the use of third parties has evolved and become more prominent.

Regulation related to the use of outsourcing and third parties, as with any regulation, is part of ensuring the safety and soundness of the financial system and protecting end customers. Supervisory authorities across the globe aim to put a clear set of rules in place for financial services firms in order for all these firms to manage outsourcing and third party risk consistently. What we have seen in the past few years is a plethora of new regulatory requirements, discussion papers and consultation papers from supervisory authorities across the globe. This demonstrates the level of concern that regulators have in relation to risk of third party provided services and this focus doesn’t appear to be abating with incoming requirements likely from the Monetary Authority of Singapore and the ICT third party provider requirements through the EC’s DORA, as examples.

How can organisations align regulation across geographies?

Commonality exists across requirements set by each supervisory authority albeit with varying levels of nuances applied specifically by each supervisory authority. Significant movement in relation to third party specific regulations and indirect requirements through new operational resilience papers has been experienced throughout the past 24 months. Unfortunately, supervisory authorities have been moving at different speeds and some of the additional requirements set out in new or revised regulatory requirements mean significant changes to existing processes, roles, governance, reporting, systems and operating models. In response to these there are a few lessons I have found that prevent having to work harder to just stay on top of a constantly changing environment:

• Create your baseline for what you want to apply globally. Usually you may want to consider your ‘home supervisory authority’ as the baseline, but in the case of ours we used the UK as our baseline (not our home supervisory authority). You cannot apply everything globally as this is just not sustainable or even achievable, so you have to distinguish what you will only apply locally, but this has to be offset with the fact that the more ‘if’ statements you apply (if this legal entity impacted then this rule applies) the more complex the process becomes and your contract managers/ relationship managers become more confused and frustrated
• Predict which new regulatory requirements are likely to be implemented by other regulators. Build your framework for the future, not just for now. New regulatory requirements, such as a focus on all third parties and not just those meeting the definition of outsourcing, may only be expected by one or two of your key regulators today, but this will likely be quickly expanded in the next couple of years. Typically a project / programme of work is created to address new/emerging regulatory requirements as they are released and the temptation (because it is the easiest approach, at least short term) is to implement this for the entities/jurisdiction affected. Bite the bullet and ensure the likely common requirements are implemented globally
• Ensure your governance, operating model and policy/procedure enables effective management of regulations. All changes to processes, roles, systems etc. should be reviewed against the baseline and go through a central team responsible for managing any regulatory changes. This prevents local teams from implementing additional controls in isolation and creating a myriad of complex processes.

How can organisations implement regulatory framework effectively?

Each organisation is different, but a starting point for me is to look at other set-ups within your organisation and steal with pride. Typically, third party risk teams are relatively new in organisational terms and other teams have been around for much longer, so speak to them and find out why they have set up in the way they have, find out how they manage regulation across the same business divisions and organisational silos that the third party risk function is going to have to navigate.

As previously mentioned, that regulatory baseline and establishment of key controls controlling any change to the process, systems, roles etc. is key. Ensure that any changes to process, roles etc. as a result of regulation have to go through risk/operating forums for the appropriate challenge.

Ensure linkage is created with the relevant regulatory or Compliance teams who is responsible for any kind of firm-wide regulatory tracking. Set up the regulatory baseline using the core components of a third party risk framework and complete detailed assessments against the baseline each time new regulations, discussion papers or consultation papers are released. Utilise your second line to review and challenge each review and leverage key committees to communicate gaps and required remediation.

How can organisations begin to prepare for the implications of the German Supply Chain Act?

On 11 June 2021 the Bundestag passed the Supply Chain Due Diligence Act, which imposes obligations on companies in all industries that source products and/or services from developing and emerging countries. The legislation sets out human rights and environmental requirements with violations potentially resulting in considerable liability for firms and individuals.

The legislation will enter into force on 1 January 2023 and applies to any company having a subsidiary, joint venture or a branch in Germany and applies to those organisations with over 3000 headcount until 2024 and over 1000 headcount thereafter.

The maturity of an organisation’s ESG framework and its application to the supply chain will determine the extent of activity that needs to be applied to comply with the requirements, but largely the following would need to be considered:

• Assessment of the environmental and human rights risks (inherent risk) to determine which goods and/or services (broken down by third party categories) pose the biggest risks, what existing processes, controls, governance and reporting already exist to determine the remaining residual risk, whether the current ESG policy or modern slavery policies provide sufficient provision for addressing the requirements and what remaining gaps exist within these policies and any associated processes and controls
• Locations of goods and/or services need to be understood for existing arrangements, which should already have been identified as part of an existing third party risk framework. Controls should be established to ensure environmental and human rights risks can be identified at onboarding and changes to this risk profile identified throughout the relationship. Review of whether due diligence requires additional considerations as part of existing AML and related financial crime compliance assessments
• Review existing contract templates for additional contractual provisions that will be required to be incorporated. This should be followed by review of existing contracts against the additional contractual obligations and, on a risk proportionate basis determine which contracts may need to be renegotiated with the new contractual provisions

Future fluidity of the requirements should be considered and so an effective monitoring and review mechanism should be established to incorporate these changes as and when they take place

What impact will Digital Operational Regulatory Act (DORA) have on an organisation’s supply chain management?

The DORA is seeking harmonise digital resilience in the European Union through the introduction of specific and often highly prescriptive requirements as it was felt that the absence of detailed and comprehensive rules on digital operational resilience at EU level was leading to a proliferation of uncoordinated national regulatory initiatives. The implementation period is yet to be finalised, but a working assumption is a 24 month implementation period. Although DORA will bring new specific requirements the premise is based on developing further existing guidelines such as the EBA’s Guidelines on Outsourcing Arrangements and Guidelines on ICT and Security Risk Management and the MFSA’s Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements, as well as many other regulations and industry-set guidelines and recommendations.

In terms of impact, this is likely to depend upon organisations’ current compliance status against other areas, but the additional requirements can be grouped into:

• ICT risk management – focus has been placed on identification of critical assets in relation to processes that they support, understanding of their location/where they are hosted and set up of prevention, detection, response and recovery mechanisms related to these critical assets. Much of this understanding may have come from work conducted for the PRA, but depending on scope this is likely only to have been conducted on PRA regulated entities.
• Incident reporting – Reporting of ‘major’ incidents to supervisory authorities is obligatory using standardised templates, procedures and criteria. This will require initial, intermediate and final reports to be submitted to supervisory authorities and informing of users and clients where the incident has or may have an impact on their financial interests. Some of these incident reporting requirements may be difficult to achieve for some organisations and may require additional information to be captured.
• Resilience testing – the increased requirements regarding conducting of threat led penetration testing for those tools and systems identified by supervisory authorities as ‘significant’ and ‘cyber mature’ may require significantly increased testing within the organisation, but is likely to require the involvement of third parties either directly or indirectly. The concept of ‘proportionality’, that is applied throughout will be particularly pertinent here.
• ICT third party risk – These requirements focus on more than just outsourcing which may require firms to reconsider the scope of their third party risk management programs/functions to also accommodate ICT third party risk. As with the PRA requirements, focus on those third parties not deemed outsourcing may need to be expanded beyond those identified supporting legal entities regulated by the PRA. This will include expansion of third parties in scope for exit planning, key contractual provisions (e.g. guarantees for access, reporting obligations of the third party, inspection and audit by supervisory authorities etc.) and performance targets. As with proposals by HMT, DORA seeks to bring ‘non financial services’ firms under the regulatory oversight framework.
• Information Sharing – DORA ‘allows’ financial entities to set-up arrangements to exchange amongst themselves cyber threat information and intelligence.

Richard Mapes will be speaking at our upcoming Vendor & Third Party Risk Summit, taking place on November 15-16 at the Leonardo Royal Hotel London City