The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
Richard Mapes, Director, Compliance and Operational Risk, UBS
Effective management of third party provided services is vital to ensuring financial services institutions continue to meet their obligations with end customers, third parties act with the customer in mind and third parties integral to the stability of the financial system itself are managed effectively, particularly those outside the sphere of the financial services supervisory authorities.
Financial institutions often have third party service providers of data and services who are based throughout the world. Moreover, these service providers have typically provided high-value, time-sensitive information that must be provided regardless of commercial or operational challenges. As financial services firms have continued to evolve their business models to deliver their products and services in a more cost-effective manner or through digitally enabled means, the use of third parties has evolved and become more prominent.
Regulation related to the use of outsourcing and third parties, as with any regulation, is part of ensuring the safety and soundness of the financial system and protecting end customers. Supervisory authorities across the globe aim to put a clear set of rules in place for financial services firms in order for all these firms to manage outsourcing and third party risk consistently. What we have seen in the past few years is a plethora of new regulatory requirements, discussion papers and consultation papers from supervisory authorities across the globe. This demonstrates the level of concern that regulators have in relation to risk of third party provided services and this focus doesn’t appear to be abating with incoming requirements likely from the Monetary Authority of Singapore and the ICT third party provider requirements through the EC’s DORA, as examples.
Commonality exists across requirements set by each supervisory authority albeit with varying levels of nuances applied specifically by each supervisory authority. Significant movement in relation to third party specific regulations and indirect requirements through new operational resilience papers has been experienced throughout the past 24 months. Unfortunately, supervisory authorities have been moving at different speeds and some of the additional requirements set out in new or revised regulatory requirements mean significant changes to existing processes, roles, governance, reporting, systems and operating models. In response to these there are a few lessons I have found that prevent having to work harder to just stay on top of a constantly changing environment:
Each organisation is different, but a starting point for me is to look at other set-ups within your organisation and steal with pride. Typically, third party risk teams are relatively new in organisational terms and other teams have been around for much longer, so speak to them and find out why they have set up in the way they have, find out how they manage regulation across the same business divisions and organisational silos that the third party risk function is going to have to navigate.
As previously mentioned, that regulatory baseline and establishment of key controls controlling any change to the process, systems, roles etc. is key. Ensure that any changes to process, roles etc. as a result of regulation have to go through risk/operating forums for the appropriate challenge.
Ensure linkage is created with the relevant regulatory or Compliance teams who is responsible for any kind of firm-wide regulatory tracking. Set up the regulatory baseline using the core components of a third party risk framework and complete detailed assessments against the baseline each time new regulations, discussion papers or consultation papers are released. Utilise your second line to review and challenge each review and leverage key committees to communicate gaps and required remediation.
On 11 June 2021 the Bundestag passed the Supply Chain Due Diligence Act, which imposes obligations on companies in all industries that source products and/or services from developing and emerging countries. The legislation sets out human rights and environmental requirements with violations potentially resulting in considerable liability for firms and individuals.
The legislation will enter into force on 1 January 2023 and applies to any company having a subsidiary, joint venture or a branch in Germany and applies to those organisations with over 3000 headcount until 2024 and over 1000 headcount thereafter.
The maturity of an organisation’s ESG framework and its application to the supply chain will determine the extent of activity that needs to be applied to comply with the requirements, but largely the following would need to be considered:
Future fluidity of the requirements should be considered and so an effective monitoring and review mechanism should be established to incorporate these changes as and when they take place
The DORA is seeking harmonise digital resilience in the European Union through the introduction of specific and often highly prescriptive requirements as it was felt that the absence of detailed and comprehensive rules on digital operational resilience at EU level was leading to a proliferation of uncoordinated national regulatory initiatives. The implementation period is yet to be finalised, but a working assumption is a 24 month implementation period. Although DORA will bring new specific requirements the premise is based on developing further existing guidelines such as the EBA’s Guidelines on Outsourcing Arrangements and Guidelines on ICT and Security Risk Management and the MFSA’s Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements, as well as many other regulations and industry-set guidelines and recommendations.
In terms of impact, this is likely to depend upon organisations’ current compliance status against other areas, but the additional requirements can be grouped into:
Richard Mapes will be speaking at our upcoming Vendor & Third Party Risk Summit, taking place on November 15-16 at the Leonardo Royal Hotel London City
You may also be interested in…
Have you made your free account?