A round-up of third-party risk management regulations

  • 26 Jun 2024

The pandemic turbocharged a pre-existing trend toward higher levels of third-party dependence, particularly dependence on cloud-service providers (CSPs) to perform mission-critical tasks. For context, a staggering 88% of Deloitte global survey respondents stated that they expect to have moderate to high levels of dependence on CSPs in the coming years. 

As a result, regulators, particularly in the financial services industry, have been intervening.

Which regulators and which regulations? That’s what this article tackles, summarizing some of the most significant interventions in advanced markets.

Operational resilience: Impact tolerances for important business services

The first in the space, the U.K. financial and prudential regulators issued operational resilience regulations in the late 2010s; their effective date was subsequently delayed due to COVID.

Parsing out these regulations, we find that regulated entities are required to map their important business services and test their ability to remain within impact tolerances for the purposes of building operational resilience. 

Bringing it back to third-party risk, compliance is expected regardless of whether the operational resources are being provided wholly or in part by a third party. 

Indeed, mapping and testing on third parties is necessary, per the statute, for the entity and the supervisor to obtain an accurate understanding of the entity’s level of operational resilience.

The Digital Operational Resilience Act (DORA)

A binding EU regulation on digital operational resilience for the financial sector, DORA addresses potential systemic and concentration risks posed by the financial sector’s reliance on information and communication technology (ICT) third-party providers (TPPs).

Indeed, the very rationale for the regulation came from the clear emergence of ICT third-party risk as a key threat to digital operational resilience.

To regulate third-party risk, therefore, DORA requires entities to adopt and regularly review their ICT third-party risk strategies, as part of the broader ICT risk management framework.

Sound practices to strengthen operational resilience

Like their counterparts in the EU, U.S. regulators have also acknowledged that firms have become increasingly dependent on third parties for business-critical functions – third parties who are themselves vulnerable to disruption.

As a result, the Sound Practices to Strengthen Operational Resilience, which brings together already-existing regulations and guidance to better assist in the development of comprehensive approaches to operational resilience, requires measures like the following to promote the sound management of third-party risk:

  • Identify and analyze third-party risk of critical operations and core business lines 
  • Prioritize third-party dependencies that are most significant and understand, manage, and mitigate risks 
  • Periodically review reports of systems and controls and summaries of test results or other equivalent assessments of third parties

APRA CPS 230

APRA CPS 230 is a relatively new prudential standard designed to strengthen the management of operational risk in the Australian banking, insurance, and superannuation industries. It works by establishing minimum standards for managing operational risk, including updated requirements for service provider management. 

What are the specific requirements for the management of service provider arrangements? 

For one, regulated entities are being asked to maintain a comprehensive service provider management policy. That policy must cover how the entity will identify material service providers and manage service provider arrangements, including the management of material risks associated with the arrangements.

Finally, regulators have cottoned on to the explosion of third-party risk. In the financial services space, they’ve imposed stringent requirements on regulated entities to better understand and manage the third-party risk management lifecycle. 

This article summarizes some – but by no means all – of the regulations. However, what’s clear from even this cursory look is that addressing this new regulatory environment will take robust third-party risk management measures. 

What are some of those best-practice measures? Check out Noggin’s Introductory Guide to Third-Party Risk Management to find out.