Maxvia Associés

Navigating the EU DORA Directive: Strategic Implications for Third-Party Financial Service Providers

Despite what one might think, outsourcing key processes in order to run an organization effectively is not a new phenomenon. Historically, even ancient Rome outsourced its defense to allied tribes known as the Foederati. More recently, the Allied troops during World War I made heavy use of outsourced logistics for food and ammunition supply. However, outsourcing inevitably introduces certain risks. The use of third parties, while cost-effective, increases the risk surface of an organization. Without appropriate oversight, third parties can become liabilities, as the Romans and the Allied forces would find out. More recently, many global organizations have learned that lesson painfully through third-party breaches and vulnerabilities. It is perhaps for that reason that many jurisdictions have, in the last three years, issued stricter third-party oversight regulations and guidelines. This is the case for the Federal Reserve in the US, OSFI in Canada, and the Monetary Authority of Singapore. But one such regulation stands out: the Digital Operational Resilience Act (DORA) of the European Union.

Lessons from DORA

Through an intricate oversight framework, DORA gives the three European Supervisory Authorities (ESAs), namely the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), the authority to directly oversee critical technology third parties that provide services to financial institutions operating in the Union. Third parties are deemed critical based on the systemic impact their disruptions would have on the financial sector. Other factors include how heavily financial entities rely on these services and how easily the providers can be replaced. By the end of this year, those designated third parties will be subject to direct scrutiny from the European authorities. This is an interesting development, as financial regulators generally delegate the oversight of third parties to financial institutions. It seems the European financial regulators want more involvement in the third-party oversight process, but to what extent?

Areas of Oversight

Each European Supervisory Authority (ESA), acting as Lead Overseer (LO), will oversee specific designated Critical Third-Party Providers (CTPPs). According to Article 33 of DORA, the LO is to assess whether the designated third parties it oversees have comprehensive procedures to manage the ICT risks they may pose to the financial sector. Among other criteria, the assessment of CTPPs is to focus on the security, availability, continuity, scalability and quality of services. Specific areas of oversight include physical security, business continuity and disaster recovery policies and practices, ICT risk governance, and incident monitoring and reporting. Other areas of oversight include the mechanisms for data and application portability, to ensure that financial institutions of the Union can effectively exercise their contractual termination rights. The testing of ICT systems and the use of relevant national and international standards will also be closely monitored by the lead overseers. This oversight framework is quite comprehensive, but what about its applicability?

Powers of the Overseers

The powers of the financial regulatory overseers of Critical Third-Party Providers (CTPPs) are quite extensive. The European Supervisory Authorities (ESAs) have the authority to directly request information and documentation from CTPPs. This includes business and operational documents, contracts, policies, and audit and incident reports. They may conduct investigations and inspections at the CTPP's sites. They may summon CTPP representatives for oral or written explanations and request records of telephone and data traffic. They may issue recommendations on the use of specific security requirements and on subcontracting activities. Most importantly, the ESAs have the power to impose financial penalties on CTPPs in case of non-compliance with their recommendations. Such penalties are to be disclosed publicly. Furthermore, subject to certain conditions, the ESAs may choose to conduct inspections even at third-party sites located outside the Union if such sites are used to provide services to Union financial entities.

Conclusion

In the last three years, financial regulators in many jurisdictions have published measures and guidelines aimed at strengthening the oversight of third-party service providers to financial institutions. The European authorities have gone even further by giving their financial regulators broad powers to directly oversee critical technology providers to financial institutions operating in the Union. Such a development might lead one to speculate that other regulators will follow suit. In fact, the United Kingdom already has a similar regulation in place. It is, therefore, safe to presume that service providers to financial institutions in all jurisdictions should expect more scrutiny from financial regulators in the years to come. As we learn from history, a lack of third-party governance and oversight can only end in disaster. The Foederati system mentioned earlier eventually led to the fall of the Western Roman Empire. The logistical failures of the Gallipoli campaign resulted in approximately 250,000 Allied casualties during World War I. As is often said, an organization is only as strong as its weakest link. As regulatory landscapes evolve, service providers must proactively enhance their resilience and compliance frameworks to remain competitive and secure.
