Understanding RTS for Third-Party Risk Management

Regulation (EU) 2022/2554

In June 2023, the first wave of Draft RTS (Regulatory Technical Standards) and ITS (Implementing Technical Standards) was published by the European Supervisory Authorities. The objective of these additional Policy Products is to provide detailed specifications and guidelines on how certain provisions of the underlying legislative act should be implemented across the EU.

The first batch of Policy Products, published as drafts for consultation, consists of:

  • RTS to specify the policy on ICT services performed by ICT third-party providers (Article 28(10))
  • RTS on criteria for the classification of ICT-related incidents (Article 18(3))
  • ITS to establish the templates for the register of information (Art.28(9))
  • RTS on ICT risk management framework (Article 15) and RTS on simplified ICT risk management framework (Article 16(3))
Let’s dive deeper into the contents of the RTS specifying the policy on ICT services performed by ICT third-party providers.

RTS on ICT third-party provider management

The financial industry has become increasingly dependent on information and communication technology (ICT) service providers for various business functions.
One of the foremost regulatory goals of DORA is the assessment and ongoing monitoring of the risks arising from those business relationships.
The RTS sets out guidelines and requirements that financial institutions (FIs) must adhere to when engaging ICT third-party service providers (TPS).

The DORA regulation (Article 28(2)) states that financial entities should:

  • perform regular reviews of their strategy for using third-party ICT providers.
  • take into consideration the crucial ICT services that are supported by those providers.

On top of this, the RTS establishes the following set of principles for a TPS policy:

  • Consistent and coherent application within the group and its subsidiaries.
  • Definition of a review frequency to monitor ICT risk.
  • Designation of an internal representative responsible for managing ICT-related risks.
  • Focus on risks for the entire life cycle of ICT contract management (including due diligence, change management).
  • Evaluation criteria for ICT third-party service provider (e.g., business reputation, technical resources, information security posture, governance, internal controls).
  • Rights to inspection, access to information and termination process.

Risk Considerations

Supporting Critical Functions by ICT Third-Party Service Providers
  • The ICT policy should clearly assign the responsibilities for the approval, management, control, and documentation of the relevant contractual arrangements.
  • Ensure that appropriate skills, experience, and knowledge are maintained for effective oversight.

The ICT policy should include:

  • Documented exit plans for TPS, including their review and testing. Possible service interruptions, failed delivery, or unexpected termination of contracts should also be considered.

Inspections and audits can be conducted by FIs through the following methods:

  • Own internal audit or an appointed third party.
  • Pooled audits and pooled ICT testing, including threat-led penetration testing.
  • Third-party certifications and third-party or internal audit reports made available by the ICT TPS.

Life Cycle - ICT Services

  • Involvement of business and internal units in contracting ICT services from TPS for critical functions.

The following factors should be assessed, at a minimum, before entering into a formal contract with an ICT TPS:

  • Business reputation, capability, competency, adequate financial, human and technical resources, information security standards, appropriate governance structure, authorised service provider status, cyber resilience, and adequate BCP/DR.
  • Existing or planned material services provided by ICT sub-contractors.
  • Operational and reputational risks, and the impact of sanctions, on effective service delivery by the service provider.
  • Access to audits, certifications, and public information, including the right to audit and its exercise.
  • Adherence to environmental protection and human and children’s rights.
  • KPIs for monitoring the ICT service provider should be defined in the policy.
  • Monitoring of compliance with regulations pertaining to the confidentiality, integrity, availability (CIA) and authenticity of data and information.

Conclusion, Challenges and Support

RTS Conclusion

The relationship between the financial sector and third-party ICT service providers is a significant area that requires special attention when implementing DORA. The RTS therefore requires a strategy and policy that:

  • be proportionate to the size, nature, scale and complexity of the financial entity and the criticality of the functions supported by the ICT services provided by the third-party service provider,
  • be integrated into the overall risk management framework of the financial entity,
  • include a risk assessment of the ICT third-party service provider,
  • include a due diligence process for selecting an ICT third-party service provider,
  • include provisions for monitoring and reviewing the performance of the ICT third-party service provider, and
  • include provisions for terminating or replacing an ICT third-party service provider.

Challenges

The following are common challenges faced by the financial sector when implementing the RTS for ICT third-party risk management:

  • Co-operation with the competent authorities (e.g. US-based entities)
  • Effective access to data and premises for FIs, Auditors and Competent Authorities
  • Frequent changes in regulatory requirements
  • Scalability
  • Costs
  • Change management
  • Compatibility issues
  • Data privacy
  • Information Security requirements
  • Capacity Management

How BDO can help

The RTS addresses the complete life cycle of ICT third-party risks.

The continuous growth in threats and unanticipated occurrences has prompted businesses to prepare for such disasters, which often emerge as a result of weaknesses in governance, pitfalls in strategy, and gaps in risk identification and mitigation.

We are a team of certified professionals with roots in the EU and a global presence who can assist with any problem organisations may face.

We have dedicated IT, Audit, Advisory, Cyber Security and Risk Management teams who can support you in resolving governance, security, business continuity, and disaster recovery issues.