Are your third parties operationally resilient? Key considerations for UK firms

On July 21, 2022, the UK’s Bank of England (BoE), in partnership with the Financial Conduct Authority (FCA), published DP3/22 – Operational resilience: Critical third parties for the UK financial sector. The Discussion Paper notes that financial institutions “increasingly rely upon third-party services to support their operations”. These third parties offer myriad benefits, not least that in many instances these third parties provide “greater resilience than firms’ own technology infrastructure”.

However, as with all technology, this reliance on third parties has also exposed some firms to increased risk – take the recent fine against TSB, for example, where they received a £48 million fine for failures in managing the operational resilience of third parties in a mass data migration.

The UK Discussion Paper therefore looks to establish a framework which would:

1. Allow supervisory authorities to identify potential critical third parties (CTPs),

2. Set minimum resilience standards for CTPs in respect of the material services they provide to firms; and

3. Create a range of tools for the testing of operational resilience within CTPs and the services they provide.

The Discussion Paper closed to responses on December 23, 2022, with regulators set to consult on new requirements and expectations this year. In that interim period, the focus on operational resilience for third parties is a key priority for many financial organizations. New regulatory obligations are clearly on the horizon, especially given the implementation of the Digital Operational Resilience Act (DORA) in the EU.

With that in mind, we’ve set out five key considerations that should be front of mind when onboarding or selecting a third-party vendor for material services:

1. Does your third party have the requisite experience?

A key feature in the downfall of TSB’s data migration was that the service provider they selected to carry out the migration project had, according to the FCA, “no experience of managing service delivery from a large number of UK subcontractors”. This inexperience ultimately led to a series of failures which, again owing to inexperience, took a protracted amount of time to fix.

When engaging with a third-party vendor, especially one that will deliver critical services, you should look at their experience of successfully completing similar projects. If possible, speak to other clients to establish what their experience was. Did the project run as expected? Were there unexpected hurdles along the way? If your project is a large, important one, you do not want to be a test-case for a fledgling third-party organization. 

2. Is the third party financially sound?

Financial soundness may or may not be linked to experience, but should be considered in isolation. It is important to establish early on whether your selected third party has the financial stability and resources available to complete your project to a high standard.

At a recent EY FinTech Breakfast, ex-FCA Chair Chris Woolard noted that it is key to look at a third party’s financial credentials, because their financial failings could have significant ramifications for the success of your project. As well as establishing whether they have the necessary funds and resources, also consider whether they are currently seeking investment, looking to go public, or entering new funding rounds. All of these factors could have implications for how, and how well, the third party can deliver a service.

3. Does your third party rely on subsequent third parties to deliver, and how strong is that reliance?

The interesting fact about third parties is that some rely heavily on their own third parties to deliver a service. In the aforementioned case of TSB, for instance, TSB unwittingly entered into an indirect relationship with 85 fourth parties (the third parties of TSB’s third party).

When third, fourth, and fifth-party nets become too wide, gaps start to appear – as do risks. In the event that your project fails, this can lead to a lot of administrative effort to establish 1) where the problem occurred and 2) how to repair the breakage. Ask potential third party providers how they are able to deliver their service. Is their third-party net consolidated? Do they build their technology themselves? Do they have a strategy in place in the event that their third parties fail?

4. Is your third party successful and secure?

Although a relatively obvious consideration, the success record of a third party should not be understated. As is often the case, what a company tells you they can deliver, and what they actually deliver, can be at odds. The key to understanding whether a third party will consistently and continuously deliver in an operationally resilient way is to look at their record for success.

In particular, look to understand the third-party’s outage record – does their technology go down a lot? Have they suffered data breaches or security lapses in the past? Do they have certification to show that they are independently accredited? Only by understanding your third party’s success rate, can you be assured that they will be operationally resilient now, and in the future.

5. Is your third party meeting ESG requirements?

If the regulatory landscape has taught us anything over the past three years, it is that regulators expect firms to give serious consideration to environmental, social, and governance (ESG) factors. This extends beyond a firm’s own climate risk management to the risk management of third-party vendors too. After all, there is little merit in implementing policies, procedures, and controls if you then engage third parties who fail to mitigate climate risk.

As regulatory scrutiny for ESG increases, with the likes of the Sustainable Financial Disclosure Regime (SFDR) causing headaches for even the most seasoned regulatory experts, firms should look to mitigate climate-related risk wherever they can. For instance, ask potential third parties about their own policies, procedures, and controls surrounding ESG. Are they exposed to climate risk themselves? And if so, do they have Business Continuity Plans (BCP) in the event of an outage or climate-related disaster? Get ahead of increased regulatory obligation by factoring ESG into your third-party selection criteria.

Global Relay has 23 years of experience in data storage, migration, and eDiscovery. We build our product internally, so your third-party net is consolidated, and we operate a green data center to meet your ESG requirements. As well as this, we hold your hand through the due diligence and onboarding process. If you’re looking for operationally resilient technology, look no further.