
5 DORA compliance challenges when partnering with third parties

Article
01 May 2024
By Jennie Clarke

“Dependency on ICT providers and inability to easily replace the services offered by them is an operational challenge”, Jose Manuel Campa (Chair of the European Banking Authority) explained back in October 2023.

And that’s not the only demand. The DORA EU Regulation requires a significant digital transformation for financial entities themselves, but it’s ensuring that third party critical providers are compliant that might become the biggest challenge.

Rob Mason, Director of Regulatory Intelligence at Global Relay, has over twenty years’ experience on both the compliance and enforcement sides of regulation. He explains that the five biggest considerations for DORA-compliant financial services firms using third party service providers are:

  1. Vendor assessment
  2. Reducing overall third party reliance
  3. Data security
  4. Service scalability
  5. Onboarding new vendors

Vendor assessment

Third party due diligence is a key pillar of the DORA legislation, with Chapter V of the text titled Managing of ICT Third Party Risk.

The general principle requires potential new vendors to undergo a risk assessment, and the institutions themselves must create standard internal procedures. Similar to Know Your Vendor, it aims to distance and protect the security of institutions (and their data), even if a third party becomes compromised.

For example, Citigroup was one of many banks to pull out of Russia after the Ukraine war began. The bank lost out on approximately $3 billion because of the move – and yet this enabled the organization to reduce overall risk by cutting their ties with Russian vendors. 

Although the rapidly changing geopolitical landscape makes these things hard to predict, financial sanctions quickly followed, proving that this was the right decision. However, this instability means that performing a comprehensive vendor assessment in the financial sector could be challenging as we enter the DORA enforcement period. 

So, what could make the third party vendor assessment process easier and better meet DORA requirements?

  • Open channels of communication: let’s not make this any harder than it needs to be. A collaborative and open approach is needed so that you can get the right information from third parties to properly assess them. Make it easy to ask for with an open comms channel, and just as easy for your third parties to get in touch if they have any issues in delivering it.
  • Clear expectations: just because you’re familiar with DORA doesn’t mean your third parties are (which is another challenge in itself). That’s why clear expectations, and the appropriate ICT incident documentation, are essential when assessing a new vendor.
  • Automation: many of the DORA due diligence measures can be automated, without the need to go back and forth with a human contact. Save time by integrating data from forms into your vendor database, for example, or by validating company and bank details with an automated software program.
  • Best practices: a set of best practice documents can let vendors know what needs to change in order to meet your due diligence standards and protect against cyber threats. If there is only a small level of risk within their systems, this proactive approach can enable vendors to quickly operate at your level of standards.

By taking these measures and performing a thorough risk assessment for each potential vendor, financial firms can ensure they comply with DORA’s rigorous due diligence framework. By identifying any vulnerabilities ahead of time, institutions can also increase their confidence levels in third parties, and as such, boost their own data protection and operational resilience.      

Reducing overall third party reliance

Reducing reliance is a challenge in itself, because the cyber, data and operational risks of each critical ICT provider must be defined, highlighting exactly how many ways in which your financial institution may be compromised.

But business continuity must be the number one priority. The key to reducing the potential points of failure is therefore to rely on fewer third parties to cover more services.

Rob explains it best by using Global Relay’s suite of products as an example:

“If you’ve got a suspicion of market abuse, for example, our tools could initially help to identify that abuse. Then, by integrating the other tools in Global Relay’s kit, you could put together a case, which can be securely transferred through the various stages of the investigation. For example, it can travel straight to a regulator or enforcement body, without ever leaving the system.  

The key distinction about Global Relay is the bolting together of those services. Fundamentally, you can monitor communications, which get automatically added into the archive. And if you need to access them again, they’ll go seamlessly into the e-discovery trail, ready to be made available”.

Reliance on a single third party to facilitate each of these services means that fraudsters have fewer opportunities to penetrate ICT systems in financial companies. Similarly, there are fewer vulnerabilities to protect, ensuring that resources aren’t spread thin and instead applied liberally to safeguard anything left exposed.

Data security

The recent ICBC hack makes it obvious that data security is a huge challenge for institutions in the financial services industry. The International and Commercial Bank of China became compromised in November 2023 after ransomware attacked its systems. The fallout included a $9 billion capital injection, alongside a complete disconnection of their systems in order to avoid contagion.

At this point, it’s unclear whether trade secrets or even customer information were accessed. What is clear, however, is that the likes of DORA and other regulations were introduced specifically to prevent catastrophic data security incidents like this in Europe. 

Ensuring that data remains secure with an ICT third party provider is therefore a huge challenge for financial institutions to overcome, especially when working with external partners.

There are three factors for financial services firms to consider around the challenge of third party data security under DORA regulation:

  1. Prevention: What technical standards do you mandate across each ICT service provider to secure the storage and transfer of data? How can you identify deviations from such mandates and get things back on track?
  2. Detection: What measures have you put in place across partners to ensure that data security is monitored? How can financial service facilitators automate the flagging of suspicious activity to ensure that no time is wasted before a response is planned?
  3. Response: How soon should a compromised third party cut the cord with their external partners in order to protect others against the same danger? How would this limit your operations, and what contingency plans are in place?

Scalability of services

Not quite so obvious from the regulation itself, but a financial entity must consider the scalability of merchant services before they sign on the dotted line. As part of operational resilience, financial organizations must ensure that their services and access levels remain continuous even when there is a surge of new customers.

Scalability and operational resilience are therefore inherently linked. 

And considering the large extent of resources invested into third party services, it’s important to think about scalability even when there’s no immediate need. Treating this factor like an afterthought means that it will inevitably present as a challenge later down the line.

One recommendation is that scalability is considered as part of your vendor risk assessment. Investigating the following platform features, and their scalability, could ensure that when the time comes, both your company and the third party are ready to grow:

  • Data integration: does confidential information flow securely from one digital location to another?
  • Scope: as you grow, will the platform be able to serve as many customers as required at once?
  • Quality: is there the same level of security, support and fulfilment of customer needs after a jump in customer acquisition?

For example, Rob tells us about an upcoming data transfer for a Global Relay client which will require the safe and secure transport of more than 10 petabytes of data. That’s the digital equivalent to 10 million tall filing cabinets! 

What’s important to note is that this isn’t the first secure data transfer for this client, but it is the first one at this scale. Imagine if the client had opted for a competitor who could manage the smaller transfers, but realized too late that the 10 petabytes would be impossible. Not only would the client have wasted the onboarding time and costs, but they’d be back to square one looking for a new third party. 

Enter: more vendor due diligence, negotiations, security and scalability checks… the list goes on. For tier one banks in particular, this type of scalability for ongoing communication transfers and monitoring should be a minimum requirement.

Onboarding

As Rob puts it, “onboarding a third party vendor at a tier 1 bank can be painful”. 

His own experience prior to his role at Global Relay saw Rob spending an entire year verifying, integrating and securing a new third party platform before it was comfortable to use on a daily basis.

With DORA’s heavy focus on third party risk management, incumbents can’t avoid the time they spend performing full due diligence checks. And as markets and technologies evolve, so will the need for new partnerships within the financial services sector. 

So how can you beat the onboarding problem?

Well, Rob offers a straightforward solution: opting for an established and trustworthy vendor that has done it all before.

While new wave startups might have some brilliant ideas, many have never before had to adhere to ICT risk management frameworks or resilience testing.  

Rob says, “DORA compliance is going to take some real heavy lifting for smaller firms of 50-100 employees. Fortunately at Global Relay, we’re already fundamentally compliant with the regulations. The only new requirement that we’re having to get to grips with is the reporting itself, as we’ve not had to directly report to a regulator before”.

Endorsed firms like Global Relay not only have a twenty-five year history within the industry, but also continuously iterate, bringing the latest developments in communication monitoring to their clients. Expect simple and compliant onboarding practices, with open channels of communication for support, and a perfect record of zero cyber outages.

Partner with Global Relay to tame the DORA third party challenges

MiFID II equips EU financial firms with a robust framework to navigate the complexities of financial regulation. By adhering to its principles of investor protection, fair market practices, and best execution, firms not only comply with regulations but also contribute to a more secure and trustworthy financial environment within the EU. While MiFID II’s intricacies demand a strategic approach, the resulting benefits foster confidence and stability for both firms and investors.
