The increasing reliance on third-party service providers, particularly cloud service providers (CSPs), has prompted regulators worldwide to implement measures addressing the associated risks. A Deloitte survey indicates that 88% of respondents expect moderate to high dependence on CSPs in the coming years. This growing dependency, especially in the financial services sector, has driven regulatory interventions aimed at mitigating operational and systemic risks.
Here is a summary of key regulations from major markets:
Operational Resilience Regulations in the U.K.
The U.K.’s financial and prudential regulators introduced operational resilience regulations in the late 2010s, though their implementation was delayed due to the COVID-19 pandemic. These regulations require financial entities to:
- Map critical business services.
- Test their ability to stay within established impact tolerances.
These requirements extend to third-party providers, ensuring entities can accurately assess their operational resilience, even when services are outsourced.
The Digital Operational Resilience Act (DORA) in the EU
DORA is an EU-wide regulation aimed at enhancing the financial sector’s resilience against risks posed by information and communication technology (ICT) third-party providers. It mandates that financial entities:
- Develop and regularly review strategies for managing ICT third-party risks.
- Integrate these strategies into their broader ICT risk management frameworks.
This regulation addresses concerns about systemic and concentration risks associated with ICT dependencies.
U.S. Sound Practices to Strengthen Operational Resilience
U.S. regulators have also responded to the growing reliance on third-party providers. The Sound Practices to Strengthen Operational Resilience compile existing guidelines to aid financial institutions in managing third-party risks. Key requirements include:
- Identifying and analyzing third-party risks for critical operations and business lines.
- Prioritizing significant dependencies and implementing measures to manage and mitigate these risks.
- Regularly reviewing reports on systems, controls, and test results of third-party providers.
APRA CPS 230 in Australia
The Australian Prudential Regulation Authority (APRA) introduced CPS 230, a prudential standard focused on managing operational risks in the banking, insurance, and superannuation sectors. The standard establishes minimum requirements for managing service providers, including:
- Developing a comprehensive service provider management policy.
- Identifying material service providers and managing associated risks.
Conclusion
As the reliance on third-party providers grows, regulators across different regions are enforcing measures to strengthen operational and digital resilience. These regulations emphasize the need for robust risk management strategies to navigate the evolving landscape effectively.