Estimated reading time: 5 minutes
What is a “critical third party”?
Third-party integrations are everywhere. Think about how you can now pay using apps on your phone, access loans from non-banks and get in touch with virtual customer services for your bank or building society.
Third parties are a genius way for FinTechs to increase their offerings – but working with them also increases risk. With increased exposure to threats, critical third parties have not been appropriately regulated in order to protect financial institutions and their customers.
It’s been recognised that leaving third-party risk management up to the financial institutions has caused a significant strain on resources through the supply chain. So, supervisory authorities have turned their attention towards how they designate a critical third party, and how to successfully regulate third party services to minimise the impact of threats.
What are third parties?
Critical third parties are external businesses that team up with financial institutions. Usually, it’s because the third parties have the technology suite to offer something innovative to the bank’s customers, and the bank itself does not.
But in order to work together, sensitive information must be shared between the organisations. Most third parties do not have to comply with regulatory requirements – this is the weak point where the entire system is exposed to threats such as cyber-attacks.
Current regulations for information sharing
General data protection regulation (GDPR) is European legislation based on how to correctly collect and store personal information. There are ‘data controllers’ and ‘data processors.’ Controllers collect and use the data and are mainly free from regulation. Processors must maintain the integrity of the data while processing the data on behalf of the controller and are subject to GDPR.
Brazil’s financial regulators have their version of the data protection regulation, Lei Gerai de Protecao de dados Pessoais. Similarly, individual states in the US have followed suit, with both Colorado and California passing consumer privacy acts. Each of these regulations aims to protect consumers by preventing improper data sharing.
The digital operational resilience act (DORA) goes one step further to actually regulate critical third-party providers (CTPPs). Only those who deal with information communication technology (ICT) fall under the regulation, with the designation of protective measures against cyber risk.
Why do critical third parties need to face stricter regulations?
The current vendor risk when working with third-party services has been deemed too large for any financial firm to manage. There are calls for industry-wide changes to reduce these risks in a blanket approach.
There are two types of risks affected by third-party activities: systematic and unsystematic.
The systematic risks apply across the industry, with the most prominent being a threat to financial stability. If the services of a single third party are compromised, it could affect multiple financial institutions and millions of customers, completely changing the course of the economy. Moreover, threats to market integrity are not currently managed by any agreed ‘best practices,’ which means that some financial services could be more exposed than others. This only expands third-party risk to consumers.
Individually, firms have traditionally been tasked with maintaining governance, testing and dependency on third parties, but where each organisation implements different measures, critical scenarios may be missed. This leads to unidentified points of failure within third-party operations and unknown risks. While some regulations, like DORA, aim to regulate critical third parties, not all third parties would fall under these regulations. The gaps leave dangerous room for cyber threats.
Proposed criteria for designating critical third parties
There are two factors to this criteria:
Materiality refers to the documents and information that CTPs interact with. If there were to be a breach, is that information essential to the financial stability of the economy?
Concentration refers to the number of financial institutions that each CTP is integrated with. Do you work with multiple firms, or just one? It’s clearer to designate a CTP if the third-party works with five financial services firms, for example.
While it’s still a little unclear on the exact requirements to be a designated critical third party, if your company is on the higher end for either of these factors, be prepared to make some risk management changes to comply.
Prospective regulatory changes
Although the discussion paper was released on August 1st 2022, potential measures are expected to be introduced into the UK finance world around December 2022.
It’s likely that after being designated as a CTP, there will be a minimum standard for operational resilience. This will include stress testing against particular scenarios in the finance sector, for example, cyber threats.
We also expect to see the appointment of skilled persons to act as external auditors and complete vendor assessments for third parties. External auditors would focus on three factors for review:
- Aggregation risk: what is the range of services and how dependent are financial institutions?
- Substitutability: can these services be easily interchanged with another service provider in case of an issue?
- Survivability: how easy would it be for financial institutions to operate at a normal level without a third party?
And in the case that potential failures are found, there would likely be severe consequences.
With the aim to create industry-wide operational resilience standards, many third parties have a long way to go in order to match the regulated firms. But CUBE was built to help exactly that. With an arsenal of industry-leading AI in your pocket, financial entities and third parties alike can simplify complex, multi-jurisdictional regulatory content.
If you’re struggling to keep up with the pace of regulatory change, we’d love to hear from you.