Many readers of my posts will have come across the more specific contractual requirements of the EBA Guidelines on Outsourcing, which kick in when suppliers are contracting with EU-based financial services entities. The EBA Guidelines differ from many previous regulatory provisions (such as SYSC in the UK) in the sense that they are (a) not really “guidelines” at all, but rather mandatory, and (b) rather more specific and directional as to the kinds of provisions that any outsourcing agreement falling within their scope would need to contain (eg in relation to termination rights and audit provisions).
Unfortunately (!), it seems that a further and potentially broader set of similar FS-related requirements may be on the way, which would likely impact upon contract negotiations between ICT service providers and any FS entities in Europe, and which would apply to all ICT engagements, not just outsourcing.
The draft Digital Operational Resilience Regulation for FS was published last week: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=COM:2020:595:FIN&rid=1
Much of the draft Regulation goes to the processes, reviews and oversight that a financial institution would be expected to have over the provision of such ICT services, and the assurances to be sought at a practical level as to the level of security/risk associated with them. However, from the point of view of what would need to be included in the underlying contracts, I would flag the following as being of more direct potential impact upon the negotiation process:
Article 17 – imposes an obligation to report “major ICT related incidents”, with specific time frames for reporting to the relevant Competent Authority: without delay and in any event by the end of the business day, or, for an incident occurring within 2 hours of the end of the business day, not more than 4 hours from the start of the next business day. Clearly the financial institution would only be able to comply with such an obligation to the extent that a matching notification obligation had been imposed on the relevant service provider. Note that this includes notification of incidents which “may” have an impact on the financial interests of service users and clients, as well as those which actually have done so.
Article 23 – imposes an obligation to carry out “advanced testing by means of threat led penetration testing” at least once every three years, which must include the service provider’s systems; Article 23(2) says that “where ICT third party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers” (my emphasis). One can accordingly expect to see financial services clients pushing for a more intrusive level of ICT-related audits and tests under this proposed Regulation (despite knowing that allowing pen testing of systems which may be used to support multiple clients is always going to be a contentious issue….!)
Article 25 – this Article gets into more detail as to the contract terms to be included. I would flag the following:
- Sub Article 25(6) states that “Financial Entities may only enter into contractual arrangements with ICT third party service providers that comply with high, appropriate and the latest information security standards”. I can see that being subject to a fair amount of interpretation and debate….!
- Sub Article 25(8) includes some specifically mandated termination rights. These are DIFFERENT to those mandated by section 13.4 of the EBA Guidelines (which were already pretty broad), in particular sub-articles (b) and (c), which read as follows:
(b) circumstances identified throughout the monitoring of ICT third party risk which are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third party service provider
(c) ICT third party service provider’s evidenced weaknesses in its overall ICT risk management and in particular in the way it ensures the security and integrity of confidential, personal or otherwise sensitive data or non personal information
One can see the risk of some potentially subjective decision making by an FS entity in this regard, seeking to justify termination on the basis of relatively minor defaults.
Article 27 – more specifics as to contractual provisions, and again some deviations from what the EBA Guidelines require (in section 13 of the EBA Guidelines). In particular:
- The contract is to be accessible in “one written document”. I wonder how that might be applied to the contract set proposed by the likes of at least one major cloud services provider, which is instead spread across a multitude of separate documents and online terms…!
- A proactive obligation to “without undue delay [take] appropriate corrective actions when agreed service levels are not met”
- An obligation on the service provider to provide assistance in the case of an ICT incident “at no additional cost or at a cost that is determined ex-ante” (ie in advance)
Another key change to be brought in by the Regulation concerns what it says about the specific oversight that the regulators may now have over “Critical Service Providers” (in the draft, “critical ICT third-party service providers”, determined by reference to some pretty broad criteria), and in particular the potential fines for Critical Service Providers. In this regard:
- The European Supervisory Authorities (the ESAs, comprising the EBA, EIOPA and ESMA) will have direct oversight of Critical Service Providers.
- Critical Service Providers are providers which are critical for financial entities, as identified by the ESAs using prescribed criteria (see Article 28 of the draft Regulation at page 56 onwards; as noted above, there are some pretty broad criteria here. Major cloud services providers will certainly fall within the scope of the definition, as will most ICT companies who have large contracts with multiple FS entities).
- Each Critical Service Provider will be allocated one of the ESAs as its Lead Overseer.
- Art 31(1)(a)-(c) (page 60) sets out powers to request information and documentation from Critical Service Providers (and potentially to set mandatory contract provisions). Under Art 31(4)-(9), if the service provider does not comply with an information or documentation request it can be subject to a periodic penalty payment of up to 1% of its average daily worldwide turnover for each day of non-compliance, for a period of up to 6 months. That is obviously a very significant level of potential financial exposure….!
The next step is for this proposed Regulation to be adopted, 12 months after which most, but not all, of it will come into force (the draft defers the threat led penetration testing provisions in Articles 23 and 24 to 36 months after entry into force). Note that as it is an EU Regulation, it would then have direct effect in the laws of the relevant EU member states, ie it would not need additional local enacting legislation.