Operational resilience is a key focus area for regulators across Europe, at both the domestic and European level. The banking crisis prompted regulators to strengthen the financial sector’s ability to weather financial risks. But as the financial sector has become increasingly dependent on outsourced and third-party service providers, regulators have turned their attention to digital operational resilience to reduce the risk of technological disruption harming consumers or disrupting the financial sector more generally.
In Europe, the Commission recently adopted its Proposal for a Regulation on Digital Operational Resilience for the Financial Sector (“draft Regulation”). Covering a wide range of financial sector businesses (including banks, insurers and reinsurers), and now also proposing a direct oversight arrangement for their service providers (to include cloud service providers and crowdfunding providers), the draft Regulation sets out a wide range of requirements and regulatory powers relating to:
- ICT risk management, such as continuity of service / continuity of operations, resilience testing, same day notification of major incidents to regulatory authorities, and intelligence sharing;
- mandatory specific contract rights to terminate ICT contracts, including where the regulator can no longer effectively supervise the entity as a result of the contractual arrangement; and a wide list of other required contract obligations;
- the establishment of an oversight regime for critical service providers to assess how they manage ICT risks for financial sector customers. Notably, competent authorities will be able to impose significant fines upon suppliers for non-compliance.
This note considers the contractual requirements of the draft Regulation, and in particular those aspects of the draft which might create difficulties in contract negotiations going forward, were the draft to be enacted without amendment.
Financial sector institutions will naturally be interested in how the contract requirements set out in this draft Regulation compare with those required by the EBA Outsourcing Guidelines – and in particular to pick out any additional requirements over and above what the EBA would require (given that they are already engaged in remediation and contract update exercises in the light of the EBA Outsourcing Guidelines).
As a starting point, however, it is important to understand that the draft Regulation does not limit itself to outsourcing arrangements; its scope of application is much broader. As Article 1 explains, it sets out “uniform requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities”. “ICT Services” is defined widely, meaning “digital and data services provided through the ICT systems to one or more internal or external users, including provision of data, data entry, data storage, data processing and reporting services, data monitoring as well as data based business and decision support services”. In short, the draft Regulation will be relevant to a wide range of technology-related contracts.
Much of the draft Regulation sets out the processes, reviews and oversights that a financial sector customer would expect in order to manage ICT related risk. However, when looking at what would need to be included in the underlying contracts, it is worth noting the following:
- An obligation to report “major ICT related Incidents”, which includes specific time frames for reporting to the relevant Competent Authority (without delay and in any event by the end of the business day, or, for an incident occurring within two hours of the end of the previous business day, not more than four hours from the start of the next business day). Financial entities will only be confident of compliance with such an obligation where an equivalent notification obligation has been imposed on the relevant service provider. Note that this includes notifications of incidents which “may” have an impact on the financial interests of service users and clients, as well as those which actually have done so (Article 17); and
- An obligation to carry out “advanced testing by means of threat led penetration testing” at least once every three years, which must include the service provider’s systems; Article 23(2) reads: “where ICT third party service providers are included in the remit of the threat led penetration testing, the financial entity shall take the necessary measures to ensure the participation of these providers” (our emphasis). Perhaps unsurprisingly, given that the draft Regulation is all about resilience, this goes further than the EBA Outsourcing Guidelines’ more general requirement to ensure that security penetration testing can be carried out (section 94). However, ICT suppliers will usually be very reluctant to agree to penetration testing of their systems, especially if those systems are also used to support the provision of services to others of their customers, and it therefore remains to be seen whether they can or will comply with such a requirement, or what limitations they may try to impose upon such tests.
More details as to contract drafting requirements are set out in Article 25. Points to note here include:
- “Financial Entities may only enter into contractual arrangements with ICT third party service providers that comply with high, appropriate and the latest information security standards” (Article 25(6)); there is inevitably the prospect of some debate here as to what this means in practice, and whether it will ultimately be the responsibility of the financial services institution or of the ICT service provider to take the risk of specifying what these standards should be;
- Some specifically mandated termination rights which differ from the equivalent in the EBA Outsourcing Guidelines (section 13). Note, in particular, Article 25(8)(b), (c) and (d) of the draft Regulation, which require the contract to be terminated in the following circumstances:
  (b) circumstances identified throughout the monitoring of ICT third party risk which are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third party service provider;
  (c) the ICT third party service provider’s evidenced weaknesses in its overall ICT risk management and in particular in the way it ensures the security and integrity of confidential, personal or otherwise sensitive data or non-personal information;
  (d) circumstances where the competent authority can no longer effectively supervise the financial entity as a result of the respective contractual arrangement; and
- A continued focus on exits, particularly those that have been described elsewhere as “stressed” exits, such that Financial Entities shall ensure that they are able to exit contractual arrangements without:
- disruption to their business activities,
- limiting compliance with regulatory requirements, or
- detriment to the continuity and quality of their provision of services to clients.
Minimum expectations of financial entities in assessing the suitability of a proposed contractual arrangement are set out at Article 26. These include consideration of concentration risk (meaning the risk of overreliance on one supplier and/or contracting with a supplier which it is difficult to replace) and sub-contracting risk (in particular, location and/or long contract chains which are difficult to monitor or supervise).
Article 27 contains more specifics as to contractual provisions, and again some deviations from the EBA Outsourcing Guidelines (section 13). In particular:
- The contract is to be accessible in “one written document”. Query how this sits with the reality that technology contracts often incorporate multiple documents by reference and/or links;
- A requirement for the provider to have in place ICT security measures, tools and policies which “adequately guarantee a secure provision of services by the financial entity in line with its regulatory framework”. “Guarantee” is a high standard to meet, although linking the standard to regulatory framework may make the provision more palatable;
- Access and audit rights which specifically include the right to “take copies of relevant documentation” (the EBA’s mandatory outsourcing audit rights are certainly comprehensive but don’t expressly allow documents to be copied) and “details on the scope, modalities and frequency of remote audits”;
- The right to agree alternative assurance levels if the provider’s other clients’ rights are affected;
- A proactive obligation to “without undue delay [take] appropriate corrective actions when agreed service levels are not met”. This obviously goes beyond a provision to impose service credits, or even to create a termination trigger linked to service level performance;
- An obligation on the service provider to provide assistance in the case of an ICT incident “at no additional cost or at a cost that is determined ex-ante” (i.e. in advance);
- Exit requirements which are slightly more prescriptive on the return of data, which must not only be accessed (as per the EBA Outsourcing Guidelines) but also recovered and returned in an easily accessible format;
- A requirement to establish a mandatory adequate transition period “during which the ICT third party service provider will continue providing the respective functions or services with a view to reduce the risk of disruptions at the financial entity”;
- An obligation for both parties to consider using standard contract clauses developed for specific services. The Commission is working on standard clauses for Cloud services.
Interestingly, there is also a plan to create draft regulatory technical standards for the subcontracting of “critical or important” functions, which may then set out certain flow-down requirements. Given that the flow-down of contract provisions mandated by the EBA Outsourcing Guidelines has been a particularly difficult area of discussion between financial institutions and their outsource service providers, it will be important to see what kind of standards are imposed in this regard.
SUPERVISIONS AND POWERS OVER SERVICE PROVIDERS
The other key development in the draft Regulation is the proposed direct supervision of, and degree of potential control over, critical ICT third party providers that the regulators will have.
It is proposed that the European Supervisory Authorities (“ESA”, which comprises the EBA, EIOPA and ESMA) will have oversight of “critical service providers”. In this context, critical service providers means those providers which are critical for financial sector entities, as identified by the ESA using prescribed criteria including:
- The systemic impact on the stability, continuity or quality of the provision of financial services in the event that the relevant ICT third-party provider faces a large-scale operational failure, especially in light of the number of financial entities using those services,
- The systemic character of the financial entities that rely on the services,
- The reliance of financial entities on the relevant services in relation to critical or important functions that ultimately involve those services from that ICT third-party provider, irrespective of whether financial entities rely on those services directly or indirectly, by means of or through subcontracting arrangements,
- The degree of substitutability of the ICT third-party provider, measured by reference to real alternatives and the difficulties associated with migration, and
- The number of Member States in which the relevant ICT third-party service provider provides services, and the number of Member States in which financial entities using the relevant ICT third-party services are operating.
These criteria may well have been drafted with the likes of the “hyper scale” cloud service providers in mind.
Each critical service provider will be allocated one of the three ESA regulators as its Lead Overseer. Article 31(1)(a)-(c) sets out the powers of the Lead Overseer to request information and documentation directly from a critical service provider, and potentially to start imposing requirements regarding the contract terms that it uses and the degree of subcontracting that it undertakes. Suppliers who expect to be caught by this regime will note that if a critical service provider does not comply with its Lead Overseer’s information and documentation request, it can be fined up to 1% of its daily worldwide turnover, each day, for up to six months (see Article 31(4)-(9)).
The draft Regulation was adopted by the Commission on 24 September. The European Parliament and the Council of the European Union will now consider the proposal.
Once adopted and in force, it will apply directly in EU member states after 12 months (save for the advanced testing by means of threat led penetration testing provisions, which will come into force after 36 months).
Please contact your usual DLA Piper contact or one of the authors for more information.