Contractual Arrangements; a key challenge for Financial Entities and Third-Party Providers alike
by Alan Chute
The Digital Operational Resilience Act’s (DORA) compliance date on January 17th, 2025, is just under 11 months away, and for a lot of financial entities and critical third-party service providers, this is beginning to feel like a relatively short timeframe to complete the laundry list of requirements that have come through the level 1 and level 2 texts.
This feeling may deepen given that the final drafts of the second batch of level 2 RTS & ITS are still in the consultation phase. The industry will need to wait until July 2024 before the final drafts are published by the European Supervisory Authorities.
For DORA teams across the Financial Services industry, balancing the need to start with not being quite sure of what exactly they need to do is a key challenge in building out implementation plans.
One area of DORA where this is felt more than any other is the Third-Party Risk Management pillar, where third-party ICT service providers and their subcontractors come into sharp focus via the obligations that the Act sets around contractual arrangements, and the oversight of these by regulators.
Contractual arrangements
The contractual arrangements’ obligations are set out across the level 1 text and level 2 RTS & ITS for both the financial entity and the third-party ICT service provider. The task faced by both parties is firstly to identify and understand the status of their existing contracts, and from there establish contact with counterparties. The shared objective will be agreeing terms of a contractual arrangement that allows both financial entity and third-party ICT service provider to be DORA compliant.
At first glance it may appear straightforward: an uplift of the existing contract, and the implementation of a due diligence process within the financial entity that manages the onboarding of third-party ICT service providers via the stages set out under DORA.
But the financial services industry is not one-size-fits-all, and differences in nature, scale and complexity mean that the conversations between financial entities and their ICT providers, once they start, are likely to produce more questions than answers. These conversations have started, and the questions arising from these engagements are being directed, in part, to the supervisory authorities for direction and answers.
At the recent Joint ESAs public hearing on the second batch of DORA policy products on 23rd January 2024, the session dedicated to the RTS on subcontracting ICT services drew considerable interest, and questions were submitted from organisations across the financial services industry. Some entities called out a concern and an uncertainty regarding being able to meet the DORA contractual arrangement requirements fully by January 17th, 2025.
Industry view
Whilst there was a variety of queries on the above theme at the online hearing, the following were the most pressing issues:
- the ability of financial entities with large numbers of critical third-party ICT service providers to meet all contractual arrangement requirements by the compliance deadline, given that the finalised regulatory technical standards will not be available until mid-summer 2024.
- the ability of financial entities to successfully look-through the subcontractor supply chain of their critical third-party ICT service providers, especially for certain large and global providers who may have large numbers of parties supporting critical functions.
- the potential that a financial entity may not be able to contract with some of the key, large service providers, due to the inability to look through their contractor supply chain and validate compliance.
- the ability of the third-party ICT service provider industry to manage the volume of diverging and perhaps contradictory viewpoints on the regulation from their many and varied financial entity clients.
In response to the questions at the online hearing, the ESA reminded participants that the level 1 text was not within the scope of the hearing and these requirements would need to be met.
With respect to the timeline concerns, the challenge facing the industry was acknowledged by the authorities, but it was noted that DORA came into force over 12 months previously, to allow time for financial entities to address challenges. This point is applicable and fair in response to some queries, less so perhaps in relation to the final text of the second batch of RTS, which will not be finalised until summer 2024.
Additionally, participants attending the online hearing were reminded that the outsourcing guidelines have been in place for some time, meaning that entities should already have a lot of the groundwork done in respect of audit and third-party oversight queries. It was however acknowledged that larger firms with high volumes of third-party ICT providers may find it difficult to comply fully by the January 17th, 2025 timeline, but must make their ‘best efforts’ to comply.
Whilst no concessions were given on timeline, and fewer definitive answers were given than industry participants may have hoped for, financial entities and ICT service providers will have the opportunity to respond in writing by March 4th, the deadline for submitting feedback on the consultation on the second batch of RTS.
Where does industry go from here?
With the March 4th deadline only one week away, the opportunity to respond to the questions posed on the appropriateness and clarity of the RTS articles by the supervisory authorities is now.
Pragmatism has previously been called out by Gerry Cross, as Chair of the European Supervisory Authorities’ Sub-Committee on DORA implementation, as a key ingredient of DORA implementation. In-scope entities under DORA will be hoping that, in the context of contractual arrangements, this translates into a final version of the RTS on subcontracting that brings in more of the language found in other RTSs, such as ‘if possible’ or ‘where applicable’, and that looks at the challenge facing entities in the repapering of contracts with an evolving mindset of being in progress, rather than complete, by January 2025.
Whilst there are indeed very tangible challenges facing implementation teams across the financial services sector in relation to being compliant across all their contractual arrangements by January 2025, getting started now will be a key marker of that objective’s success.
The final text of the RTS on subcontracting may be 5 months away, but the level 1 requirements must be tackled and solutions found. The level 2 RTS detail may change, but this will need to be incorporated into works-in-progress rather than adopting a wait-and-see strategy: the latter option simply creates a greater risk of not being compliant within the regulatory deadline, or of not being able to demonstrate best efforts in the achievement of compliance (something that does not equal compliance, but is a stronger position than starting late).
Early engagement between entities and providers to chart a course for both parties to work together over the course of 2024 is a crucial step that should be considered now by vendor management teams within DORA projects. Ahead of that, the maturity assessment and gap analysis phases within programmes of work will need to place a strong weighting on identifying the in-scope parties, whether you are a financial entity with providers, or a provider with a large client base.
Whilst the timeframe may feel short in mid-Q1 2024, it remains early enough in the year to get key foundations set that can then be built on post-July, when full information exists.
Action rather than reaction will prove to be the prudent strategy.
For more insights and guidance on DORA, feel free to reach out to Parva Consulting’s team to explore how we can assist you with your regulatory compliance needs.