Assess third parties' relevant experience during due diligence.
CONTROL ID
12070
CONTROL TYPE
Business Processes
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Conduct all parts of the supply chain due diligence process., CC ID: 08854

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Before selecting a service provider AIs should perform appropriate due diligence. In assessing a provider, apart from the cost factor and quality of services AIs should take into account the provider's financial soundness, reputation, managerial skills, technical capabilities, operational capability… (2.3.1, Hong Kong Monetary Authority Supervisory Policy Manual SA-2 Outsourcing, V.1-28.12.01)
  • A licensed corporation should only keep Regulatory Records with an EDSP which is suitable and reliable, having regard to the EDSP's operational capabilities, technical expertise and financial soundness. (7.(c), Circular to Licensed Corporations - Use of external electronic data storage)
  • experience and capability to implement and support the outsourcing arrangement over the contracted period; (5.4.3 (a), Guidelines on Outsourcing)
  • Where the outsourced service is the internal audit function of an institution, there are additional issues that an institution should deliberate upon. One of these is the lack of independence or the appearance of impaired independence, when a service provider is handling multiple engagements for an … (5.12.1, Guidelines on Outsourcing)
  • With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, … (4.12.3 70, Final Report on EBA Guidelines on outsourcing arrangements)
  • the degree of substitutability of the ICT third-party service provider, taking into account the following parameters: (Art. 31.2.(d), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • capability, expertise, and reputation; (§ 5.19 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls. (Domain 4: Assessment Factor: Relationship Management, DUE DILIGENCE Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • When reviewing information provided by the institution's third-party providers, determine the adequacy of third-party provider audit reports in terms of scope, independence, expertise, frequency, and corrective actions taken on identified issues. Work with the examiner reviewing the third-party mana… (App A Objective 12:17, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the directors perform sufficient due diligence to satisfy themselves of the audit vendor's competence and objectivity before entering the outsourcing arrangement. (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 11:8, FFIEC IT Examination Handbook - Audit, April 2012)
  • Review of operational history of customer (e.g., length of time in business, relocations of operations, and business reputation); (App A Tier 2 Objectives and Procedures M.4 Bullet 1 Sub-Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Years in business (for commercial customers). (App A Tier 2 Objectives and Procedures N.3 Bullet 1 Sub-Bullet 3, Sub-Sub Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assesses the service provider's length of operation and market share; (App A Tier 2 Objectives and Procedures O.2 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Shortcomings in the service provider's expertise that the institution would need to supplement in order to fully mitigate risks; (App A Tier 2 Objectives and Procedures O.3 Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The service provider's experience and ability in the industry; (App A Tier 2 Objectives and Procedures O.3 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The service provider's experience and ability in dealing with situations similar to the institution's environment and operations; (App A Tier 2 Objectives and Procedures O.3 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)