Assess third parties' legal risks to the organization during due diligence.


CONTROL ID
12078
CONTROL TYPE
Business Processes
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Conduct all parts of the supply chain due diligence process. (CC ID: 08854)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • corporate governance, business reputation and culture, compliance, and pending or potential litigation; (5.4.3 (c), Guidelines on Outsourcing)
  • government policies; (5.10.1 ¶ 1 (a), Guidelines on Outsourcing)
  • its business model, nature, scale, complexity, financial situation, ownership and group structure; (4.12.3 71(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • comply with all legal and regulatory requirements; (4.4 31(c)(ii), Final Report on EBA Guidelines on outsourcing arrangements)
  • the laws in force, including laws on data protection; (4.12.2 68(d)(i), Final Report on EBA Guidelines on outsourcing arrangements)
  • the law enforcement provisions in place; and (4.12.2 68(d)(ii), Final Report on EBA Guidelines on outsourcing arrangements)
  • the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; (4.12.2 68(d)(iii), Final Report on EBA Guidelines on outsourcing arrangements)
  • Where contractual arrangements concern ICT services supporting critical or important functions, financial entities shall duly consider the insolvency law provisions that would apply in the event of the ICT third-party service provider's bankruptcy as well as any constraint that may arise in respect … (Art. 29.2. ¶ 2, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • legal risk; and (Table 5 Column 2 Row 3 Bullet 1 Sub-Bullet 3, SS2/21 Outsourcing and third party risk management, March 2021)
  • Set up a procedure for establishing, modifying and terminating contracts for all suppliers. The procedure should cover, at a minimum, legal, financial, organisational, documentary, performance, security, intellectual property, and termination responsibilities and liabilities (including penalty claus… (AI5.2 Supplier Contract Management, CobiT, Version 4.1)
  • How the financial institution risk rates existing customers, on a recurring basis, and how they qualify potential customers; (App A Tier 2 Objectives and Procedures N.3 Bullet 1 Sub-Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The service provider's ability to comply with appropriate federal and state laws. In particular, ensure management has assessed the service providers' ability to comply with federal laws (including GLBA and BSA); and (App A Tier 2 Objectives and Procedures O.3 Bullet 9, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The Agencies' supervisory approach to cross-border outsourcing emphasizes the responsibility of the serviced financial institution to conduct adequate due diligence, manage risks appropriately, comply with applicable U.S. and foreign laws and regulations, and ensure access to critical information wi… (Supervision of Foreign-Based TSP Program ¶ 2, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)