Assess third parties' compliance environment during due diligence.
CONTROL ID
13134
CONTROL TYPE
Process or Activity
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Conduct all parts of the supply chain due diligence process., CC ID: 08854

This Control has the following implementation support Control(s):
  • Document that supply chain members investigate security events., CC ID: 13348
  • Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary., CC ID: 12064
  • Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members., CC ID: 11888
  • Request attestation of compliance from third parties., CC ID: 12067

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • legal due diligence is undertaken to ascertain that any applicable local or overseas legal or regulatory requirements have been complied with (especially if AIs partner with overseas platforms/portals), including those relating to personal data privacy if customers' personal data would be transmitte… (§ 7.2.2(ii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • While AIs are expected to take into account the general guidance specified in SA-2 “Outsourcing” when managing technology outsourcing, they should also have regard to the following controls: - technology service providers should have sufficient resources and expertise to comply with the substanc… (7.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The licensed corporation should conduct proper initial due diligence on the EDSP and its controls relating to its infrastructure, personnel and processes for delivering its data storage services, as well as regular monitoring of the EDSP's service delivery, in each case commensurate with the critica… (12., Circular to Licensed Corporations - Use of external electronic data storage)
  • the EDSP's internal governance for the safeguard of the licensed corporation's Regulatory Records (where Regulatory Records are kept with the EDSP), and may include assessing the physical security of the storage facilities, the type of hosting (ie, whether it is dedicated or shared hardware), securi… (12.(a), Circular to Licensed Corporations - Use of external electronic data storage)
  • corporate governance, business reputation and culture, compliance, and pending or potential litigation; (5.4.3 (c), Guidelines on Outsourcing)
  • security and internal controls, audit coverage, reporting and monitoring environment; (5.4.3 (d), Guidelines on Outsourcing)
  • external environment (such as the political, economic, social and legal environment of the jurisdiction in which the service provider operates); and (5.4.3 (i), Guidelines on Outsourcing)
  • ability to comply with applicable laws and regulations and track record in relation to its compliance with applicable laws and regulations. (5.4.3 (j), Guidelines on Outsourcing)
  • An institution should assess all relevant aspects of the service provider, including its capability to employ a high standard of care in the performance of the outsourcing arrangement as if the service is performed by the institution to meet its obligations as a regulated entity. The due diligence s… (5.4.2, Guidelines on Outsourcing)
  • An institution should ensure that independent audits and/or expert assessments of all its outsourcing arrangements are conducted. In determining the frequency of audit and expert assessment, the institution should consider the nature and extent of risk and impact to the institution from the outsourc… (5.9.5, Guidelines on Outsourcing)
  • Evaluation of the design of information security controls of third parties and related parties necessitates an understanding of the controls in place or planned. This can be maintained over time through a combination of interviews, surveys, control testing, certifications, contractual reviews, attes… (63., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • the independent review and audit of compliance with legal and regulatory requirements and policies; (4.7 42(d)(iii), Final Report on EBA Guidelines on outsourcing arrangements)
  • assess if the supervisory conditions for outsourcing set out in Section 12.1 are met; (4.12 61(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution contr… (4.12.2 68(f), Final Report on EBA Guidelines on outsourcing arrangements)
  • whether or not the service provider is supervised by competent authorities. (4.12.3 71(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • Where contractual arrangements on the use of ICT services supporting critical or important functions are concluded with an ICT third-party service provider established in a third country, financial entities shall, in addition to the considerations referred to in the second subparagraph, also conside… (Art. 29.2. ¶ 3, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • compliance with the Fundamental Rules; (§ 5.11 Bullet 2 Sub-Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • requirements under 'relevant legislation' and the PRA Rulebook; (§ 5.11 Bullet 2 Sub-Bullet 3, SS2/21 Outsourcing and third party risk management, March 2021)
  • ability to meet the Threshold Conditions; (§ 5.11 Bullet 2 Sub-Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • have the authorisations or registrations required to perform the service; (§ 5.20 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • Periodically review the organization's supply chain partners' IT governance policies and procedures. (STA-13, Cloud Controls Matrix, v4.0)
  • Outsourcing of an organization's operations usually does not relieve the organization of its legal responsibilities or compliance obligations. If there is any outsourcing of the organization's activities, the organization needs to undertake effective due diligence to ensure that its standards and co… (§ 8.3 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization shall assess compliance risks related to outsourced and third-party processes. (§ 4.6 ¶ 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall assess compliance risks related to outsourced and third-party processes. (§ 8.1 ¶ 5, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization has identified and monitors the organizational ecosystem of external dependencies for assets/systems that are critical to the enterprise and the financial services sector. (DM.ED-5.1, CRI Profile, v1.2)
  • Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls. (Domain 4: Assessment Factor: Relationship Management, DUE DILIGENCE Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Management's determination of the service provider's compliance with applicable financial institution and consumer regulations and with third-party requirements (e.g., NACHA, GLBA, bankcard company, and interchange). (App A Tier 1 Objectives and Procedures Objective 3:2 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Review a sample of consumer contracts for ATM services to ensure they adequately set forth responsibilities and liabilities of the institution and the customer. Evaluate compliance with applicable regulations. (App A Tier 1 Objectives and Procedures Objective 7:4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • If the financial institution accepts RCCs from retail business customers or payment processing customers, assess the appropriateness of, and adherence to, policies and procedures regarding customer due diligence, customer contracts, third-party service provider's due diligence, and activity/transact… (App A Tier 2 Objectives and Procedures M.4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Customer due diligence performed at the initiation and periodically throughout the business relationship, including; (App A Tier 2 Objectives and Procedures M.4 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Obtain and review the financial institution's policies and procedures for RDC. Assess whether they define the function, responsibilities, operational controls, vendor management, customer due diligence, BSA/AML compliance monitoring, and reporting functions, etc. Identify the date they were last rev… (App A Tier 2 Objectives and Procedures N.9 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Compliance. TSPs are expected to provide services to client financial institutions to help them comply with applicable laws, rules, regulations, and policies. (Risk-Based Supervision ¶ 2 Bullet 5, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Federation authorities SHALL establish parameters regarding expected and acceptable IALs, AALs, and FALs in connection with the federated relationships they enable. Federation authorities SHALL individually vet each participant in the federation to determine whether they adhere to their expected sec… (5.1.3 ¶ 3, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)
  • Assertions generated by IdPs adhere to the requirements in Section 6. (5.1.3 ¶ 4 Bullet 1, Digital Identity Guidelines: Federation and Assertions, NIST SP 800-63C)