Establish, implement, and maintain third party reporting requirements.

Establish/Maintain Documentation


This Control directly supports the implied Control(s):
  • Third Party and supply chain oversight, CC ID: 08807

This Control has the following implementation support Control(s):
  • Define timeliness factors for third party reporting requirements., CC ID: 13304


  • An institution should specify in its outsourcing agreement the type of events and the circumstances under which the service provider should report to the institution in order for an institution to take prompt risk mitigation measures and notify MAS of such developments under paragraph 4.2.1; (5.5.2 (g) ¶ 1, Guidelines on Outsourcing)
  • Copies of audit reports should be submitted by the institution to MAS. An institution should also, upon request, provide MAS with other reports or information on the institution and service provider that is related to the outsourcing arrangement. (5.9.8, Guidelines on Outsourcing)
  • where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the se… (4.2 23(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • ensuring that they receive appropriate reports from service providers; (4.14 104(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • Upon request of the cloud customer, the cloud provider provides information of the results, impacts and risks of these audits and assessments in an appropriate form. The cloud provider commits their subcontractors to such audits, asks for the submission of the audit reports in the same intervals and… (Section 5.15 SPN-03 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • If an outsourced service provider in a material outsourcing arrangement is unable or unwilling to contractually facilitate a firm's compliance with its regulatory obligations and expectations, including those in paragraph 6.4, firms should make the PRA aware of this. (§ 6.5, SS2/21 Outsourcing and third party risk management, March 2021)
  • Examine documented procedures and interview personnel to verify that the provider has a mechanism for reporting and addressing suspected or confirmed security incidents and vulnerabilities, in accordance with all elements specified in this requirement. (A1.2.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Hit confirmation. (§ ¶ 1(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Agreements include a provision of minimum acceptable control standards, the ability of the institution to audit the technology service provider's operations, periodic submission of financial statements to the institution, and contingency and business recovery plans. (App A Tier 2 Objectives and Procedures A.1 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Written agreements with originators require the submission of periodic financial information. (App A Tier 2 Objectives and Procedures H.2 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The integrity and timeliness of MIS reports on individual and aggregate customer activity/transaction and exposure levels; (App A Tier 2 Objectives and Procedures M.4 Bullet 1 Sub-Bullet 5, Sub-Sub Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)