Ensuring Robust Contractual Arrangements For ICT Services in Financial Institutions

by Sneha Naskar

An 'electronic money institution' (EMI) is, in the words of the regulation, an electronic money institution as defined in Article 2, point (1), of Directive 2009/110/EC of the European Parliament and of the Council. In today's rapidly evolving financial landscape, EMIs play a pivotal role in facilitating digital transactions and enhancing financial inclusion. Governed under Directive 2009/110/EC, they provide a secure and efficient means of handling electronic money and related services. Because these functions depend heavily on outsourced ICT, robust contractual arrangements between financial entities and ICT third-party service providers are essential for maintaining operational resilience, safeguarding critical or important functions, and protecting customer data.

Essential Contractual Elements

Clear Allocation of Rights and Obligations

Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), emphasizes transparency, security, and cooperation as the basis for maintaining operational resilience and safeguarding critical or important functions. The rights and obligations of both the financial entity and the ICT third-party service provider must be clearly allocated and documented in writing. The entire contract, including the service level agreements, shall be consolidated into a single written document available to both parties either on paper or in a downloadable, durable, and accessible electronic format.

Contractual arrangements for the use of ICT services shall encompass the following essential elements:

  • Function and Service Description: A comprehensive description of all functions and services to be provided by the ICT third-party service provider, specifying whether subcontracting of critical or important functions, or significant parts thereof, is permissible and under what conditions such subcontracting may occur.
  • Service Location Specifications: Specification of the locations where contracted or subcontracted functions and services will be performed and where data will be processed, including storage locations. The ICT third-party service provider must notify the financial entity of any intended changes to these locations.
  • Data Protection Provisions: Provisions regarding accessibility, availability, integrity, security, and protection of personal data. Additionally, provisions ensuring access, recovery, and return of personal and non-personal data in an easily accessible format in cases of the ICT third-party service provider's insolvency, resolution, or discontinuation of business operations.
  • Service Level Descriptions: Detailed service level descriptions, including updates and revisions, and precise quantitative and qualitative performance targets within agreed service levels. These provisions enable effective monitoring by the financial entity and prompt corrective actions if agreed service levels are not met.
  • Notification and Reporting Obligations: Notice periods and reporting obligations of the ICT third-party service provider to the financial entity. This includes notification of any developments that could materially impact the ICT third-party service provider's ability to perform critical or important functions in accordance with agreed service levels.
  • Incident Assistance: Obligations of the ICT third-party service provider to assist in case of ICT incidents at no additional cost or at a pre-determined cost.
  • Business Contingency Plans: Requirements for the ICT third-party service provider to implement and test business contingency plans and maintain ICT security measures, tools, and policies ensuring secure service provision aligned with the financial entity's regulatory framework.
  • Ongoing Performance Monitoring: Rights for ongoing monitoring of the ICT third-party service provider's performance, including:
    • Rights of access, inspection, and audit by the financial entity or appointed third parties, without hindrance from other contractual arrangements or implementation policies.
    • Agreement on alternative assurance levels if rights of other clients are affected.
    • Commitment to full cooperation during onsite inspections and audits by the financial entity or its appointed third parties, together with agreed details on the scope, procedures, and frequency of those inspections and audits.
  • Cooperation with Authorities: Obligations of the ICT third-party service provider to fully cooperate with competent authorities and resolution authorities of the financial entity, including their appointed representatives.
  • Termination and Exit Strategies: Termination rights and minimum notice periods for contract termination, aligned with expectations of competent authorities. Exit strategies should establish a mandatory transition period:
    • During which the ICT third-party service provider continues providing functions or services to minimize disruption at the financial entity.
    • Allowing the financial entity to transition to another ICT third-party service provider or shift to on-premises solutions, considering the complexity of the service provided.

Standard Contractual Clauses and Regulatory Standards

When negotiating contractual arrangements, financial entities and ICT third-party service providers should consider using standard contractual clauses developed by public authorities for specific services. Such clauses help ensure that all critical aspects are covered comprehensively and consistently, reducing the risk of omissions or misunderstandings between the parties. The ESAs, through the Joint Committee, will develop draft regulatory technical standards specifying further the elements of the function and service description (the first element listed above) that a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions. These draft standards will be submitted to the Commission by [OJ: insert date 1 year after the date of entry into force]. The Commission is empowered to adopt these regulatory technical standards in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010, and (EU) No 1095/2010 to supplement the Regulation.

Conclusion

Robust contractual arrangements for ICT services are essential for financial institutions to mitigate third-party risk and meet their regulatory obligations. These contracts must cover the key elements set out above, including data protection, service levels, incident assistance, audit rights, contingency planning, and exit strategies, and in doing so establish a clear working relationship between institutions and their service providers. As the financial sector continues to digitize, well-drafted contracts will let institutions adopt new services while retaining the visibility and control needed to withstand disruption. Ultimately, prioritizing comprehensive ICT agreements is crucial for financial institutions to maintain resilience and remain competitive in the digital age.

DORA Compliance Framework