Key Elements of Contractual Arrangements For ICT Third-Party Service Providers

by Sneha Naskar

‘Account information service provider’ means an account information service provider as referred to in Article 33(1) of Directive (EU) 2015/2366. In today’s digital financial landscape, the role of account information service providers (AISPs) has become increasingly critical. These entities, governed by Directive (EU) 2015/2366, commonly known as PSD2, facilitate secure and efficient access to customers' financial data, enabling enhanced financial services and improved customer experiences. Robust contractual arrangements between financial entities and the ICT third-party service providers they rely on are therefore vital for maintaining operational resilience, safeguarding critical or important functions, and protecting customer data.

Essential Contractual Elements

Clear Allocation of Rights and Obligations

The regulation emphasizes the need for transparency, security, and cooperation to maintain operational resilience and safeguard critical functions. The rights and obligations of both the financial entity and the ICT third-party service provider must be clearly allocated and documented in writing. The entire contract, inclusive of service level agreements, shall be consolidated into a single written document accessible to both parties in either paper format or a downloadable and accessible electronic format.

Contractual arrangements for the use of ICT services shall encompass the following essential elements:

  • Function and Service Description: A comprehensive description of all functions and services to be provided by the ICT third-party service provider, specifying whether subcontracting of critical or important functions, or significant parts thereof, is permissible and under what conditions such subcontracting may occur.
  • Service Location Specifications: Specification of the locations where contracted or subcontracted functions and services will be performed and where data will be processed, including storage locations. The ICT third-party service provider must notify the financial entity of any intended changes to these locations.
  • Data Protection Provisions: Provisions regarding accessibility, availability, integrity, security, and protection of personal data. Additionally, provisions ensuring access, recovery, and return of personal and non-personal data in an easily accessible format in cases of the ICT third-party service provider's insolvency, resolution, or discontinuation of business operations.
  • Service Level Descriptions: Detailed service level descriptions, including updates and revisions, and precise quantitative and qualitative performance targets within agreed service levels. These provisions enable effective monitoring by the financial entity and prompt corrective actions if agreed service levels are not met.
  • Notification and Reporting Obligations: Notice periods and reporting obligations of the ICT third-party service provider to the financial entity. This includes notification of any developments that could materially impact the ICT third-party service provider's ability to perform critical or important functions in accordance with agreed service levels.
  • Incident Assistance: Obligations of the ICT third-party service provider to assist in case of ICT incidents at no additional cost or at a pre-determined cost.
  • Business Contingency Plans: Requirements for the ICT third-party service provider to implement and test business contingency plans and maintain ICT security measures, tools, and policies ensuring secure service provision aligned with the financial entity's regulatory framework.
  • Ongoing Performance Monitoring: Rights for ongoing monitoring of the ICT third-party service provider's performance, including:
    • Rights of access, inspection, and audit by the financial entity or appointed third parties, without hindrance from other contractual arrangements or implementation policies.
    • Agreement on alternative assurance levels if rights of other clients are affected.
    • Commitment to full cooperation during onsite inspections by the financial entity, detailing scope, methods, and frequency of remote audits.
  • Cooperation with Authorities: Obligations of the ICT third-party service provider to fully cooperate with competent authorities and resolution authorities of the financial entity, including their appointed representatives.
  • Termination and Exit Strategies: Termination rights and minimum notice periods for contract termination, aligned with expectations of competent authorities. Exit strategies should establish a mandatory transition period:
    • During which the ICT third-party service provider continues providing functions or services to minimize disruption at the financial entity.
    • Allowing the financial entity to transition to another ICT third-party service provider or shift to on-premises solutions, considering the complexity of the service provided.

Standard Contractual Clauses and Regulatory Standards

Financial entities and ICT third-party service providers should consider employing standard contractual clauses tailored to specific services during contract negotiations. This ensures that all critical aspects are covered comprehensively and consistently, reducing risks associated with miscommunication or oversight.

The ESAs, through the Joint Committee, will develop draft regulatory technical standards specifying additional elements necessary for financial entities to determine and assess when subcontracting critical or important functions, ensuring compliance with the provisions outlined in point (a) of paragraph 2.
