DORA explained: Role of Compliance Officers in Managing ICT Third-Party Risks (Part 2)

If you enjoy reading our articles and want to support our mission of sharing valuable insights on AML and investment funds, the easiest way to help is by subscribing to our Fundiligence newsletter.
For us it is very important, for you it is FREE.

This article follows on from the previous one, Principles of Proportionality and Due Diligence Process, which discussed the principles of the Digital Operational Resilience Act (DORA) with a focus on proportionality and the due diligence process. In this second part we look at the practical implementation of those principles in the Alternative Investment Fund Manager (AIFM) industry, with emphasis on the Compliance Officer’s role in managing ICT third-party risk and on prioritising the review of contractual arrangements for ICT services, in particular those supporting “critical or important functions.” DORA (Article 3, point 22) defines a “critical or important function” as one whose disruption would materially impair the financial performance of the entity or the soundness or continuity of its services and activities, or whose discontinued, defective or failed performance would materially impair the entity’s continuing compliance with the conditions of its authorisation or its other obligations under applicable financial services law. Determining which functions fall under this definition requires a risk assessment, which in turn shows whether those functions are adequately protected by the contractual arrangements in place.

Evaluating Contractual Arrangements and Termination clauses

From the date of application of DORA (17 January 2025), Compliance Officers must first assess whether the ICT services covered by each contractual arrangement support critical or important functions, because this classification determines the depth of the controls the Compliance Officer must apply. The assessment should include a detailed analysis of the service provider’s capabilities, the importance of the service to the AIFM’s operations, and the potential impact of a service disruption. The goal is to confirm that a disruption of these services would not significantly affect the entity’s ability to operate or to meet its regulatory requirements.

At the time of implementation, ensuring that contracts with third-party ICT service providers include termination rights for defined situations is a critical control measure. The termination conditions should be clearly articulated and cover significant breaches by the service provider, such as violations of applicable laws, regulations or agreed contractual terms. Changes in the service provider’s risk profile, or performance issues identified during ongoing monitoring, should also be grounds for termination. This is key to maintaining operational resilience, as it allows the AIFM to respond swiftly to any issue that arises.

Termination clauses should address several aspects to safeguard the integrity and security of the ICT services. Firstly, they must cover significant breaches, including violations of laws, regulations or contractual terms, that could jeopardise the quality or security of the services provided, so that legal or regulatory non-compliance by the service provider can lead to termination and the financial entity’s interests are protected. Secondly, they should cover changes in the service provider’s risk profile that could affect the delivery of critical or important functions, including any development that might affect the provider’s ability to maintain the agreed service levels, such as shifts in its business operations or in market conditions.

Persistent performance issues are another crucial factor. If the service provider consistently fails to meet performance standards or Service Level Agreements, operations can be severely disrupted. The termination clause should allow the contract to be ended if these issues are not resolved satisfactorily.

Material changes affecting the arrangement or the service provider’s situation must also be considered. These include mergers, acquisitions, significant financial instability, or other substantial changes in the business structure or ownership of the service provider, any of which can alter the nature of the service provision and the reliability of the provider. By covering these aspects, termination clauses provide a robust framework for ensuring that ICT services remain secure, compliant and reliable, protecting the interests of the financial entity and maintaining the continuity of critical business functions. Finally, the contractual arrangement must not compromise the ability of the competent authority to effectively supervise the financial entity. Compliance Officers must ensure that these termination clauses are not only included but also effectively monitored and enforced.

Monitoring Data Security and Compliance

Another key aspect of managing ICT third-party risk is continuous monitoring of the service provider’s ability to manage ICT risk, particularly with respect to data security. Compliance Officers must ensure that contractual arrangements include strict data security measures, covering the availability, authenticity, integrity and confidentiality of both sensitive and non-sensitive data.

To maintain these standards, contracts should require service providers to implement robust data protection protocols. This includes setting clear expectations for how data is handled, stored and transmitted, as well as procedures for responding to potential security breaches.

Regular audits and assessments of the service provider’s security practices are essential to verify compliance with these requirements. These evaluations should be conducted systematically, confirming that the service provider adheres to the agreed data security protocols. Any deviation or vulnerability identified during these audits must be addressed promptly to preserve the integrity and security of the financial entity’s data.

Continuous monitoring of the service provider’s data security capabilities helps ensure that the financial entity’s information remains protected against emerging threats, thus safeguarding the overall resilience of ICT services.

Ensuring Regulatory Supervision and Continuous Risk Assessment

Contracts with third-party service providers should ensure that financial entities remain under proper regulatory supervision. This means that service providers must comply with all regulatory reporting requirements and give access to the information needed for audits and evaluations. The Compliance Officer plays a crucial role here, working closely with management and the relevant departments to keep accurate records of all contracts and their compliance status.

Ongoing risk assessment is essential for managing the risks associated with ICT service providers. The Compliance Officer should establish a system for continuous monitoring and evaluation of these third-party services, including regular risk assessments, performance reviews, and updates to risk management policies to reflect the latest regulatory changes and technological developments. Continuous monitoring allows financial entities to quickly identify and address any issue that arises, ensuring that ICT services remain secure and compliant with regulations.

In conclusion, Compliance Officers play an important role in managing ICT third-party risk under DORA. Through the evaluation of contractual arrangements, the inclusion of specific termination clauses, continuous monitoring of data security, and the safeguarding of regulatory supervision, Compliance Officers can significantly enhance the operational resilience of AIFMs. This ensures that potential risks are systematically evaluated and managed, contributing to the long-term stability and security of the financial sector in Luxembourg.

If you have read this far, it means that you potentially enjoyed this article. I personally thank you and I invite you to subscribe to the newsletter. Also, feel free to get in contact and suggest any particular topic for the next release.

The views and opinions expressed in this article are my own and do not reflect the official policy, position or opinions of any financial institution or other organisation.
The content of this article is based on the author’s personal research and understanding of AML (Anti-Money Laundering) and compliance topics.
