
1. Overview

Third-party Due Diligence and Selection

Summary: Suitability Criteria
Standard: Ensure that the third-party service provider has the business reputation, sufficient abilities, expertise and adequate financial, human and technical resources, information security standards, appropriate organisational structure (including risk management and internal controls) and, if applicable, the required authorisation(s) or registration(s) to provide ICT services supporting the critical or important functions in a reliable and professional manner.

Summary: Selection Criteria
Standard: Take the following into account when selecting and assessing the service provider:
- Audits conducted by the financial entity or on its behalf, third-party certifications, independent audit reports, internal audit function reports, and publicly available information.
- Adherence to ethical, social, human and environmental (sustainability) principles, including appropriate working conditions and the prohibition of child labour.
- Whether the service provider operates in a third country, and whether this heightens operational, reputational or sanctions-related risks.
- The service provider's consent to effective audits, both onsite and by designated parties, including auditors from the financial entity, external (third-party) auditors, and competent authorities (such as the regulator).
- Whether the service provider intends to engage ICT sub-contractors for substantial portions of its services.

2. Identified Requirements

Requirements
Source | Requirement

3. Related Regulations

Regulations
Source | Regulation