3.2. Onboarding and ongoing monitoring of service providers
3.2.1. Due diligence
Financial institutions may conduct appropriate planning and due diligence before entering into a third-party arrangement for a critical service, which can then support financial institutions' subsequent development of appropriate risk monitoring and mitigation measures. In the case of critical services, financial institutions should clearly articulate their expectations for the proposed third-party service relationship (for instance, their expected level of resilience of the critical service) as early as reasonably practicable during the service provider selection process.
The level of due diligence can be applied proportionately to the criticality of the relevant service (see Section 3.1). Tools that financial institutions can leverage as part of their due diligence can include those supporting (i) an analysis of the relative benefits, costs and risks of the proposed arrangement, and (ii) an assessment of the service provider's ability to provide the relevant service. These may include the service provider's:
- Operational and technical capability and track record, including (if applicable) drawing on any prior engagement between the financial institution and the service provider (in general or in connection with the service to be provided);
- Financial soundness insofar as it can affect the delivery of the relevant services;
- Internal controls and risk management, including its ability to manage ICT, cyber and other operational risks;
- Management of supply chain risks, including use and oversight of nth-party service providers (further discussed in Section 3.5);