3.5. Management of risks from service providers' supply chains
3.5.1. General expectations
Financial institutions may:
- Identify risks to critical services relating to third-party service providers' supply chains; and
- Implement appropriate and proportionate measures to monitor, manage and mitigate these risks that may affect the delivery of critical services.
Third-party service relationships often involve indirect reliance on other entities in the third-party service provider's supply chain (nth-party service providers) for the delivery of services to financial institutions. This indirect reliance should not lessen the regulatory responsibilities and accountability of financial institutions. Third-party service providers, through their own management of third- and nth-party risks, may have appropriate processes in place to address supply chain risks that may impact their ability to deliver services in line with contractually agreed service levels. As part of due diligence and ongoing monitoring, financial institutions may assess the effectiveness of these processes to determine if additional actions may be appropriate. For example, contracts between financial institutions and third-party service providers may cover whether the latter may sub-contract critical services (or parts thereof) and, if so, subject to which conditions.