Annex 2: Regimes pursuing supervision of certain critical third-party services and/or service providers
Some supervisory authorities have or are in the process of acquiring powers to supervise the provision of certain critical services by third-party service providers, such as those deemed to give rise to systemic third-party dependencies. Box 1 summarises these regimes.
Box 1: Examples of regimes
US Bank Service Company Act (BSCA)
The BSCA allows for the US Federal Banking Agencies (FBA) to supervise and regulate certain bank services provided by third parties. In particular, the BSCA provides that when an FBA-regulated bank or its affiliate causes to be performed for itself (by contract or otherwise) bank services, then the performance of the bank services is subject to regulation and examination by the FBA to the same extent as if those services were being performed by the bank. Title VIII of the Dodd-Frank Act also allows supervisory agencies of designated financial market utilities (DFMUs) - currently the FRB, SEC, and CFTC - to examine the provision of a service provided by another entity when such a service is "integral" to the operation of the DFMU.
EU Digital Operational Resilience Act (DORA)