Chapter 36: Further Reading — Vendor Selection, Due Diligence, and Implementation Management


Essential Primary Sources

DORA — Digital Operational Resilience Act (EU) 2022/2554

Full Text: Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector
Articles 28, 29, and 30 are the foundational regulatory text for this chapter. Article 28 establishes the general principles of ICT third-party risk management. Article 29 specifies the mandatory content of contracts with ICT third-party service providers. Article 30 sets out the enhanced requirements for arrangements covering critical or important functions.

The Level 2 implementing technical standards (ITS) and regulatory technical standards (RTS) published by EBA, ESMA, and EIOPA provide the technical detail for DORA implementation. Key instruments include:
- EBA/RTS/2024/006: Joint RTS on the Register of Information (subcontracting chains)
- EBA/RTS/2024/007: Joint RTS on policy for ICT services supporting critical or important functions
- EBA/GL/2024/008: Guidelines on oversight of critical ICT third-party service providers

Available at: https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience

DORA Supervisory Guidance on Third-Party Risk Management — ESAs Joint Position Paper
Published in 2024, this joint position paper from EBA, ESMA, and EIOPA provides supervisory expectations for third-party risk management under DORA, including the standard for contract provisions.


FCA Operational Resilience Framework

FCA Policy Statement PS21/3: Building Operational Resilience
The foundational UK document for operational resilience, establishing the Important Business Services framework, impact tolerances, and the regulatory expectation that firms map operational resilience through to third-party dependencies. Available at the FCA website.

FCA Supervisory Statement SS1/21: Operational Resilience (joint with PRA)
Published alongside PS21/3, this statement provides the prudential perspective on operational resilience for PRA-regulated firms, including treatment of third-party operational risk.

FCA Discussion Paper DP22/3: Operational Resilience — Critical Third Parties
The precursor document to the CTP regime. It sets out the regulatory rationale for direct oversight of systemically important ICT providers and the expectations that would be placed on both CTPs and the firms that use them.


FCA/PRA/Bank of England — Critical Third Party Regime

HM Treasury Consultation: Regulatory Framework for Systemic Digital Infrastructure
The policy framework that enabled the CTP designation powers in FSMA 2023.

PRA Policy Statement PS6/25 / FCA Policy Statement PS3/25: Critical Third Parties
The joint regulatory statement implementing the CTP regime. Specifies the criteria for CTP designation, the operational resilience standards that CTPs must meet, and the supervisory expectations for firms using designated CTPs. Available at the Bank of England and FCA websites.


GDPR — Vendor Contracting

UK GDPR Article 28: Processor
The primary legal provision governing data processor relationships. Every RegTech contract involving personal data must include a Data Processing Agreement that meets Article 28 requirements. The provision specifies the mandatory content of such agreements.

ICO Guidance on Data Processors
The UK Information Commissioner's Office guidance on controller-processor relationships, including practical guidance on Data Processing Agreement drafting and sub-processor management. Available at https://ico.org.uk

EDPB Guidelines 07/2020 on the Concepts of Controller and Processor under the GDPR
European Data Protection Board guidelines on the controller/processor relationship, which remain relevant for UK GDPR interpretation and for firms with EU operations.


Practitioner and Academic Sources

IT Sourcing and Contract Negotiation

Gartner Research: IT Sourcing and Vendor Management Methodologies
Gartner publishes a suite of research notes on vendor evaluation methodology, RFP best practices, and IT contract negotiation. Of particular relevance:
- "Best Practices for Evaluating Software Vendors" (Gartner, updated annually)
- "How to Negotiate SaaS Contracts" (Gartner)
- "IT Vendor Risk Assessment Framework" (Gartner)

Access requires a Gartner subscription, but many corporate libraries and university business schools carry access.

Celent: RegTech Vendor Landscape Reports
Celent publishes annual landscape reports covering major RegTech categories including AML/transaction monitoring, trade surveillance, regulatory reporting, and KYC. Reports include vendor profiles, technology comparisons, and client satisfaction data. The firm's "XCelent Awards" methodology provides a framework for comparing functional breadth, technical architecture, and market penetration.

Chartis Research: RiskTech100 and RegTech Category Reports
Chartis Research publishes the RiskTech100 annual ranking of risk technology vendors and category-specific vendor evaluation reports (AML, regulatory reporting, conduct risk). The Chartis methodology is particularly strong on technology architecture assessment.


Financial Services Third-Party Risk Management

EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04)
Pre-DORA guidelines that established the foundational framework for ICT risk management in European banking. Although partially superseded by DORA, these guidelines remain relevant for understanding the regulatory expectations that DORA codified and for firms not yet fully within DORA's scope.

BIS Principles for the Sound Management of Operational Risk (BCBS 195)
The Basel Committee's operational risk management principles, including Principle 9 on third-party relationships. This is the international standards-level articulation of what sound third-party risk management looks like for banking organizations.

FSB Report on Financial Stability Implications from Fintech (2017) and Cyber Lexicon (2018)
The Financial Stability Board's assessments of technology risk in financial services, including third-party concentration risk. These documents provide the macro-prudential context for why individual firms' vendor management choices have systemic implications.


SaaS Contract Negotiation

"Negotiating Software Contracts: A Practitioner's Guide"
Several professional associations (including the International Association for Contract and Commercial Management — IACCM) publish practical guides to software contract negotiation. For RegTech-specific procurement, the following IACCM guidance categories are most relevant: SaaS agreements, data rights and portability, and service level agreement design.

"The SaaS CTO Security Checklist" — Aaron Bedra (updated annually, publicly available)
While addressed to CTO practitioners, this checklist provides a useful framework for the technical due diligence questions that compliance teams should ask of SaaS vendors, covering data security architecture, incident response, and sub-processor management.

"Cloud Contract Clauses: What Financial Services Firms Need" — Cloud Security Alliance Financial Services Working Group
A practical guide to cloud-specific contract provisions for financial services firms, including data sovereignty, exit provisions, audit rights, and incident notification requirements. Available at https://cloudsecurityalliance.org


Regulatory Sources Table

| Jurisdiction | Framework | Key Provisions | Regulator/Source |
|---|---|---|---|
| EU | DORA — Regulation (EU) 2022/2554 | Art. 28-30: Third-party ICT risk management; contractual requirements | EBA / ESMA / EIOPA |
| EU | EBA/GL/2019/04 | ICT and security risk management; third-party guidelines | EBA |
| UK | FCA PS21/3 | Operational resilience; Important Business Services; third-party mapping | FCA |
| UK | FSMA 2023 / PS6/25 / PS3/25 | Critical Third Party regime; direct CTP oversight | FCA / PRA / Bank of England |
| UK | FCA SYSC 8 | Outsourcing requirements; risk management; governance | FCA |
| UK | MLRs 2017 / JMLSG Guidance | AML systems and controls; CDD platform requirements | HM Treasury / JMLSG |
| UK/EU | UK GDPR / EU GDPR Article 28 | Data processor obligations; DPA requirements; sub-processor governance | ICO / EDPB |
| International | BCBS 195 | Operational risk management; third-party risk (Principle 9) | Basel Committee |
| International | FSB Cyber Lexicon (2018) | Systemic third-party concentration risk | Financial Stability Board |
| US | FFIEC IT Examination Handbook | Technology outsourcing; vendor management; contract requirements | FFIEC |
| US | OCC Bulletin 2013-29 | Third-party relationship risk management (banking) | OCC |

Online Resources and Tools

EBA DORA Implementation Hub
The EBA maintains a dedicated DORA implementation page with all Level 2 RTS, ITS, and guidelines, Q&A publications, and supervisory guidance. Essential for compliance teams implementing DORA third-party risk requirements. https://www.eba.europa.eu/regulation-and-policy/digital-operational-resilience

FCA RegTech Sandbox and Innovation Portal
The FCA's Innovation Hub provides guidance on RegTech solutions and, importantly, publishes feedback from firms that have used RegTech in regulatory compliance contexts. This feedback provides informal evidence of what regulators have seen working (and not working) in practice. https://www.fca.org.uk/firms/innovation

ICO Accountability Framework: Data Processors
The ICO's accountability framework tool includes specific guidance on processor relationships and a self-assessment tool for DPA completeness. https://ico.org.uk/for-organisations/accountability-framework

ACAMS (Association of Certified Anti-Money Laundering Specialists)
For AML technology procurement specifically, ACAMS publishes guidance on technology assessment, and its member community is a valuable source of peer intelligence on vendor performance. https://www.acams.org

FinTech Global RegTech100
An annual ranking of the 100 most innovative RegTech companies, with brief profiles and categorization by solution type. Useful for initial market mapping. https://fintech.global/regtech100


Looking Ahead to Chapter 37

Chapter 37 addresses the organizational dimension of RegTech strategy: how to build and scale a RegTech function within a regulated financial institution. Where Chapter 36 focused on the procurement and vendor management activities that acquire the technology, Chapter 37 addresses the people, organizational structures, and internal processes that operate it sustainably. Key themes include: the RegTech team's position in the organizational chart; the skills mix required; the governance of ongoing technology investment; and the challenge of maintaining regulatory agility in a function that must also deliver operational stability.


Chapter 36 is part of Part 7: RegTech Strategy and Implementation. See also Chapter 35 (Building the Business Case for RegTech Investment) and Chapter 37 (Building and Scaling a RegTech Function).