02/04/2025
Briefing

Note: While this article uses the phrase ‘Vendor Management’ throughout, readers should understand this to be a general reference to the framework(s) used to govern and oversee their outsourced, delegated and other third-party arrangements.  

Vendor Management Fundamentals 

As highlighted in the ECB’s recent article on outsourcing trends in the banking sector, the reliance placed by banks on IT Outsourcing continues to increase; with all indications pointing to this trend continuing for the foreseeable future. In addition, it is unlikely that this trend is confined to the banking sector as we continue to see firms across the wider financial services industry exploring the operational and commercial opportunities of increased automation and the use of artificial intelligence (“AI”) technologies.  

Recognising this growing dependence on IT Outsourcing in a time of increasing regulatory complexity, this article aims to highlight the key components of a robust vendor management programme which will support firms in managing and governing their third-party arrangements whilst also achieving their technology and AI strategy.  

1. Centralised Repository  

As many firms will have realised during their implementation of the EBA’s Guidelines on outsourcing arrangements and/or the Central Bank of Ireland’s Cross Industry Guidance on Outsourcing (collectively the “Outsourcing Guidelines”), compiling an accurate and complete list of all external third-party and intragroup service providers who support your operations is rarely straightforward. Instead, firms often face a range of complicating factors, which have been known to include: 

  • The lack of a centralised contracts repository within the firm and/or group
  • Details of external third-party service providers being spread across a variety of billing and payment systems
  • Transfer pricing arrangements which do not capture the full extent of intragroup outsourcing arrangements – for example, in the situation where the costs associated with IT Services and related support is allocated to the largest revenue generating entity as opposed to the entities making use of the services; and  
  • The unintended consequences of internal mobility within a group structure on the ability to identify the most appropriate contracting entity, as well as the location of service delivery, and location of data storage and processing.  

However, without this holistic view of service providers, it is impossible for a firm to fully quantify and manage the ICT and Third-Party Risk arising across their outsourcing universe. In addition, if a firm does not have clear visibility into all services received from a service provider, it can greatly reduce their ability to develop effective business continuity and resilience strategies, or to negotiate preferential terms or fee rates with their service providers.   

2. Standardised Methodologies and Processes

To accurately identify, classify and categorise outsourcing arrangements, each and every proposal to engage a service provider should be subject to the same standardised assessments prior to contract execution and on an ongoing basis thereafter. Put simply, irrespective of who the service provider is or what types of services are to be provided, the firm should not approach the governance or oversight of any arrangement differently until such time as it has determined at least the following:   

  1. Whether the arrangement is aligned to the firm’s business model, strategy and risk appetite  
  2. Which legal and regulatory requirements apply to the governance and oversight of the arrangement (see below for further details)
  3. Whether the arrangement is itself critical or important, and/or supports the performance of a critical or important business service or function; and  
  4. Whether the arrangement is subject to regulatory notification and filing requirements.

Despite the volume of regulations which have recently been introduced to govern technology and AI services, regulators have made it clear that each new requirement is intended to build on the last. In adopting this approach, there is a clear expectation that the oversight frameworks adopted by each firm can be continuously scaled up and adapted to incorporate the requirements introduced by each regulation, which as of the time of this article, may include: 

Regulation | Primarily applicable to
General Data Protection Regulation (GDPR) | Any firm that handles the personal data of EU residents.
ESMA Guidelines on outsourcing to cloud providers | AIFMs, UCITS management companies, certain investment firms and credit institutions, central counterparties, central securities depositories, credit rating agencies, securitisation repositories and administrators of critical benchmarks.
ECB Guide on outsourcing cloud services to cloud service providers | Any institution that is supervised directly by ECB Banking Supervision.
Central Bank of Ireland’s Cross Industry Guidance on Operational Resilience | All firms regulated by the Central Bank of Ireland.
Network and Information Systems Directive, 2022/2555 (NIS2) | Certain firms operating within the eighteen critical sectors named in the legislation, with the exception of those financial entities in scope of the Digital Operational Resilience Act (DORA).
Digital Operational Resilience Act (DORA) | All financial entity types listed in Article 2 of DORA.
EU AI Act | Providers and deployers of AI technologies.
Payment Services Directive and Payment Services Regulations | Banks and non-bank payment service providers and e-money firms that support payments within the EU.
Corporate Sustainability Reporting Directive | Large EU-domiciled firms that meet at least two of the following criteria: an annual net turnover exceeding €50 million, a balance sheet total exceeding €25 million, or an average of 250 employees; and non-EU firms with substantial operations within the EU, such as subsidiaries or branches.

What this means in practice is that firms do not have the time to review their arrangements and contracts each time a new requirement is introduced. Instead, gathering all necessary information at the outset of an arrangement and ensuring it remains up to date through periodic reviews allows firms to keep pace with regulatory changes and provides enriched information for use in management and Board decision-making.   

3. Clarity of Roles and Responsibilities  

To effectively manage and oversee an arrangement with a service provider, particularly one which supports a critical or important service or function, there needs to be a clear understanding of who is responsible for what within the vendor management programme as well as who may be called upon for further support and guidance. In clarifying the roles and responsibilities of each stakeholder, the firm will benefit from: 

  • strengthened service provider relationships through a co-ordinated and joined-up approach to oversight and due diligence i.e. the service provider is not asked to deal with multiple teams/individuals  
  • optimised service provider performance, as risk, compliance, operational, technology etc. queries and concerns can be quickly identified and resolved; and  
  • enhanced clarity in the expectations of service providers as the firm’s multi-disciplinary team contribute to the design of oversight and due diligence engagements, including the contents of the service level agreement.   

In defining roles and responsibilities, it is important to recognise that the resources available to firms are likely to differ significantly depending on the nature, scale and complexity of their operations and whether they are part of a wider group structure. That being said, in accordance with the Outsourcing Guidelines, firms must ensure that they assign responsibility for the oversight of outsourcing risk and outsourcing arrangements to an appropriately designated individual, function and/or committee and that they maintain appropriate skills and knowledge to effectively oversee outsourcing arrangements from inception to conclusion. This is especially important where the activities being outsourced are technical and/or complex in nature, for example in the case of outsourcing to IT Service Providers. 

Where a Firm’s vendor management programme is managed or co-ordinated centrally within their group, care must be given to ensuring that any oversight is conducted in line with local requirements and that the local individual/function delegated responsibility for the oversight of outsourcing risk and outsourcing arrangements can fulfil their obligations.  

4. Defined Approach to Proportionality   

All too often, firms choose to adapt or amend the oversight and due diligence requirements they apply to service providers under the guise of applying proportionality. Over time, these changes unintentionally create inconsistencies in the approach taken to similar arrangements and ultimately undermine the integrity of a firm’s vendor management programme. In the same way that firms should have a defined approach to identifying and classifying arrangements, they should also have a defined methodology for how and when the principle of proportionality will be applied, which should consider at least the following:  

  • The regulatory expectations which apply to the firm based on its assigned PRISM/SREP rating.
    • The higher the overall risk profile of the firm, the more robust and comprehensive its internal control and governance arrangements will need to be.
  • The importance of the overall relationship with the service provider.  
    • The frequency and intensity of oversight and due diligence of any service provider should be informed by the level of dependence the firm has on the uninterrupted delivery of services by the service provider.  
  • The importance of the specific services received by the firm to its continued operations. 
    • Certain licensed services are subject to strict regulatory and legal requirements. Where a service provider is engaged to support services which underpin the firm’s licensed activities and authorisations, the oversight of these services should be proportionately heightened.  

By formally documenting the criteria to be used in determining the appropriate frequency and intensity of oversight and due diligence to be applied to each service provider, the firm will benefit from a scalable and standardised approach to vendor management which will withstand the scrutiny of both clients and regulators.  

How can we help?  

Our multi-disciplinary team of lawyers and industry practitioners is uniquely placed to support you in the design and implementation of your vendor management programme. Whether you are looking for legal advice and guidance on which regulations apply, support in the drafting or review of contracts, practical implementation support or post-implementation assurance reviews, we are here to help.  

For further details on the services we can offer, please contact any member of the Technology and Innovation or Governance and Consulting Services Group.  

To read the previous articles within this series, please use the links below:  

Part 1 – A Practitioner’s Guide to IT Outsourcing 

Part 2 – A Practitioner’s Guide to IT Outsourcing – The Complexities of Sub-Outsourcing 

Part 3 – A Practitioner’s Guide to IT Outsourcing – When Things go Wrong 

Part 4 – A Practitioner’s Guide to IT Outsourcing – A Review of Risk and Reliance