I recently wrote about the underlying trends that I am seeing within financial services firms.
So, what does this mean for the IT MSPs, SaaS, consultancy, and professional services providers that sell to these firms?
Short answer:
- More questions from more informed people.
Long answer:
- Financial services firms need to comply with an increasing number of regulatory and legal obligations to ensure their service providers are not exposing them to operational resilience or security weaknesses.
- To comply with these obligations, they are allocating more of their people to:
  - Assess and monitor existing service providers, and identify substitute service providers in case an existing provider is too weak*.
  - Evaluate any new service provider, before they are allowed in the door**.
- These people are asking service providers more detailed questions about how they are managing operational resilience and security.
- These people are doing this all day every day. They know what ‘good’ looks like.
So, if you sell services to financial services firms:
- You are going to be asked more questions by more informed people.
- They are going to know if your answers are weak.
- They may be the reason why you are going to struggle to convert an interested prospect into a paying client.
So what?
If you don’t like the sound of this, you may need to pick a different target market.
* Identifying substitutes is not a choice. It’s an obligation:
“Where interdependencies on third parties for the delivery of critical or important business services have been identified, it should be verified that these arrangements have appropriate operational resilience conditions to ensure the firm can remain within its impact tolerances. [..] The firm should consider identifying the dependencies that can be substituted in the event of an unexpected disruption.” [Central Bank of Ireland Guidance on Operational Resilience, Guideline 11, Page 24-25].
“For ICT services supporting critical or important functions, financial entities shall put in place exit strategies. The exit strategies shall take into account risks that may emerge [, including] any material risk arising in relation to the appropriate and continuous deployment of the respective ICT service. [..] Financial entities shall identify alternative solutions and develop transition plans enabling them to remove the contracted ICT services.” [DORA Regulation, Article 28(8)].
** Performing due diligence is not a choice. It’s an obligation:
“A firm should undertake due diligence in respect of its [Outsourced Service Providers] prior to entering into an outsourcing arrangement, to ensure that third party arrangements have appropriate operational resilience conditions that enable the firm to remain within its impact tolerances.” [Central Bank of Ireland Guidance on Operational Resilience, Guideline 8, Page 20].
“Before entering into a contractual arrangement on the use of ICT services, financial entities shall [..] undertake all due diligence on prospective ICT third-party service providers and ensure [..] that the ICT third-party service provider is suitable” [DORA Regulation, Article 28(4)(d)].