
Out-Law Analysis

How to manage geopolitical risk in financial services technology contracts


Financial services providers must address geopolitical risks effectively within their technology and other third party contracts to realise cross-border opportunities in an increasingly uncertain global business environment.

Cyber attacks, complex and divergent regulatory regimes, and supply chain management issues are three of the many risks financial services providers will likely have to navigate in 2023 and beyond.

As part of a broader risk management strategy, it is essential that contracts with technology and other third party suppliers include robust protections against geopolitical risk.

Geopolitical risk in the financial services technology context

Technology arrangements are particularly sensitive to geopolitical risk. Cyber risk is one of the biggest threats to businesses within the financial sector. This threat is magnified by the multi-jurisdictional data transfer and hosting arrangements, often involving sensitive data, which typically underpin technology solutions for financial services providers. 

In addition, financial services providers face challenges in mitigating the risk posed by global regulatory change as governments adapt to strike a balance between growth, national security, and competition when deciding policy for the technology sector. A lot of attention, for example, has been paid to semiconductor export restrictions, strategic competition, and the potential fragmentation of technology markets – all of which may have an impact on the approach a financial services provider takes towards its third party technology arrangements.

Third party contracts, geopolitical risk and regulation

Financial regulatory frameworks often set out broad requirements for managing third party geopolitical issues. The European Banking Authority, for example, has said that "political risks are a factor of operational risks and should be taken into account". Thought should be given to the operational impacts of engaging in technology arrangements in jurisdictions with different legal and political landscapes to those of the financial services provider.


Luke Scanlon

Head of Fintech Propositions


As part of pre-contractual risk assessment and due diligence activities, financial services providers should assess the political stability and security situation of jurisdictions relevant to the provision of services by the third party. This assessment may include consideration of legal risks such as differences in data protection, law enforcement, and insolvency regimes, trade laws, political climate risks such as ongoing or potential future instability, physical climate risks such as extreme weather or a potential lack of information to manage climate risks, and employment conditions.

A financial services provider may also need to tailor its IT security due diligence before entering into a relationship with a supplier, and at regular intervals throughout the term of the agreement, to satisfy itself that the supplier’s controls from a geopolitical risk perspective are adequate. Some jurisdictions may pose greater IT security risks than others and so a nuanced approach is necessary to deal with this risk.

Dealing with geopolitical risk through the contract

Assurances that the financial services provider receives through its pre-contractual activities can be translated into the contract in the form of representations and warranties which test the accuracy of the responses provided by the supplier. Those assurances can also form the basis for commitments from suppliers to adhere to the financial services provider’s internal standards, international standards, or more specific frameworks, if preferable.

In managing geopolitical risk relating to subcontracting, a financial services provider may opt to include provisions which limit the extent to which suppliers permit work to be subcontracted to businesses or individuals located in countries with a ‘very high risk’ or ‘high risk’ rating according to risk indices. There are several risk indices available that provide information about the level of political, economic, and security risks in different countries which may be used to assess the overall risk level in a particular country.

Depending on the financial services provider’s approach to risk and tolerance level for operational disruption, the limitation may take the form of a process which allows for risk assessments to be conducted before giving approval to an arrangement. In other circumstances, a prohibition against subcontracting may be required.

In addition, the financial services provider may require the supplier to provide it with a list of all of its subcontractors and their locations before any subcontracting takes place, and may further reserve discretion over whether to approve any new subcontractors proposed by the service provider – or otherwise exercise a right to terminate as a result of such proposals. Such an arrangement should be balanced with the nature of the service, and some regulatory frameworks will require that the financial services provider has a right to terminate the contract if the supplier subcontracts work to companies or individuals in countries that create significant or undue operational risk.

Financial services providers will also want to ensure that geopolitical events do not expose them to risks which may cause them to fail to meet their operational resilience regulatory requirements. For example, geopolitical risks could result in the financial services provider going beyond the maximum level of tolerance it has set for one of its important business services. The contract should provide for business continuity plans and broader resilience programmes to take into account political risks in the service provider’s relevant jurisdictions.

With regulatory scrutiny of supplier arrangements increasing, there is good reason for financial services businesses to ensure that they have taken all steps necessary not only to assess but protect against the geopolitical risks of engaging with third parties and to obtain commitments from suppliers which effectively address those risks.

Co-written by David Tilbury of Pinsent Masons.
