Third party risk management for non-vendors
Our Third Party Risk Management Framework focuses on operational resilience and data protection. The TPRM Framework reflects our commitments to our customers, investors, Board, regulators, society and employees to continue meeting expected service levels and safeguard confidential data against malicious attacks. Below is a summary of what we expect from our Third Parties. For Third Parties who are our Suppliers, please also refer to the Supplier Charter.
1. Operational Resilience
Standard Chartered expects its Third Parties to maintain operational resilience through minimum standards of continuity planning, crisis management and resolution planning capabilities. These requirements include participating in the testing of, and continuing, operational arrangements during recovery, resolution, restructuring, operational disruptions and/or crisis, to minimise any adverse effects on the Bank, its clients and the wider economy in which we operate. Third Parties demonstrate these requirements via their contractual agreements with the Bank, or via adherence to industry certifications and standards, financial sector regulation, or governance oversight by a trusted party.
Where integrally supporting one or more of the Bank’s Important Business Services (“IBS”), Third Parties are requested to note SCB’s reliance on their continuity of support, such that SCB is able to meet the relevant IBS’ impact tolerance statement timeframe in the event of disruption.
Where providing Financial Market Infrastructure or Intermediary services that integrally support the Bank, Third Parties are requested to note SCB’s reliance on their continuity of support in the event of a potential SCB recovery, resolution or restructuring.
2. Information and Cyber Security
Standard Chartered expects its Third Parties (and sub-contractors, where applicable) to collaborate in its efforts to preserve and manage the Confidentiality, Integrity and Availability of its Information and data when used or accessed, so as to maintain client, regulator and investor confidence. Standard Chartered is committed to achieving a high standard of protection of its clients’ Information and data, and hence expects its Third Parties to provide the same level of security and protection. Third Parties should apply adequate physical, technical and organisational security measures and shall adopt industry-recommended security best practices. We encourage Third Parties to regularly validate their compliance with our policies, standards, applicable regulations and relevant Industry Standards, obtaining attestations to demonstrate their cybersecurity maturity.
3. Data Protection
Standard Chartered is committed to achieving a high standard of protection of our clients’ and colleagues’ personal data and privacy, and we expect our suppliers and other third parties to provide the same level of protection for any data that they process on our behalf. Our suppliers and other third parties should apply adequate technical and organisational measures to protect data made available to them, in line with all applicable data protection laws and regulations. Wherever data is processed by a Third Party on behalf of Standard Chartered, or Standard Chartered obtains data from a Third Party, we expect the Third Party to collect, handle and otherwise process the data in a lawful manner. Third Parties acting in the capacity of a data processor are expected to inform Standard Chartered of any data incidents, data subject requests and requests for data disclosure from governmental authorities within the time periods set forth in applicable laws (unless they are prohibited from doing so by applicable laws or regulations).
We expect all material Sub-Contractors, managers and staff employed by our Third Parties to also be made aware of the above expectations.
Should you have any questions or clarifications, please reach out to your counterpart in the Bank.