Banca Monte dei Paschi di Siena

35. b. What is the need for the policy to differentiate between authorized and unauthorized service providers?
40. The Business Continuity Plan is a high sensible information, since it exposes situations that can compromise supplier safety, therefore many suppliers are reluctant to provide their plan or not provide it at all.
Is it possible to provide for the obligatory delivery of the Operational Continuity Plan by the Supplier?
Should the Bank be able to participate in the BCM tests carried out by the Supplier / Outsourcer?

44. d. This fulfilment presupposes that the service provider is required to adopt risk assessment criteria that are comparable with the institution’s ones. How to fulfil where the Service Provider is not obliged to formalize his risk appetite or does it follow different criteria than the institution’s ones?
47. b. The service provider could have a very complex sub-service network. To which level of sub-service is it necessary to include and which type of sub-service?

The Bank registers Suppliers (Outsourcers) and acquires all the information necessary to identify the outsourced processes / procedures; in the event that the outsourcer intends to make use of the collaboration of another supplier (sub-outsourcer), he must acquire and transmit to the Bank all the information necessary for the sub-supplier's census and communicate which part of the process has been entrusted to him?

Furthermore, should the supplier be contractually required to act as guarantor of the operational continuity aspects adopted by the sub-outsourcer?

47. c. viii What does “time critical” mean? Is there a precise classification than involves significant consequences?
51. g. What does “to be scaled up” mean?
54. In addition to the difficulty of obtaining such information when the service provider has its address abroad, it is assumed that the institution has the internal expertise to be able to assess aspects related to foreign regulation.

56. It is difficult to check that the service provider, and in the case the subcontractors, adhere to the international standards on human rights, the environment and adequate working conditions, including the prohibition of child labor.
57. We ask you to confirm that the monitoring and reporting process is internal to the institution

58. It is asked to clarify whether the indication of any increase / decrease in operational risk is qualitative


61. Please specify in detail what is meant by risk assessment during continuous monitoring"

61. e. Should security measures be foreseen and defined in the outsourcing agreement?"
63. e. What level of detail and punctuality should the relevant data be stored in the outsourcing agreement?
What do you mean by relevant?

70. What is meant by:
Sensitive data?
Sensitive payment data?
Specific data according to EU Regulation 2017/679?
Confidential data of the institution that outsources?
83. Does this mean that the institution should monitor the sub-sub-contractors?

85. Making periodic assessments in the absence of any variation may not be productive. It is proposed to carry out evaluations only if there are variations on the contract
90. b. Please clarify whether the scenario transition from one supplier to another" should be included in the business continuity plans and if this scenario should be tested."
92. Is an Excel sheet sufficient or should a dedicated software application be used?

93. Is the requirement adequately satisfied by a prior notificaton to the supervisory authority before the agreement finalization
99. Please clarify which risk analysis" activities are concerned, considering that on-site inspections are carried out by the Audit Function and not by the Risk Function"
Marcello Conforti
B