FSB consults on outsourcing and third-party relationships

FSB consults on regulatory and supervisory issues relating to outsourcing and third-party relationships.

25 November 2020

Publication

In December 2019, the Financial Stability Board (FSB) published a report on the financial stability implications of third-party dependencies in cloud services. Although the report concluded that there do not seem to be immediate financial stability risks arising from the use of cloud services by financial institutions, it suggested that it may be useful for authorities to engage in more discussion in specified areas. One of the areas identified was the management of outsourcing and third-party risks and the relevant regulatory and supervisory approaches.

Following this, in early 2020, the FSB Standing Committee on Supervisory and Regulatory Cooperation (SRC) conducted a survey among its member jurisdictions on the existing regulatory and supervisory landscape relating to outsourcing and third-party risk management, including cross-border supervisory challenges and potential financial stability issues (the SRC survey).

On 9 November 2020 the FSB published Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships (the Discussion Paper) that discusses the results of the SRC Survey in order to facilitate and inform discussions among authorities, financial institutions and third parties. The intention of the FSB is to address the issues identified in the SRC survey and the December 2019 FSB report.

The Discussion Paper is split into three chapters:

  1. overview of existing regulatory and supervisory landscape on outsourcing and third-party relationships;
  2. supervisory approaches for managing outsourcing and third-party risks; and
  3. regulatory and supervisory challenges.

Overview of existing regulatory and supervisory landscape on outsourcing and third-party relationships

The Discussion Paper notes that the regulation and supervision of Financial Institutions' (FIs) outsourcing and third-party relationships differs across jurisdictions. However, there are shared common objectives and principles. As FIs rely more heavily on ICT solutions and tools provided by or through third parties, supervisory authorities have renewed their interest in the area.

The SRC survey found that all respondents agreed that outsourcing and third parties could not relieve an FI, its board or senior managers of their accountability. FIs are expected to manage the risk and have oversight over these relationships. This is often achieved through contractual provisions, but this has limitations. For example, these contractual clauses will often only bind the third party, not its subcontractors or its supply chain. A number of supervisory authorities saw this as a significant limitation on the ability of FIs to manage risk. In some jurisdictions, supervisory authorities have legal powers giving them some level of access to third parties’ data, personnel, premises and systems for the purposes of gathering information relevant to the exercise of their regulatory and supervisory functions.

The SRC survey identified a range of issues and challenges relating to outsourcing and third-party risk management:

  • regulatory scope - the definition of outsourcing used in some jurisdictions may not capture all third-party relationships with a potential impact on financial stability or the safety and soundness of FIs;
  • information technology outsourcing - supervisory authorities are trying to address the risks posed by the cloud and have:
    • issued standalone cloud-specific policies; or
    • included specific references to or sections on cloud in their overall policies on outsourcing and third-party risk management, cybersecurity and/or IT;
  • data protection - many jurisdictions have recently introduced revised requirements relating to the protection of data that FIs transfer to or share with third parties;
  • access, audit and information rights - contractual obligations granting appropriate rights to access, audit and obtain information from third parties can be difficult to negotiate and exercise in practice; and
  • supply chain management - managing the risks in complex supply chains involved in some outsourcing and third-party agreements can be difficult in practice.

The Discussion Paper also notes that FIs' responses to the COVID-19 pandemic have highlighted further issues with third-party risk management. These include the importance of:

  • understanding the ability and capacity of third parties (and their technology) to remain resilient;
  • protecting data when employees are increasingly relying on third-party technology solutions;
  • identifying, monitoring and managing risks across the supply chain;
  • implementing effective business continuity plans to ensure that FIs can recover from an outage or failure at a service provider; and
  • having a feasible exit plan.

Supervisory approaches for managing outsourcing and third-party risks

All supervisory authorities have set out requirements and/or expectations regarding FIs’ outsourcing and third-party relationships. However, the extent of further powers and requirements differs across the jurisdictions.

In many jurisdictions there are detailed requirements for outsourcing and, in some cases, other important third-party relationships. These requirements include adequate governance and internal controls to manage third-party risks and ensure that their arrangements with third parties allow FIs to comply with their legal and regulatory obligations.

Some supervisory authorities also have legal powers giving them direct access to, or oversight over, relevant activities provided by third parties. This includes powers to request certain information directly, conduct on-site inspections, supervise some services provided by third parties or bring third parties meeting certain criteria into their direct supervisory remit. These supervisory powers are often limited to services provided to certain FIs, such as banks, and to services meeting specific criteria (generally the criticality or the importance of the service). These powers complement, and do not replace, the primary responsibility of FIs for managing the risks in their outsourcing and third-party relationships.

Regulatory and supervisory challenges

These challenges are divided into three sub-sections in the Discussion Paper. First are practical challenges:

  • shortage of relevant resources and ICT skills - ensuring that FIs have appropriate resources and skills to effectively address outsourcing and third-party risks, in particular where these rely on complex and constantly evolving ICT solutions;
  • limitations on access, audit and information rights - issues relating to the ability of FIs to negotiate and exercise appropriate access, audit and information rights in outsourcing and third-party arrangements including:
    • third parties are sometimes unaware of the regulatory obligations of their FI clients or face difficulties in facilitating compliance with them;
    • imbalances in the respective negotiating power of FIs and third parties can impact on the ability of FIs to exercise effective oversight;
    • continuous individual on-site audits can create challenges for third-party service providers;
    • third parties may refuse to grant their FI clients (and their supervisor) access to their premises;
    • there are limited tools to compel a third party to remedy any issues identified; and
  • supply chain management - limitations in the ability of both FIs and supervisory authorities to identify sub-contractor risk, and the inability to bind or influence a third party’s sub-contractors.

Secondly, the Discussion Paper highlights the cross-border challenges that need to be addressed:

  • even if supervisory authorities have powers giving them direct access to third parties, this access may not be exercisable on a cross-border basis;
  • challenges due to differing (or the lack of) data confidentiality standards and regulations that could hamper the sharing of information and having an efficient data management policy; and
  • challenges for resolution authorities, as a cross-border relationship may limit their ability to exercise step-in rights in resolution, especially when critical data or systems are held in a foreign jurisdiction, or where the service providers enter insolvency proceedings in a foreign jurisdiction.

Finally, the Discussion Paper briefly raises the potential systemic risks. Systemic risk arises from a concentration in the provision of some outsourced and third-party services to FIs. This risk increases as the number of FIs receiving critical services from a given third party increases. A major disruption, outage or failure at one of these third parties could create a single point of failure with potential adverse consequences for financial stability and/or the safety and soundness of multiple FIs.

Conclusion

The risk posed by third-party relationships and outsourcing is becoming increasingly important for regulators. Last month the European Commission published its proposed regulation intended to improve financial services firms' digital operational resilience and response to cyberattacks. This proposed regulation focuses heavily on this area and if adopted in its current form, will also subject some ICT third-party service providers to direct oversight (but not supervision) by the European Supervisory Authorities.

As a part of this ongoing discussion, the FSB is inviting comments on the Discussion Paper and seeks replies to four questions:

  1. What do you consider the key challenges in identifying, managing and mitigating the risks relating to outsourcing and third-party relationships, including risks in sub-contractors and the broader supply chain?
  2. What are possible ways to address these challenges and mitigate related risks? Are there any concerns with potential approaches that might increase risks, complexity or costs?
  3. What are possible ways in which financial institutions, third-party service providers and supervisory authorities could collaborate to address these challenges on a cross-border basis?
  4. What lessons have been learned from the COVID-19 pandemic regarding managing and mitigating risks relating to outsourcing and third-party relationships, including risks arising in sub-contractors and the broader supply chain?

If you would like to provide feedback to the FSB, the feedback period is open until 8 January 2020.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.