The Financial Stability Board (FSB) published a discussion paper titled Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships. The paper builds on the FSB’s 2019 report Third-Party Dependencies in Cloud Services and a survey conducted during the first quarter of 2020 on the existing regulatory and supervisory landscape related to outsourcing and third-party risk management.
The paper states:
Outsourcing and other third-party relationships can bring multiple benefits to FIs, including: enhanced operational resilience; faster and more tailored financial products and services; cost reduction; greater innovation; and improved internal processes. They can also bring increased benefits to small and medium FIs that often lack the scale of larger FIs, particularly in technology investment. However, outsourcing and third-party relationships can give rise to new or different risks to FIs and potentially to financial stability that need to be adequately managed. Some of the measures that FIs and supervisory authorities have introduced in response to the COVID-19 pandemic have highlighted the opportunities and risks that outsourcing and third-party relationships can create for the financial sector.
But outsourcing does not relieve institutions from risks:
…all respondents subscribe to the principle that outsourcing and third-party relationships cannot relieve a FI, its board or senior management from their ultimate accountability for any activities, functions, products or services which they outsource or delegate to a third party. All supervisory authorities rely primarily on FIs to manage the risks in their outsourcing and third-party relationships. They do so through regulatory requirements and supervisory expectations regarding how FIs should oversee these relationships, with a particular focus on those that are critical or important to financial stability; the safety and soundness of FIs; or the provision of critical or important functions. FIs have to ensure that their contractual agreements with third parties do not impair their ability to meet their regulatory obligations. These regulatory requirements often include requirements on FIs to ensure that their contractual arrangements with third parties grant them and their regulators rights to access, audit and obtain information from those third parties. While several supervisory authorities have specific requirements or expectations on the management of risks that may arise in a third party’s sub-contractors or its supply chain, contractual arrangements typically only bind the FI and the third party but not fourth, fifth parties and beyond. A number of supervisory authorities see this as a significant limitation on the ability of FIs to manage risks across the supply chain, and expect FIs to have adequate visibility of their third parties’ supply chain.
Financial institutions’ responses to COVID-19 have shone a light on a number of issues relating to third-party risk management, including:
- the importance of understanding the ability and capacity of third parties (and the capacity, availability and resilience of third-party technology) to remain resilient in challenging economic and operational environments, and continue to adequately provide or support critical functions in FIs;
- a heightened focus on safeguarding confidential and sensitive data at a time when employees are working from home and increasingly relying on third-party technology solutions;
- the importance of identifying, monitoring and managing risks across the supply chain (e.g. in sub-contractors providing critical products or services to a third party), in particular, where the supply chain is spread across jurisdictions, including major offshore hubs;
- the importance of implementing effective business continuity plans to ensure that FIs can recover from an outage or failure at a service provider; and
- the importance of having a feasible exit plan (e.g. by carrying out an analysis of the potential cost and timing implications of transferring an outsourced service to an alternative provider or reincorporating the service in-house).
The paper’s topics include supervisory approaches for managing outsourcing and third-party risks, and regulatory and supervisory challenges (practical challenges, cross-border challenges, and potential systemic risks).
The FSB is inviting comments on this Discussion Paper and the questions set out below. Responses should be sent to email@example.com by 8 January 2021 with the subject line “Outsourcing and third-party relationships”. Responses will be published on the FSB’s website unless respondents expressly request otherwise.
- What do you consider the key challenges in identifying, managing and mitigating the risks relating to outsourcing and third-party relationships, including risks in sub-contractors and the broader supply chain?
- What are possible ways to address these challenges and mitigate related risks? Are there any concerns with potential approaches that might increase risks, complexity or costs?
- What are possible ways in which financial institutions, third-party service providers and supervisory authorities could collaborate to address these challenges on a cross-border basis?
- What lessons have been learned from the COVID-19 pandemic regarding managing and mitigating risks relating to outsourcing and third-party relationships, including risks arising in sub-contractors and the broader supply chain?
Compliance Services Group offers auditing and consulting for vendor management. If you have any questions, or want us to take a look, contact us!
Please be advised that CSG provides financial services compliance audit and consulting services to our clients. The services that we provide include certain tasks that may be characterized as “law-related services” under Rule 5.7 of the Rules of Professional Conduct governing lawyers. Since some of our employees are lawyers with an active bar license but are NOT engaged in the private practice of law, that Rule requires us to make disclosures clarifying that the services we perform may be law-related services, but they are not legal services. Because they are not legal services, those services and our relationship will not be governed by the Rules of Professional Conduct that guide the client-lawyer relationship, such as rules applicable to privileged communications and prohibitions of conflicts of interest. Notwithstanding this disclaimer, we will continue to govern our relationship with you using reasonable ethical and professional standards that are expected to meet your expectations.