Regulation and supervision of outsourcing arrangements and third-party relationships entered into by financial institutions continues to be an area of great focus for regulators. The FSB notes that many of the issues it highlighted in its December 2019 report (which focussed on cloud services) are relevant more generally.
The FSB’s latest discussion paper sets out an overview of the regulatory and supervisory landscape on outsourcing and third-party risk management across a number of jurisdictions based on a survey carried out in Q1 2020. The deadline for providing feedback is 8 January 2021.
Below are the key themes arising across eight areas of focus – areas which by now will be very familiar to UK financial institutions.
- Outsourcing -v- third-party relationships
The term “outsourcing”, as defined by many supervisory authorities, may not capture all third-party relationships with a potential impact on financial stability or the safety and soundness of financial institutions. The FSB noted that some jurisdictions and international bodies have considered, or are considering, expanding the scope of their regulatory framework or principles to cover all “third-party relationships” – including for example, certain purchases of critical hardware or software from third-party vendors (see e.g. BCBS consultative document on Principles for operational resilience).
- Intragroup outsourcing
The majority of supervisory authorities surveyed did not distinguish between services provided by an entity that is part of a financial institution’s group and services provided by non-group third-party service providers. However, supervisory authorities generally recognised that their requirements allowed both the particular risks and the efficiencies of intra-group arrangements to be addressed. The FSB referred to IOSCO’s outline of the benefits and risks of intra-group outsourcing (see Principles on Outsourcing consultation report): a group entity typically gives the institution greater control and influence over the provider, whereas an arm’s-length arrangement with an external provider carries greater potential for divergent interests.
- Governance and risk management
Regulatory/supervisory expectations in this area were seen as consistent across the surveyed authorities. These included:
- Ultimate board responsibility for management of outsourcing and third-party risks
- Clear roles and responsibilities within the outsourcing framework
- A unit responsible for the monitoring and control of each outsourced function or service, with proper reporting to the Board and senior management
- Integration of a financial institution’s third-party risk management process with its enterprise-wide risk management framework, and the proper involvement of the three lines of defence or an internal risk management and control model to ensure appropriate segregation of duties
- Outsourcing and third-party risk management policy, approved and periodically reviewed by the Board
- Effective risk management framework for outsourcing and third party arrangements
- Comprehensive risk assessment prior to proceeding with the outsourcing process
- Appropriate due diligence in the selection of the third-party service provider (ability, capacity and authorisation)
- Notification to supervisory authority of material outsourcing arrangement (ex-ante, ex-post, or pre-approval).
- Data security, information and cyber security requirements
Common areas covered across the surveyed jurisdictions included:
- Data location – management of risks relating to routing, storage or transfer of data across jurisdictions
- Data access – for financial institutions and supervisory authorities
- Data classification and protection – remains the responsibility of the financial institution
- Data breach – third party to report to financial institution
- Oversight of relationships across the supply chain: financial institutions and supervisory authorities
A number of supervisory authorities see the typical nature of contractual arrangements – which only bind the financial institution and the third party but not fourth, fifth or subsequent parties – as a significant limitation on the ability of financial institutions to manage risks across the whole supply chain. Supervisory authorities expect financial institutions to have adequate visibility of their third parties’ own supply chain.
Financial institutions should generally have the ability to contractually limit, approve, or object to at least some forms of sub-contracting; be notified of material changes to sub-contractors; and have the opportunity to terminate arrangements in certain circumstances.
Most supervisory authorities expected institutions to ensure that contractual rights for financial institutions and the relevant authorities remain throughout the supply chain (e.g. access and audit rights).
A number of supervisory authorities have legal powers giving them some level of direct access or oversight over relevant activities of third party service providers – to request certain information, conduct on-site inspections or supervise the provision of services. But these powers complement, and do not replace, the primary responsibility of financial institutions for managing the risks in their outsourcing and third-party relationships.
- Appropriate skills and resources
The FSB noted that recruiting, retaining and training employees with the relevant experience and skills to effectively manage the growing range of third-party ICT providers is a challenge for financial institutions, as well as for supervisory and resolution authorities overseeing them.
- Access, information and audit rights
The FSB identified that financial institutions faced challenges in negotiating and exercising appropriate access, audit and information rights in outsourcing and third-party arrangements, both for themselves and for their supervisory and resolution authorities. These challenges ranged from third parties’ lack of awareness and imbalance in negotiating power, to practical access and remediation issues.
The FSB reiterated the importance of financial institutions using their own staff with relevant expertise to scrutinise the assurances of compliance that third parties provide, for example certificates and reports evidencing compliance with recognised standards (e.g. ISO/IEC) or the output of pooled audits, rather than accepting them at face value. In practice this means checking that the scope, period and controls covered by a certificate or report actually correspond to the service being procured.
Financial institutions should also make sure that any cross-border element in an arrangement does not prevent them, or their supervisory and resolution authorities, from meeting legal and regulatory obligations concerning access to a third party located in another jurisdiction.
- Concentration risk and mitigation (exit) strategies
The FSB identified systemic risk as a common concern across a number of jurisdictions. This could arise if, for instance, a sufficiently large number of financial institutions (or a single systemic financial institution) became dependent on one or a small number of outsourced or third-party service providers for the provision of critical services that were impossible, or very difficult, to substitute effectively and within an appropriate timeframe.
The FSB observed that industry practice on mitigation plans was evolving rapidly and encompasses an increasing range of contractual, practical and technological approaches – including retaining the ability to bring data or applications back on-premises, creating and securing back-up copies of sensitive data, use of multiple or back-up vendors, and, in the case of cloud outsourcing, one or more resilience options.
For supervisory authorities the task of mapping and understanding the system-wide effects of third-party dependencies continues to evolve given the increasing range of services and changing ecosystem – particularly given its cross-border nature. This has given rise to an emerging trend of supervisory authorities using standardised inventories or registers of service providers.