The Financial Stability Board (FSB) has published a discussion paper for public consultation, on Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships.
Financial institutions (FIs) have relied on outsourcing and other third-party relationships for decades.
However, in recent years, the extent and nature of FIs’ interactions with a broad and diverse ecosystem of third parties has evolved, particularly in the area of technology.
The financial sector’s recent response to the COVID-19 pandemic highlights the benefits as well as the challenges of managing the risks of FIs’ interactions with third parties, and may have accelerated the trend towards greater reliance on certain third-party technologies.
Against this background, this Discussion Paper builds on the The Financial Stability Board’s report published in December 2019 on Third-party dependencies in cloud services and aims to facilitate a broader discussion on current regulatory and supervisory approaches to the management of outsourcing and third party risks.
The Paper does not propose any specific principles or standards but rather seeks to promote greater global dialogue among FIs, supervisory authorities and third parties.
The Paper draws on a survey conducted by the FSB Standing Committee on Supervisory and Regulatory Cooperation (SRC), which asked a series of questions regarding the existing regulatory and supervisory landscape relating to outsourcing and third-party risk management in its member jurisdictions.
The survey covered various aspects of the current regulation and supervision of FIs’ outsourcing and third-party relationships, including:
- Definitions of outsourcing and third-party relationships
- Intra-group outsourcing
- Governance and risk management
- Data security
- Information and cyber security
- Supply chain management
- Access, audit and information rights
- Concentration risk considerations
The regulation and supervision of FIs’ outsourcing and third-party relationships varies across jurisdictions but shares common objectives and principles.
For instance, all respondents subscribe to the principle that outsourcing and third-party relationships cannot relieve a FI, its board or senior management from their ultimate accountability for any activities, functions, products or services which they outsource or delegate to a third party.
The evolving landscape of FIs’ third-party relationships has prompted several supervisory authorities to update or consider updating their regulatory and supervisory framework on outsourcing, third-party risk management and related areas, such as business continuity planning, cybersecurity, data protection, operational resilience and risk management.
All responding supervisory authorities have also set out requirements and/or expectations on how FIs’ should manage their outsourcing and third-party relationships.
Many have implemented detailed requirements for outsourcing.
In some cases, supervisory authorities have implemented additional requirements for third-party relationships deemed critical or important, such as to the safety and soundness of individual FIs or the provision of critical or important functions or critical shared services relevant to financial stability.
While mapping and understanding the system-wide effects of third-party dependencies is not a new issue, it remains an evolving area for supervisory authorities due to the heterogeneity of services provided and the changing ecosystem.
Given the cross-border nature of this dependency, supervisory authorities and third parties could particularly benefit from enhanced dialogue on this issue.
The FSB welcomes comments and responses to the questions set out in the discussion paper by 8 January 2021.
Consultation responses will help facilitate a discussion on current regulatory and supervisory approaches to the management of outsourcing and third-party risks.
The post The Financial Stability Board voices growing concerns over 3rd party banking software appeared first on Payments Cards & Mobile.