Memo #35371

FSB Publishes Consultation on Enhancing Third-Party Risk Management and Oversight

July 10, 2023

TO: ICI Global Members
Asia Regulatory and Policy Committee
Europe Regulatory and Policy Committee
Global Operations Advisory Committee
SEC Rules Committee

SUBJECTS: Cybersecurity
Financial Stability
International/Global
Operations

RE: FSB Publishes Consultation on Enhancing Third-Party Risk Management and Oversight

On June 22, 2023, the Financial Stability Board (FSB) published a consultation on Enhancing Third-Party Risk Management and Oversight: A toolkit for financial institutions and financial authorities.[1] Comments are due on August 22, 2023, and ICI plans to submit a response. The FSB is holding a virtual outreach event on July 21, 2023, at 13:00-15:00 CEST.[2]

Background

The FSB states that third-party dependencies have grown in recent years as part of the digitalization of the financial services sector. It observes that while this can bring multiple benefits, including flexibility, innovation and improved operational resilience, if not properly managed, disruption to critical services or service providers could pose risks to financial institutions and, in some cases, financial stability.

In November 2020, the FSB published a discussion paper on regulatory and supervisory issues relating to outsourcing and third-party service relationships.[3] Based on the feedback to the discussion paper, in September 2021, the FSB's Standing Committee on Supervisory and Regulatory Cooperation decided to develop a toolkit for financial regulatory and supervisory authorities (financial authorities) focused on their oversight of financial institutions' reliance on critical service providers.[4] The consultation is on the proposed toolkit, which includes common terms and definitions on third-party risk management.

The objectives of the toolkit are to:

1) reduce fragmentation in regulatory and supervisory approaches to financial institutions' third-party risk management across jurisdictions and different areas of the financial services sector;

2) strengthen financial institutions' ability to manage third-party risks and financial authorities' ability to monitor and strengthen the resilience of the financial system; and

3) facilitate coordination among relevant stakeholders (i.e., financial authorities, financial institutions and third-party service providers).

The FSB indicates that the work could also help mitigate compliance costs for both financial institutions and third-party service providers.

Common terms and definitions

The toolkit comprises four main chapters, the first of which presents a list of common terms and definitions. The FSB notes that harmonization of terms is not always possible or desirable because of differences in regulation and industry practices across jurisdictions and in existing definitions used by other standard-setting bodies. Nevertheless, a shared understanding of common terms can improve clarity and consistency, and enhance communication among stakeholders under interoperable approaches.

The defined terms include: service provider, third-party service provider, [N]th-party service provider, intra-group service provider, outsourcing, supply chain, critical service, and systemic third-party dependency.

Scope and general approaches

The second chapter summarizes the approach taken in the consultation. In particular, the primary emphasis is on critical services[5] given the potential impact of their disruption on financial institutions' critical operations and financial stability and the potential systemic implications if systemically important financial institutions or multiple financial institutions across the system are affected.

The toolkit takes a holistic and risk-focused approach. The focus on third-party risk management is wider than the historically narrower focus on outsourcing, reflecting changing industry practices and recent regulatory and supervisory approaches to operational resilience.

The toolkit aims to promote interoperability of regulatory and supervisory approaches, short of full homogeneity. The FSB notes that complete regulatory and supervisory alignment is unlikely to be possible or practical because of legal differences between regimes and financial institutions' varied business models. The FSB further recognizes that risks differ between jurisdictions and regions and across different areas of the financial services sector.

Finally, the principle of proportionality applies throughout the toolkit. Taking a proportionate, risk-based approach allows the tools to be adapted to smaller, less complex institutions and service providers, and to intra-group third-party service relationships.

The toolkit is intended to be used by both:

  • Financial institutions in their management of third-party risks; and
  • Financial authorities as they consider their approaches to the oversight of financial institutions' third-party service relationships (in particular, those involving critical services), and the identification, monitoring and management of systemic third-party dependencies and potential systemic risks.

Critical services

The toolkit's third chapter sets out considerations to help financial institutions identify critical services and tools to manage potential risks throughout the lifecycle of a third-party service relationship. The FSB notes that financial institutions are primarily responsible for and usually best placed to assess the criticality of the services they receive or plan to receive.

These tools seek to help financial institutions to:

  • Conduct due diligence, contracting and ongoing monitoring of critical services and service providers;
  • Be informed of incidents affecting critical services in a timely way;
  • Have consistent mapping of financial institutions' third-party service relationships;
  • Manage risks relating to their third-party service providers' use of service supply chains;
  • Implement and test business continuity plans and coordinate with their third-party service providers for their business continuity;
  • Develop effective exit strategies; and
  • Strengthen the identification and management of service provider concentration, and concentration-related risks.

Financial authorities' oversight of third-party risks

The fourth chapter sets out financial authorities' current and developing approaches and tools for supervising how financial institutions manage third-party risks, and for identifying, monitoring and managing systemic third-party dependencies and potential systemic risks. In some jurisdictions or regions, financial authorities have, or are in the process of acquiring, regulatory powers to formally designate certain service providers as critical for the financial system and to oversee these service providers and the services they deliver to financial institutions. There may also be dedicated reporting frameworks through which financial institutions notify authorities of significant incidents, including those involving third-party service providers. However, jurisdictions have not universally adopted these practices. Therefore, according to the FSB, the tools in the proposed toolkit are versatile and can be adopted through voluntary collaboration between financial authorities, financial institutions and relevant service providers, through requirements or expectations on financial institutions, or through direct requirements or expectations on service providers.

The chapter underscores the importance of cross-border supervisory cooperation and information sharing. To this end, the chapter sets out ways to explore greater convergence of regulatory and supervisory frameworks around systemic third-party dependencies, options for greater cross-border information sharing, and cross-border resilience testing and exercises.

Annette Capretta
Chief Counsel, ICI Global

Notes

[1] FSB, Enhancing Third-Party Risk Management and Oversight: A toolkit for financial institutions and financial authorities (June 2023), available at https://www.fsb.org/wp-content/uploads/P220623.pdf.

[2] Information about the event and a link to register for it are available at https://www.fsb.org/2023/06/industry-outreach-on-third-party-risk-management-and-oversight/.

[3] See FSB, Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships: Discussion paper (November 2020), available at https://www.fsb.org/wp-content/uploads/P091120.pdf.

[4] See FSB Work Programme for 2022, available at https://www.fsb.org/2022/03/fsb-work-programme-for-2022/ and FSB Work Programme for 2023, available at https://www.fsb.org/2023/03/fsb-work-programme-for-2023/.

[5] The toolkit defines a critical service as a "service whose failure or disruption could significantly impair a financial institution's viability, critical operations, or its ability to meet key legal and regulatory obligations."