Memo #35526

FSB Publishes Toolkit on Enhancing Third-Party Risk Management and Oversight


December 07, 2023

TO: ICI Global Members
Asia Regulatory and Policy Committee
Europe Regulatory and Policy Committee
Global Operations Advisory Committee
SEC Rules Committee

SUBJECTS: International/Global

RE: FSB Publishes Toolkit on Enhancing Third-Party Risk Management and Oversight

On December 4, 2023, the Financial Stability Board (FSB) published Enhancing Third-Party Risk Management and Oversight: A toolkit for financial institutions and financial authorities.[1]

Background

The FSB published a consultation on this subject in June 2023,[2] and ICI Global provided a response that generally supported the FSB's overall goals and approach and its use of a toolkit, rather than recommendations.[3] We also emphasized that the toolkit should be regarded as an optional reference resource that financial institutions and financial authorities may use in developing and implementing their own approaches.

The final report is largely consistent with the consultation. The toolkit aims to:

(1)   reduce fragmentation in regulatory and supervisory approaches to financial institutions' third-party risk management across jurisdictions and different areas of the financial services sector;

(2)   strengthen financial institutions' ability to manage third-party risks and financial authorities' ability to monitor and strengthen the resilience of the financial system; and

(3)   facilitate coordination among relevant stakeholders (i.e. financial authorities, financial institutions and third-party service providers).

The FSB states that the work could also help mitigate compliance costs for both financial institutions and third-party service providers.

Common terms and definitions

The toolkit comprises four main chapters, the first of which presents a list of common terms and definitions. The FSB notes that harmonization of terms is not always possible or desirable because of differences in regulation and industry practices across jurisdictions and in existing definitions used by other standard-setting bodies. Nevertheless, a common understanding of common terms can help improve clarity and consistency, assist financial authorities with regulatory cooperation, improve communication with third-party service providers, and promote interoperable approaches.

The defined terms include: third-party service relationship; service provider (including third-party service provider, Nth-party service provider, and intra-group service provider); outsourcing; supply chain; critical service; critical service provider; and systemic third-party dependency.

Scope and general approaches

The second chapter summarizes the approach taken in the consultation and states that the toolkit is intended to be used by both:

  • Financial institutions in their management of third-party risks; and
  • Financial authorities as they consider their approaches to the oversight of financial institutions' third-party service relationships (in particular, those involving critical services), and the identification, monitoring and management of systemic third-party dependencies and potential systemic risks.

The toolkit focuses primarily on "critical services" as these are the services whose disruption or failure could impair individual financial institutions' viability, critical operations and/or ability to meet key legal and regulatory obligations. The FSB states, however, that this focus on critical services does not suggest that third-party service relationships involving the provision of non-critical services to financial institutions do not warrant appropriate and proportionate risk management. While the primary focus of the toolkit is on critical services, certain sections of the toolkit consider non-critical service relationships, where appropriate.

The toolkit takes a holistic and risk-focused approach, which includes, but is not limited to, outsourcing.

The toolkit aims to promote interoperability of regulatory and supervisory approaches, short of full homogeneity. The FSB notes that complete regulatory and supervisory alignment is unlikely to be possible or practical because of legal differences between regimes and financial institutions' varied business models. The FSB further recognizes that risks differ between jurisdictions and regions and across different areas of the financial services sector.

Finally, the principle of proportionality is applicable throughout the toolkit. Taking a proportional, risk-based approach allows the tools to be adapted to smaller, less complex institutions and service providers and to intra-group third-party service relationships.

Financial institutions' third-party risk management

The third chapter sets out tools to help financial institutions identify critical services and manage potential risks throughout the lifecycle of a third-party service relationship. The FSB notes that financial institutions are primarily responsible for and usually best placed to assess the criticality of the services they receive or plan to receive.

These tools seek to help financial institutions to:

  • Identify critical services and assess their level of criticality;
  • Conduct due diligence, contracting, and ongoing monitoring of critical services and service providers;
  • Be informed of incidents affecting critical services in a timely way;
  • Have consistent mapping of financial institutions' third-party service relationships;
  • Manage risks relating to their third-party service providers' use of service supply chains;
  • Implement and test business continuity plans and coordinate with their third-party service providers for their business continuity;
  • Develop effective exit strategies; and
  • Manage concentration-related risks.

Financial authorities' oversight of third-party risks

The fourth chapter sets out financial authorities' current and developing approaches and tools for supervising how financial institutions manage third-party risks, and for identifying, monitoring and managing systemic third-party dependencies and potential systemic risks. In some jurisdictions, financial authorities have or are in the process of gaining powers to directly oversee the provision of services to financial institutions by financial sector critical service providers.

The chapter covers:

  • Financial authorities' supervision of financial institutions' third-party risk management;
  • Incident reporting to financial authorities;
  • Financial authorities' identification, monitoring and management of systemic third-party dependencies and potential systemic risks; and
  • Cross-border supervisory cooperation and information sharing.

The FSB states that financial institutions must ensure, usually through contractual means, that their third-party service relationships allow them to meet their regulatory responsibilities. This includes financial institutions (including their designated agents) having appropriate access, audit, and information rights relating to the relevant service(s). To the extent required in the regulatory framework, such rights are provided for financial authorities (including their designated agents).

The FSB states that incident reporting by financial institutions is an important tool for financial authorities as it can provide them with important data and actionable insights to fulfil their objectives, including effectively supervising financial institutions, and monitoring and managing potential financial stability risks. It also states that the toolkit is consistent with its recommendations regarding cyber-incident reporting for financial institutions and builds upon them with respect to incidents (including but not limited to cyber-incidents) at third-party service providers that impact their client financial institutions.[4]

The chapter underscores the importance of cross-border supervisory cooperation and information sharing. For this objective, the chapter sets out certain ways to explore greater convergence of regulatory and supervisory frameworks around systemic third-party dependencies, options for greater cross-border information-sharing, and cross-border resilience testing and exercises.


Annette Capretta
Chief Counsel, ICI Global

Notes

[1] FSB, Enhancing Third-Party Risk Management and Oversight: A toolkit for financial institutions and financial authorities (December 2023).

[2] See ICI Memorandum No. 35371 (Jul. 10, 2023) for a summary of the consultation. The consultation is available here.

[3] See ICI Memorandum No. 35415 (Aug. 22, 2023) for a summary of ICI's response. ICI's response is available here.

[4] See FSB, Recommendations to Achieve Greater Convergence in Cyber Incident Reporting: Final Report (April 2023).