On 9 November 2020, the Financial Stability Board (FSB) issued a discussion paper on regulatory and supervisory issues relating to outsourcing and third-party relationships.
The discussion paper is based on a survey that the FSB Standing Committee on Supervisory and Regulatory Cooperation (SRC) conducted among member jurisdictions on the existing regulatory and supervisory landscape relating to outsourcing and third-party risk management, including cross-border supervisory challenges and potential financial stability issues. The discussion paper provides an overview of the current and evolving regulatory and supervisory landscape on outsourcing and third-party risk management in FSB-SRC member jurisdictions. It is intended to facilitate and inform discussions among authorities (including supervisory and resolution authorities), financial institutions and third parties on how to address the issues identified in the survey and in a report the FSB published in December 2019 covering third-party dependencies in cloud services.
Among other things, the report notes that the survey identified a number of issues and challenges relating to regulatory and supervisory approaches to outsourcing and third-party risk management. These include:
- Financial Institutions (FIs) have to ensure that their contractual agreements with third parties grant to them, as well as to supervisory and resolution authorities, appropriate rights to access, audit and obtain information from third parties. These rights can be challenging to negotiate and exercise, particularly in a multi-jurisdictional context.
- The management of sub-contractors and supply chains is another challenge that was particularly highlighted in the context of FIs’ response to the COVID-19 pandemic. For instance, some FIs experienced delays and logistical difficulties in obtaining remote working equipment from third parties due to disruptions to their global supply chains.
- Another key issue highlighted during the COVID-19 pandemic is the importance of implementing appropriate and effective business continuity plans and exit/wind-down plans, to ensure that FIs can recover from an outage or failure at a service provider and, if necessary, exit these arrangements in a way that minimises potential disruption.
- There is a common concern among responding authorities about the possibility of systemic risk arising from concentration in the provision of some outsourced and third-party services to FIs. These risks may become higher as the number of FIs receiving critical services from a given third party increases. Potential systemic risk could arise if, for instance, a sufficiently large number of FIs (or a single systemic FI) became dependent on one or a small number of outsourced or third-party service providers for the provision of critical services that were impossible or very difficult to substitute effectively and in an appropriate timeframe. Where there is no appropriate mitigant in place, a major disruption, outage or failure at one of these third parties could create a single point of failure with potential adverse consequences for financial stability and/or the safety and soundness of multiple FIs.
The deadline for comments on the discussion paper is 8 January 2021.