BCBS Sets Out Findings on Outsourcing and Concentration Risk Practices
In a recent statement, the Basel Committee on Banking Supervision, or BCBS, summarized findings of the outreach sessions with private-sector participants and supervisors from various jurisdictions with respect to the practices for third- and fourth-party risk management and concentration risk.
The outreach sessions were aimed to assess the status of better established practices related to third-party risk management and to exchange views regarding evolving practices related to fourth-party risk management and concentration risk. The outreach sessions confirmed the importance of banks implementing the practices set out in the Principles for Operational Resilience (POR) and the revised Principles for the Sound Management of Operational Risk (PSMOR). Among other matters discussed, banks and supervisors noted the following:
- Primary gaps related to firms' third-party risk management include a lack of clarity regarding respective bank and service provider responsibilities, insufficient monitoring of critical fourth parties, inadequate challenge or oversight from second lines of defense, and a lack of developed and tested business continuity plans.
- Banks and supervisors are concerned that a lack of complete supply chain transparency may increase operational risk. Risk-management efforts are focused on immediate suppliers, though key risks stemming from outsourcing arrangements may be driven by suppliers further down the supply chain.
- While several banks maintain formal exit strategies with respect to critical suppliers, they often lack sufficient detail and testing and identifying the appropriate stage to execute a strategy can be unclear.
- There are a range of tools for managing operational disruptions, such as the substitutability of a third-party service provider and contracting for enhanced resilience options or service levels offered by service providers. Exit strategies designed to guide transitions that occur over longer time periods may not be as useful as other tools for curing operational disruptions.
Consistent with the POR and revised PSMOR, outreach participants indicated that the third- and fourth-party risk management arrangements of banks should reflect strong governance and the integration of risk management in their due diligence processes. Participants noted that when using industry-wide consortia to support their risk assessment and due diligence efforts, banks should not outsource their risk management responsibilities. Participants further observed that appropriate business continuity and contingency planning procedures and exit strategies support banks' operational resilience in the event of a failure or disruption at a third party that would impact the provision of critical operations. As a related matter, it was agreed that banks' business continuity plans should assess the substitutability of third parties that provide services to a bank's critical operations and other viable alternatives that may facilitate operational resilience in the event of an outage at a third party, such as bringing the service back in-house. With respect to concentration risk, participants noted that banks should collaborate with service providers in planning for potential failures and developing appropriate options. The Committee will continue to carefully monitor banks' third- and fourth-party risk management and concentration risk-related arrangements as well as potential systemic risks arising from the concentration of services provided by specific entities.
Related Link: Press Release
Keywords: International, Banking, Operational Risk, Operational Resilience, POR, PSMOR, Systemic Risk, Third-Party Risk, Outsourcing Risk, Cloud Service Providers, Business Continuity, BCBS
Featured Experts
Blake Coules
Across 35 years in banking, Blake has gained deep insights into the inner working of this sector. Over the last two decades, Blake has been an Operating Committee member, leading teams and executing strategies in Credit and Enterprise Risk as well as Line of Business. His focus over this time has been primarily Commercial/Corporate with particular emphasis on CRE. Blake has spent most of his career with large and mid-size banks. Blake joined Moody’s Analytics in 2021 after leading the transformation of the credit approval and reporting process at a $25 billion bank.
Previous Article
NGFS Report Makes Recommendations to Address Biodiversity LossRelated Articles
BIS and Central Banks Experiment with GenAI to Assess Climate Risks
A recent report from the Bank for International Settlements (BIS) Innovation Hub details Project Gaia, a collaboration between the BIS Innovation Hub Eurosystem Center and certain central banks in Europe
Nearly 25% G-SIBs Commit to Adopting TNFD Nature-Related Disclosures
Nature-related risks are increasing in severity and frequency, affecting businesses, capital providers, financial systems, and economies.
Singapore to Mandate Climate Disclosures from FY2025
Singapore recently took a significant step toward turning climate ambition into action, with the introduction of mandatory climate-related disclosures for listed and large non-listed companies
SEC Finalizes Climate-Related Disclosures Rule
The U.S. Securities and Exchange Commission (SEC) has finalized the long-awaited rule that mandates climate-related disclosures for domestic and foreign publicly listed companies in the U.S.
EBA Proposes Standards Related to Standardized Credit Risk Approach
The European Banking Authority (EBA) has been taking significant steps toward implementing the Basel III framework and strengthening the regulatory framework for credit institutions in the EU
US Regulators Release Stress Test Scenarios for Banks
The U.S. regulators recently released baseline and severely adverse scenarios, along with other details, for stress testing the banks in 2024. The relevant U.S. banking regulators are the Federal Reserve Bank (FED), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC).
Asian Governments Aim for Interoperability in AI Governance Frameworks
The regulatory landscape for artificial intelligence (AI), including the generative kind, is evolving rapidly, with governments and regulators aiming to address the challenges and opportunities presented by this transformative technology.
EBA Proposes Operational Risk Standards Under Final Basel III Package
The European Union (EU) has been working on the final elements of Basel III standards, with endorsement of the Banking Package and the publication of the European Banking Authority (EBA) roadmap on Basel III implementation in December 2023.
EFRAG Proposes XBRL Taxonomy and Standard for Listed SMEs Under ESRS
The European Financial Reporting Advisory Group (EFRAG), which plays a crucial role in shaping corporate reporting standards in European Union (EU), is seeking comments, until May 21, 2024, on the Exposure Draft ESRS for listed SMEs.
ECB to Expand Climate Change Work in 2024-2025
Banking regulators worldwide are increasingly focusing on addressing, monitoring, and supervising the institutions' exposure to climate and environmental risks.