BCBS Sets Out Findings on Outsourcing and Concentration Risk Practices
In a recent statement, the Basel Committee on Banking Supervision, or BCBS, summarized findings of the outreach sessions with private-sector participants and supervisors from various jurisdictions with respect to the practices for third- and fourth-party risk management and concentration risk.
The outreach sessions were aimed to assess the status of better established practices related to third-party risk management and to exchange views regarding evolving practices related to fourth-party risk management and concentration risk. The outreach sessions confirmed the importance of banks implementing the practices set out in the Principles for Operational Resilience (POR) and the revised Principles for the Sound Management of Operational Risk (PSMOR). Among other matters discussed, banks and supervisors noted the following:
- Primary gaps related to firms' third-party risk management include a lack of clarity regarding respective bank and service provider responsibilities, insufficient monitoring of critical fourth parties, inadequate challenge or oversight from second lines of defense, and a lack of developed and tested business continuity plans.
- Banks and supervisors are concerned that a lack of complete supply chain transparency may increase operational risk. Risk-management efforts are focused on immediate suppliers, though key risks stemming from outsourcing arrangements may be driven by suppliers further down the supply chain.
- While several banks maintain formal exit strategies with respect to critical suppliers, they often lack sufficient detail and testing and identifying the appropriate stage to execute a strategy can be unclear.
- There are a range of tools for managing operational disruptions, such as the substitutability of a third-party service provider and contracting for enhanced resilience options or service levels offered by service providers. Exit strategies designed to guide transitions that occur over longer time periods may not be as useful as other tools for curing operational disruptions.
Consistent with the POR and revised PSMOR, outreach participants indicated that the third- and fourth-party risk management arrangements of banks should reflect strong governance and the integration of risk management in their due diligence processes. Participants noted that when using industry-wide consortia to support their risk assessment and due diligence efforts, banks should not outsource their risk management responsibilities. Participants further observed that appropriate business continuity and contingency planning procedures and exit strategies support banks' operational resilience in the event of a failure or disruption at a third party that would impact the provision of critical operations. As a related matter, it was agreed that banks' business continuity plans should assess the substitutability of third parties that provide services to a bank's critical operations and other viable alternatives that may facilitate operational resilience in the event of an outage at a third party, such as bringing the service back in-house. With respect to concentration risk, participants noted that banks should collaborate with service providers in planning for potential failures and developing appropriate options. The Committee will continue to carefully monitor banks' third- and fourth-party risk management and concentration risk-related arrangements as well as potential systemic risks arising from the concentration of services provided by specific entities.
Related Link: Press Release
Keywords: International, Banking, Operational Risk, Operational Resilience, POR, PSMOR, Systemic Risk, Third-Party Risk, Outsourcing Risk, Cloud Service Providers, Business Continuity, BCBS
Featured Experts

Blake Coules
Across 35 years in banking, Blake has gained deep insights into the inner working of this sector. Over the last two decades, Blake has been an Operating Committee member, leading teams and executing strategies in Credit and Enterprise Risk as well as Line of Business. His focus over this time has been primarily Commercial/Corporate with particular emphasis on CRE. Blake has spent most of his career with large and mid-size banks. Blake joined Moody’s Analytics in 2021 after leading the transformation of the credit approval and reporting process at a $25 billion bank.
Next Article
BaFin Issues Regulatory Updates for Banks in GermanyRelated Articles
EU Agencies Update LCR Rule and Macro-Prudential Policy Recommendation
The European Commission (EC) published the Delegated Regulation 2022/786 with regard to the liquidity coverage requirements for credit institutions under the Capital Requirements Regulation (CRR).
EBA Publishes Regulatory Standards to Identify Shadow Banking Entities
The European Banking Authority (EBA) published the final draft regulatory technical standards specifying the criteria to identify shadow banking entities for the purposes of reporting large exposures.
EIOPA Examines Physical Climate Risk Exposure, SII Non-Compliance
The European Insurance and Occupational Pensions Authority (EIOPA) published a report assessing insurers' exposure to physical climate change risks
NGFS Report Explores Quantification of Climate Risk Differentials
The Network for Greening the Financial System (NGFS) published two reports to aid central banks and regulators in their oversight of the financial sector and in their central bank operations
EC Publishes Results on Review of Web Accessibility Directive
The European Commission (EC) published the results of a public consultation, held in October 2021, on the review of the Web Accessibility Directive.
MAS Consults on Adjustment Spreads for Conversion of SOR Contracts
The Monetary Authority of Singapore (MAS) and the SC-STS are jointly consulting, until June 10, 2022, on setting adjustment spreads for the conversion of legacy SOR contracts to SORA reference rate.
OSFI Discusses Benchmark Rate Transition, Sets Out Work Priorities
The Office of the Superintendent of Financial Institutions (OSFI) published the strategic plan for 2022-2025 and the departmental plan for 2022-23.
EBA Proposes Standards to Support Secondary NPL Markets
The European Banking Authority (EBA) is consulting, until August 31, 2022, on the draft implementing technical standards specifying requirements for the information that sellers of non-performing loans (NPLs) shall provide to prospective buyers.
EU Confirms Agreement on Rules on Cybersecurity and Banking Resolution
The European Council and the Parliament reached an agreement on the revised Directive on security of network and information systems (NIS2 Directive).
EBA Issues Standards for Crowdfunding Service Providers Under ECSPR
The European Banking Authority (EBA) published the final draft regulatory technical standards specifying information that crowdfunding service providers shall provide to investors on the calculation of credit scores and prices of crowdfunding offers.