In a recent statement, the Basel Committee on Banking Supervision, or BCBS, summarized findings of the outreach sessions with private-sector participants and supervisors from various jurisdictions with respect to the practices for third- and fourth-party risk management and concentration risk.
The outreach sessions aimed to assess the status of better-established practices related to third-party risk management and to exchange views regarding evolving practices related to fourth-party risk management and concentration risk. The outreach sessions confirmed the importance of banks implementing the practices set out in the Principles for Operational Resilience (POR) and the revised Principles for the Sound Management of Operational Risk (PSMOR). Among other matters discussed, banks and supervisors noted the following:
- Primary gaps related to firms' third-party risk management include a lack of clarity regarding respective bank and service provider responsibilities, insufficient monitoring of critical fourth parties, inadequate challenge or oversight from second lines of defense, and a lack of developed and tested business continuity plans.
- Banks and supervisors are concerned that a lack of complete supply chain transparency may increase operational risk. Risk-management efforts are focused on immediate suppliers, though key risks stemming from outsourcing arrangements may be driven by suppliers further down the supply chain.
- While several banks maintain formal exit strategies with respect to critical suppliers, these strategies often lack sufficient detail and testing, and identifying the appropriate stage at which to execute a strategy can be unclear.
- There is a range of tools for managing operational disruptions, such as the substitutability of a third-party service provider and contracting for enhanced resilience options or service levels offered by service providers. Exit strategies designed to guide transitions that occur over longer time periods may not be as useful as other tools for curing operational disruptions.
Consistent with the POR and revised PSMOR, outreach participants indicated that the third- and fourth-party risk management arrangements of banks should reflect strong governance and the integration of risk management in their due diligence processes. Participants noted that when using industry-wide consortia to support their risk assessment and due diligence efforts, banks should not outsource their risk management responsibilities. Participants further observed that appropriate business continuity and contingency planning procedures and exit strategies support banks' operational resilience in the event of a failure or disruption at a third party that would impact the provision of critical operations. As a related matter, it was agreed that banks' business continuity plans should assess the substitutability of third parties that provide services to a bank's critical operations and other viable alternatives that may facilitate operational resilience in the event of an outage at a third party, such as bringing the service back in-house. With respect to concentration risk, participants noted that banks should collaborate with service providers in planning for potential failures and developing appropriate options. The Committee will continue to carefully monitor banks' third- and fourth-party risk management and concentration risk-related arrangements as well as potential systemic risks arising from the concentration of services provided by specific entities.
Keywords: International, Banking, Operational Risk, Operational Resilience, POR, PSMOR, Systemic Risk, Third-Party Risk, Outsourcing Risk, Cloud Service Providers, Business Continuity, BCBS