MAS Sets Out Good Practices on Third-Party Risk Management
The Monetary Authority of Singapore (MAS) published an information paper that sets out good practices on third-party risk management by banks. The paper has been published post the thematic inspections of MAS on the operational risk management standards and practices of selected banks over 2020 and 2021, with a focus on third-party risk management.
The information paper sets out the supervisory expectations, good practices, improvement areas, and case examples observed from the thematic inspections on third-party and operational risk management governance and control framework. MAS observed that the banks have generally established frameworks and processes to provide oversight of operational risk, but implementation effectiveness could be improved. There should be better articulation of key operational risk issues and trends, at both the bank-wide and key business unit levels, to identify emerging risks and determine if additional controls were necessary. With regard to the third-party risk management, MAS observed that banks generally have more established frameworks and processes to manage outsourcing arrangements compared to non-outsourcing arrangements; however, some banks fell short of expectations in management oversight and risk reporting of outsourcing activities as well as on due diligence and ongoing monitoring processes. MAS notes that banks that were still in the early stage of setting up a third-party governance structure largely managed their non-outsourcing arrangements in a decentralized manner through the respective business units, instead of subjecting them to the consolidated oversight of a management committee.
The good practices, as mentioned in the paper, on third-party risk management include cultivating staff competencies in operational risk management, raising risk awareness through the rollout of comprehensive accreditation programs, leveraging technology by implementing bank-wide systems and tools, focusing on emerging risks, including third party and cyber risks, and managing operational risk through a wider lens of non-financial risks such as the reputational and conduct risks. All banks are expected to benchmark their practices against this paper and take steps to address gaps, if any, in a risk-appropriate manner. The design of their controls would consider their specific organizational structures, business models, scale of operations, and risk profiles. The inspected banks have taken, or are taking, remedial actions to improve their frameworks and processes. The good practices highlighted should be referenced by all financial institutions given that they are exposed to similar risks. Non-bank financial institutions are encouraged to adopt the recommended practices where relevant and appropriate to the materiality of the risks posed by their third-party arrangements.
Keywords: Asia Pacific, Singapore, Banking, Operational Risk, Third Party Risk, Regtech, Cyber Risk, Outsourcing Risk, MAS
Previous Article
BCBS Focuses on Real Estate and Leveraged Lending RisksRelated Articles
EBA Proposes Standards for IRRBB Reporting Under Basel Framework
The European Banking Authority (EBA) proposed implementing technical standards on the interest rate risk in the banking book (IRRBB) reporting requirements, with the comment period ending on May 02, 2023.
FED Issues Further Details on Pilot Climate Scenario Analysis Exercise
The U.S. Federal Reserve Board (FED) set out details of the pilot climate scenario analysis exercise to be conducted among the six largest U.S. bank holding companies.
US Agencies Issue Several Regulatory and Reporting Updates
The Board of Governors of the Federal Reserve System (FED) adopted the final rule on Adjustable Interest Rate (LIBOR) Act.
ECB Issues Multiple Reports and Regulatory Updates for Banks
The European Central Bank (ECB) published an updated list of supervised entities, a report on the supervision of less significant institutions (LSIs), a statement on macro-prudential policy.
HKMA Keeps List of D-SIBs Unchanged, Makes Other Announcements
The Hong Kong Monetary Authority (HKMA) published a circular on the prudential treatment of crypto-asset exposures, an update on the status of transition to new interest rate benchmarks.
EU Issues FAQs on Taxonomy Regulation, Rules Under CRD, FICOD and SFDR
The European Commission (EC) adopted the standards addressing supervisory reporting of risk concentrations and intra-group transactions, benchmarking of internal approaches, and authorization of credit institutions.
CBIRC Revises Measures on Corporate Governance Supervision
The China Banking and Insurance Regulatory Commission (CBIRC) issued rules to manage the risk of off-balance sheet business of commercial banks and rules on corporate governance of financial institutions.
HKMA Publications Address Sustainability Issues in Financial Sector
The Hong Kong Monetary Authority (HKMA) made announcements to address sustainability issues in the financial sector.
EBA Updates Address Basel and NPL Requirements for Banks
The European Banking Authority (EBA) published regulatory standards on identification of a group of connected clients (GCC) as well as updated the lists of identified financial conglomerates.
ESMA Publishes 2022 ESEF XBRL Taxonomy and Conformance Suite
The General Board of the European Systemic Risk Board (ESRB), at its December meeting, issued an updated risk assessment via the quarterly risk dashboard and held discussions on key policy priorities to address the systemic risks in the European Union.