FSB Proposes Toolkit to Enhance Management of Third-Party Risk

Overview of FSB toolkit

The primary emphasis of the FSB toolkit is on critical services, given the potential impact of their disruption on financial institutions’ critical operations and financial stability, though the toolkit also looks holistically at third-party risk management. The toolkit is aimed to reduce fragmentation in regulatory and supervisory approaches to financial institutions’ third-party risk management across jurisdictions and different areas of the financial services sector. The tools that are set out seek to help financial institutions to:

• Identify critical services consistently yet flexibly
• Conduct due diligence, contracting, and ongoing monitoring of critical services and service providers
• Be informed of incidents affecting critical services in a timely way
• Have consistent mapping of financial institutions’ third-party service relationships
• Manage risks relating to their third-party service providers’ use of service supply chain
• Implement and test business continuity plans, which should be informed by a comprehensive Business Impact Analysis and must set out clear, measurable indicators (for example, Recovery Time Objectives or RTOs, Recovery Point Objectives or RPOs, and maximum potential loss)
• Develop effective exit strategies and strengthen the identification and management of service provider concentration and concentration-related risks

Regulatory developments in third-party risk management

Notably, the European Union, the United Kingdom (UK), the United States (U.S.), Canada, Australia, and Singapore are among the regulatory jurisdictions that are working to address this challenge and put in place rules, frameworks, and guidelines that stipulate and/or encourage banks to put in place good third-party risk management practices. As recently as in June 2023, the federal bank regulatory agencies in the U.S. have issued guidance designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies, while the financial supervisory authority in Canada (OSFI) had issued a third-party risk management guideline in April 2023. Similarly, last year, in the UK, HM Treasury had proposed a critical third-party regime that could set the legal foundations for such measures. More importantly, in the European Union, the Digital Operational Resilience Act (DORA) provides for the creation of an oversight framework for critical Information Communication Technologies (ICT) third-party service providers to financial entities in euro area. The rules in DORA will become applicable starting January 17, 2025 while the drafting of accompanying regulatory and implementing technical standards as well as guidelines is ongoing. The expected finalized regimes in the European Union and the UK set forth rules to provide regulatory agencies with powers to designate certain third-party service providers as Critical Third Parties or CTPs.

Moody’s Analytics uses deep risk expertise, expansive information resources, and innovative application of technology to help clients confidently navigate an evolving marketplace. Visit our Banking Solutions page to find out more about the banking solutions offered by Moody’s Analytics. Banks worldwide use our award-winning solutions that include modular and customizable offerings to support credit risk management, balance sheet management, regulatory compliance, training, and more.

Related Links

• FSB Press Release
• Proposed Toolkit (PDF)