Banks increasingly rely on third-party vendors for critical functions such as technology infrastructure, data and payment processing, and customer support. Failures and disruptions in such third-party services can erode customer confidence and lead to lost business opportunities and reputational damage. To address these challenges, and in the interest of ensuring the stability of the financial system, many financial regulators worldwide now expect banks and other financial institutions to put in place appropriate third-party risk management practices. In this context, the Financial Stability Board (FSB) recently published, and is seeking comments on, a toolkit that sets out tools to help financial institutions identify critical services and manage potential risks throughout the lifecycle of a third-party service relationship. The toolkit is relevant for financial authorities, financial institutions, and financial service providers; the comment period ends on August 22, 2023.
Overview of FSB toolkit
The primary emphasis of the FSB toolkit is on critical services, given the potential impact of their disruption on financial institutions' critical operations and on financial stability, though the toolkit also looks holistically at third-party risk management. The toolkit aims to reduce fragmentation in regulatory and supervisory approaches to financial institutions' third-party risk management across jurisdictions and across different areas of the financial services sector. The tools it sets out seek to help financial institutions to:
- Identify critical services consistently yet flexibly
- Conduct due diligence, contracting, and ongoing monitoring of critical services and service providers
- Be informed of incidents affecting critical services in a timely way
- Have consistent mapping of financial institutions’ third-party service relationships
- Manage risks relating to their third-party service providers’ use of service supply chain
- Implement and test business continuity plans, which should be informed by a comprehensive Business Impact Analysis and must set out clear, measurable indicators (for example, recovery time objectives (RTOs), recovery point objectives (RPOs), and maximum potential loss)
- Develop effective exit strategies
- Strengthen the identification and management of service provider concentration and concentration-related risks
Regulatory developments in third-party risk management
Notably, the European Union, the United Kingdom (UK), the United States (U.S.), Canada, Australia, and Singapore are among the jurisdictions working to address this challenge by putting in place rules, frameworks, and guidelines that require and/or encourage banks to adopt good third-party risk management practices. As recently as June 2023, the federal bank regulatory agencies in the U.S. issued guidance designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies, while the Office of the Superintendent of Financial Institutions (OSFI) in Canada issued a third-party risk management guideline in April 2023. Similarly, last year, HM Treasury in the UK proposed a critical third-party regime that could set the legal foundations for such measures. Most significantly, in the European Union, the Digital Operational Resilience Act (DORA) provides for the creation of an oversight framework for critical information and communication technology (ICT) third-party service providers to financial entities across the EU. The rules in DORA become applicable from January 17, 2025, while the drafting of the accompanying regulatory and implementing technical standards and guidelines is ongoing. The finalized regimes expected in the European Union and the UK set forth rules giving regulatory agencies powers to designate certain third-party service providers as critical (Critical Third Parties, or CTPs, under the UK regime; critical ICT third-party service providers under DORA).
Moody’s Analytics uses deep risk expertise, expansive information resources, and innovative application of technology to help clients confidently navigate an evolving marketplace. Visit our Banking Solutions page to find out more about the banking solutions offered by Moody’s Analytics. Banks worldwide use our award-winning solutions that include modular and customizable offerings to support credit risk management, balance sheet management, regulatory compliance, training, and more.
Keywords: International, Banking, Financial Stability, Critical Service Providers, Third-Party Risk, Outsourcing Risk, Regtech, Cyber Risk, DORA, Operational Resilience, Cloud Service Providers, FSB