Banks increasingly rely on third-party vendors for critical functions such as technology infrastructure, processing of data and payments, and customer support. Failures and disruptions in such third-party services can erode customer confidence and lead to lost business opportunities and reputational damage. To address these challenges and in the interest of ensuring the stability of the financial system, many financial regulators worldwide now expect banks and other financial institutions to put in place appropriate practices for third-party risk management. In this context, the Financial Stability Board (FSB) recently published, and is seeking comments on, a toolkit that sets out tools to help financial institutions identify critical services and manage potential risks throughout the lifecycle of a third-party service relationship. This toolkit is relevant for financial authorities, financial institutions, and various financial service providers, with the comment period ending on August 22, 2023.
Overview of FSB toolkit
The primary emphasis of the FSB toolkit is on critical services, given the potential impact of their disruption on financial institutions’ critical operations and financial stability, though the toolkit also looks holistically at third-party risk management. The toolkit aims to reduce fragmentation in regulatory and supervisory approaches to financial institutions’ third-party risk management across jurisdictions and different areas of the financial services sector. The tools that are set out seek to help financial institutions to:
- Identify critical services consistently yet flexibly
- Conduct due diligence, contracting, and ongoing monitoring of critical services and service providers
- Be informed of incidents affecting critical services in a timely way
- Have consistent mapping of financial institutions’ third-party service relationships
- Manage risks relating to their third-party service providers’ use of service supply chains
- Implement and test business continuity plans, which should be informed by a comprehensive Business Impact Analysis and must set out clear, measurable indicators (for example, Recovery Time Objectives or RTOs, Recovery Point Objectives or RPOs, and maximum potential loss)
- Develop effective exit strategies and strengthen the identification and management of service provider concentration and concentration-related risks
Regulatory developments in third-party risk management
Notably, the European Union, the United Kingdom (UK), the United States (U.S.), Canada, Australia, and Singapore are among the regulatory jurisdictions that are working to address this challenge and put in place rules, frameworks, and guidelines that require and/or encourage banks to adopt good third-party risk management practices. As recently as June 2023, the federal bank regulatory agencies in the U.S. issued guidance designed to help banking organizations manage risks associated with third-party relationships, including relationships with financial technology companies, while the financial supervisory authority in Canada (OSFI) issued a third-party risk management guideline in April 2023. Similarly, last year, in the UK, HM Treasury proposed a critical third-party regime that could set the legal foundations for such measures. More importantly, in the European Union, the Digital Operational Resilience Act (DORA) provides for the creation of an oversight framework for critical Information Communication Technologies (ICT) third-party service providers to financial entities in the euro area. The rules in DORA will become applicable starting January 17, 2025, while the drafting of accompanying regulatory and implementing technical standards as well as guidelines is ongoing. The expected finalized regimes in the European Union and the UK set forth rules to provide regulatory agencies with powers to designate certain third-party service providers as Critical Third Parties or CTPs.
Keywords: International, Banking, Financial Stability, Critical Service Providers, Third-Party Risk, Outsourcing Risk, Regtech, Cyber Risk, DORA, Operational Resilience, Cloud Service Providers, FSB