A Renewed Focus on Outsourcing and Third-Party Risk from the Financial Stability Board

Those of us who work in financial services are keenly aware that third-party risk management (TPRM) continues to be a key area of focus for global financial services regulators. Recently, we have seen consultations from the Bank of England and the International Organization of Securities Commissions (IOSCO) as well as a legislative proposal from the European Commission offering similar, but not identical, approaches to the issue.

A new discussion paper published by the Financial Stability Board (FSB) explores a number of emerging key themes that TPRM leaders need to pay close attention to and be ready to address.

"Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships" provides a useful overview of the many views, approaches and comparative guidance from across numerous regulatory agencies.

At first glance the broad themes contained in the paper are as expected where regulated firms: cannot outsource accountability; must understand who their vendors are; perform initial and on-going due diligence; and have adequate, qualified personnel and robust systems. Crucially, the paper makes the point that firms must be able to execute these functions at scale and with speed and efficiency.

In addition to these foundational themes, the paper also examines a number of emerging issues, such as concentration risk, supply-chain risk, pooled assessments, vendor definitions, data registers and intra-group arrangements.

Concentration risk is a growing concern

Regulated firms are growing increasingly reliant on vendors to perform business-critical activities, and the trend is causing concern among regulators and business leaders. More recently, the potential exposure to risk has increased as the vendor landscape for technology and cloud services has consolidated into fewer, larger firms.

This issue has been further exacerbated and accelerated by COVID-19, during which time many firms made a rapid shift to a more digital and agile way of working, which, in turn, has pushed the reliance on a small number of IT and communications vendors to an all-time high.

With more and more service providers relying on the same small pool of technology vendors, even firms that use many vendors could still be exposed to higher concentration risk if you have a wide range of vendors who themselves rely on a few technology providers. If your TPRM program is not able to identify, report and mitigate this concentration risk, you will not be able to satisfy a key requirement across multiple regulators.

Extended supply chain risk must be addressed

The topic of sub-tier supply chain management (also known as sub-outsourcing, chain outsourcing or supply chain management), continues to cause exasperation across the TPRM community. The FSB paper recognizes the challenges of managing increasing complex supply chains, noting that, "the longer and more complex a chain of service providers is, the more challenging it becomes for financial institutions and supervisory authorities to manage the relevant risks or even to identify all the different providers involved." However, it also underscores the fact that regulators expect financial institutions to manage those elevated risk, observing that "supervisory authorities see this as a significant limitation on the ability of financial institutions to manage risks across the supply chain, and expect financial institutions have adequate visibility of their third parties' supply chain."

This includes the use of contractual controls that enable financial institutions to have visibility into and—in some cases—control over the sub-outsourcing of their vendors. Regulators do not want firms to have to give up access to best-in-class services through vendors, but this is a difficult issue to address and the paper demonstrates it is not going away. The industry needs to find ways to come together to identify a solution. This will involve collaboration with regulators, key vendors and technology platforms combined with a more targeted approach to understanding which parts of the supply chain needs deeper due-diligence and monitoring.

Pooled assessments are here to stay

The emergence of industry utilities to execute pooled audits over the past five years offers the chance to significantly reduce the level of inefficiency and cost for both financial institutions and their vendors. The paper makes a specific reference to pooled audits saying they "can constitute a more effective and proportionate method of obtaining assurance from third parties". The paper also clarifies that when utilizing a pooled audit approach, financial institution leadership should still review the conclusions and assess against their own standards and risk appetites. The pooled audit will be an increasingly important and useful tool to TPRM leaders to accelerate their due-diligence efforts as long as the right level of supervision or oversight is in place.

When is a vendor a vendor?

For those TPRM leaders overseeing programs operating across jurisdictions, the issue of variations in regulatory definitions will be a familiar and ongoing challenge. The FSB paper notes that "there is considerable variance in how surveyed authorities define 'outsourcing' and 'third-party relationships', or indeed in whether they define these terms at all." On one hand, regulators expect to see consistency in how controls are deployed, yet on the other, key definitions can vary significantly between agencies and guidance.

The FSB paper addresses this issue head on and recognizes that definitions of 'third party', 'vendor' and 'outsourcing' vary between regulatory agencies. TPRM leaders need to be aware of these variations and build a robust program that ensures a consistent level of best practice while having the ability to flag and report specific regulatory or jurisdictional nuances. Again, this is not something that can be managed without the support of technology and automation.

Data registers become the norm

To enable regulators to grapple with the challenge of overseeing the complex and interconnected financial services ecosystem, they are asking for increasing levels of visibility into financial institution supply chains. The FSB paper suggests that a number of regulators are moving towards requiring financial institutions to provide them with a register of their most critical vendors, noting that, "some authorities carry out ad hoc data collection exercises where they ask financial institutions to identify their most important service providers." The paper also indicates that to make this data collection and analysis process as effective as possible, regulators are also starting to standardize these registers. To be ready for this requirement, TPRM leaders need to ensure they have accessible, accurate and up-to date vendor inventories that can be easily shared.

The line between "internal" and "external" blurs

Intra-group arrangements are an often-overlooked element in TPRM, but the FSB paper re-confirms that many regulators do not differentiate between the risks represented by inter-affiliate services and those of a true external third party. There is, however, recognition that firms can meet the requirements in ways that take into account the risks and efficiencies in intra-group situations. For TPRM leaders, the management of intra-group arrangements can be a difficult issue to address, not least because the decisions are made in a different part of the firm, such as finance. At a minimum, TPRM leaders should ensure consistency between the two legs of the program and, wherever possible, use the same technology solution to track, manage and oversee both external and intra-group parties.

Coordination and cooperation are key

It is clear that attention on outsourcing and third-party risk is not going away. The FSB paper highlights the benefits as much as the risks of using vendors and aims to promote dialogue between regulators, vendors, and financial institutions. We can expect to see supervisory cooperation that looks to share and promote best practices and identify and act on risks - both systemic and on a firm-by-firm basis.

Some regulators are already acting to formally address outsourcing risks, and others are sure to follow. In order to meet their expectations, TPRM leaders will need to not only focus on the foundational elements of their TPRM program but also stay abreast of the emerging issues. The ability to capture the finer nuances of risk, track variances in regulatory definitions and provide even greater visibility into supply chains will require financial institutions to ensure they have the tools to collect, manage and act on a far greater volume of information on vendors and supply chains.

- Co-authored with David Cook, Executive Director, Regulatory Affairs, IHS Markit