The COVID-19 pandemic may have accelerated the trend among financial institutions (FIs) toward greater reliance on third parties, according to a recently released discussion paper from the Financial Stability Board (FSB). Based on a survey of member jurisdictions regarding their regulatory and supervisory landscapes, “Regulatory and Supervisory Issues Related to Outsourcing and Third Party Relationships” notes that the mass movement toward remote work and other factors have increased many FIs’ reliance on outsourcing and other third-party partners, even as the pandemic itself has exposed potential risks related to these relationships.
In reviewing the international landscape, FSB acknowledged that various countries still have a variety of definitions and requirements but are moving toward a holistic view of third-party arrangements, of which outsourcing (including intragroup outsourcing) is a subset. And while the specifics may vary, there is general agreement that the FI bears the responsibility for compliance and must have requirements for managing outsourcing and third-party relationships. Some of the key areas they focus on are access to audit, resilience, and exit strategies, which are relevant to a broad range of industries.
Access to Audit
FSB emphasizes that FIs must have contractual agreements that grant them – as well as the appropriate supervisory or resolution authority – access, audit, and information rights. In some jurisdictions, the supervising authority has direct legal access to personnel, premises, and systems to exercise this oversight without involving the FI, but that doesn’t absolve the FI from having the appropriate contractual requirements in place.
Unfortunately, as the report points out, most authorities don’t provide direct guidance on negotiating and exercising contractual access, audit, and information rights, so TPRM professionals must seek out best practices. In addition to the regulations themselves, leaders can often find valuable insights through peer interactions, professional organizations, and studying how the regulations have been applied in the past.
However, once the negotiation is done, exercising the contractual access and audit terms may be the most difficult part of the process. Onsite inspections are a particular hardship during pandemic restrictions. Third parties may be unaware of their obligations when it comes to audit access or unwilling to comply with the requirements. And if something is amiss, there is little leverage to compel them to make the necessary changes. FSB recommends addressing any potential issues during the onboarding process and setting clear expectations for how these issues would be managed.
The FI and the supervisory authority may face additional challenges when the third party employs subcontractors. The discussion paper estimates that there may be as many as 20 providers in an outsourcing chain, so it’s important for FIs to fully understand what agreements are in place between third parties and their suppliers to ensure access to key fourth and nth parties. In general, supervisory authorities expect that FIs have visibility into their third parties’ supply chains.
These situations can be even more complicated in cross-border transactions. Varying regulatory requirements (or the lack of them) can be a challenge, and supervisory authorities may not be able to exercise their authority in other jurisdictions, even when sensitive data is involved. Because the FI is primarily responsible for managing the risks of these arrangements, it must conduct the appropriate due diligence to ensure that it will not be prevented from meeting its regulatory obligations.
Some jurisdictions are beginning to allow replacements for direct auditing access, such as certifications issued through trusted organizations, though FSB warns against undue reliance on this external documentation, reminding FIs that they retain primary responsibility. Pooled audits, in which a group of FIs agree to accept the findings of a single investigation, are another alternative that increases compliance by reducing the burden on the third party.
Resilience
Maintaining a continuity of supply or service has always been a concern for FIs and their supervisory authorities. FIs are certainly familiar with the need to assess the financial health of their third parties, and the pandemic has increased the urgency of this requirement as some regions face sustained economic uncertainty.
Concern about the resilience of third parties has also heightened attention to concentration risk, not just for an individual FI but at a systemic level, when multiple FIs, or a single FI so large as to be considered systemic, rely on one provider to sustain their operations.
To better understand this risk exposure, FSB is seeing an increase in identification and mapping to uncover systemic weaknesses. There are also calls for organizations to maintain and file third-party inventories or registers. For example, the EU’s Single Resolution Board requires banks to maintain a register of outsourcing arrangements and make it available to supervising authorities on request, and other jurisdictions are following suit. Organizations with centralized solutions for third-party risk management will likely find that compliance with these laws will be trivial.
FSB is also recommending that FIs develop alternatives within their systems that allow them to quickly replace suppliers.
Exit Strategies
FSB found that jurisdictions are also beginning to offer guidance on exit plans to counter concentration risk and vendor lock-in. In addition to strategies for moving a service in-house or to an alternate supplier, exit plans should include contract terms for the return and deletion of data. FSB recommends that these agreements be determined during the initial onboarding, rather than waiting until the end of the relationship. Automated termination workflows can help FIs protect information assets by ensuring and documenting that all off-boarding steps are completed.
It is especially important to convey these requirements in cross-border and intragroup arrangements. It may be difficult to enforce terms in some jurisdictions, and supervisory authorities may have limited enforcement ability. Where intragroup relationships resemble those established with third parties, the intragroup arrangements must define clear terms to ensure that data privacy is preserved.
FSB was clear that, to be successful, third-party risk management programs have to be equipped with:
- Sufficient resources. Echoing the June 2020 guidance from the US Department of Justice, FSB notes that FIs must have the funding required to conduct third-party risk assessment and mitigation adequately.
- Board-level support. Boards must assume the ultimate responsibility for overseeing effective management of third-party risk, a success factor confirmed in Aravo’s research year after year.
- Clear ownership. There must be a group with empowered leadership that is responsible for overseeing third-party risk management.
- Strong controls. Third-party risk management programs must have defined policies, an appropriate framework, and adequate due diligence processes.
While there may still be some differences in the specific regulations in FSB member jurisdictions, all of them ultimately hold the FI responsible for compliance. FIs must continually evolve their program maturity to fulfill this obligation and meet evolving regulatory requirements.