Regulatory focus is growing on the increasing reliance of financial institutions on outsourcing to third parties, particularly but not exclusively in the technology area. Here are some thoughts on the future direction, based on an initial review of the comments from the public consultation period, which has now closed.

Key Takeaways

  • Regulatory and supervisory oversight on outsourcing topics should be expected to continue to grow
  • At the same time, market trends are towards greater reliance on outsourcing, particularly of technology and cloud solutions, but also
    • in the context of further industry consolidation (intra-group shared services are often classified as outsourcing) as well as
    • with white-labeled or shared products and services
  • From a policy perspective, supervisors are showing greater awareness of the financial stability issues raised by concentration risk, where many market participants rely on the same critical service providers (e.g., the largest cloud hosting platforms or software providers)
  • IT service providers and FinTechs will need to pay more heed to these growing expectations on their customers, including that, by serving regulated entities, the service providers themselves could increasingly expect to be subject to examination and indirect oversight
  • The topic will require greater executive attention than it likely receives today in many institutions, with increased focus on ongoing monitoring and reporting, especially of critical relationships (and of sub-outsourcing chains)
  • One should not expect specific “check-list” guidance soon (given the range of issues and players) or ever—as many commenters advocate for a principles-based and/or risk-based approach; financial institutions need to proactively consider these issues

Details

On November 9, 2020, the Financial Stability Board (FSB) issued for public consultation a discussion paper on the topic of “Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships.” 1  The context of the consultation is the financial industry’s increasing reliance on third parties, particularly in the area of technology, with both the choices made and the understanding of the challenges further accelerated by the COVID-19 experience.  Here are a few thoughts on the consultation paper and from an initial review of the public comment letters now available on the FSB website after the comment period ended on January 8, 2021.

Background on the FSB and the Consultation on Outsourcing

The FSB is an international body which coordinates national financial authorities and international standard-setting bodies as they work toward developing strong regulatory, supervisory and other financial sector policies.  Its secretariat is hosted at the Bank for International Settlements in Basel, Switzerland.  (And its predecessor, the Financial Stability Forum, was called into being in early 1999 a few days before I joined the BIS, so I was fortunate to contribute to aspects of its setup and earliest initiatives.)

The FSB’s consultation grew out of a prior survey among financial supervisors (of which a summary appears as an annex) and seeks to promote discussion on issues and challenges raised therein.  Of note, “all respondents subscribe to the principle that outsourcing and third-party relationships cannot relieve a FI, its board or senior management from their ultimate accountability for any activities, functions, products or services which they outsource or delegate to a third party.”  Many of the regulatory measures, and in particular the definitional approach to outsourcing, date back to an earlier global effort among financial supervisors by the Joint Forum in 2005.  (In 2004, the US banking supervisors had issued FFIEC guidance on IT management and outsourcing of technology services 2, which with further elaborations still forms the basis for the current approach.)

The past decade has seen great focus by supervisors on broad cybersecurity risks.  The past few years have seen specific focus on cloud-based solutions.  The past year saw a return to broader outsourcing topics.  But the most important broad approach came with the February 2019 issuance by the European Banking Authority (EBA) of the “EBA Guidelines on Outsourcing Arrangements.” 3

Focus of Consultation

The FSB has asked:

“What do you consider the key challenges in identifying, managing and mitigating the risks relating to outsourcing and third-party relationships, including risks in sub-contractors and the broader supply chain?”

Supplemental questions seek input on possible ways to address the challenges, including through collaborative approaches on a cross-border basis, and on lessons learned from the COVID-19 pandemic.

Comments and Themes

The 34 public comments came from a range of international and national financial industry associations, from individual supervisors, and from a few individual financial institutions and service providers.  There appears to be a common understanding of the importance of these efforts, as well as a view that legacy regulatory, supervisory and examination approaches are not the best fit for the emerging technologies. There appears to be little doubt about the benefits to the financial services industry of using outsourcing opportunities generally.

Common themes raised by multiple comments include:

  • advocating the need for a coordinated supervisory approach, including more consistent definitions of key terms, particularly on a cross-border basis
  • practical difficulties (or the potential for unrealistic expectations) related to sub-outsourcings (sometimes referred to as “fourth-party” issues), particularly in a service provided in a common way to multiple customers
  • potential conflicts with data localization initiatives or efforts to limit cross-border transfers of data

Regarding the challenges for financial institutions overseeing their risks with third-party providers, banking associations advocated possible mitigants through joint industry audits, direct supervisor oversight of third-party service providers, or development of certification schemes.

Differing views were expressed as to potential concerns over concentration risks, but some industry representatives noted that individual institutions would not have insight into industry concentration, which issue must be taken up by supervisors on a coordinated basis.

Two of the leading cloud providers, Amazon Web Services (AWS) and Google Cloud, make the case for the potential for decreased risk and improved resilience for financial institutions that take advantage of cloud offerings.

Excerpt from AWS comment letter:

“We also urge the FSB and its members to consider the need to develop a regulatory framework suitable for the digital world. Legacy policies, procedures, tools, and resources may be insufficient to manage the evolving risks faced by Financial Institutions (FIs) as they adopt new technologies at scale, such as cloud infrastructure computing. We believe regulatory and supervisory practices should take into account the evolving technology landscape, for example, by requesting FIs to periodically reassess their technology risk and security methods.”

Excerpts from Google Cloud comment letter:

“[I]mplementation and supervisory practices remain highly fragmented across the globe, even within the same geographical markets. In our experience, this is caused by (1) lack of industry best practice (2) the level of technical cloud-specific expertise available to the supervisors.

“To address these challenges of fragmentation, it would be beneficial to have an [sic] global, principled based, risk assessment framework shared between financial institutions and cloud providers, that could be developed – potentially under auspices of the FSB. Alternatively, global certification schemes for the use of cloud services in the financial sector could be a meaningful avenue to explore.

*  *  *

“Audit rights are provided for in many regulatory guidances globally, including the FFIEC in the United States, the MAS in Singapore, the APRA in Australia and EBA, ESMA and EIOPA requirements in Europe and Google Cloud consistently facilitates audits by our regulated customers, their supervisory authorities and their appointees.”

(emphases in original)

While cloud issues were prominent in the comments, the relevance is much broader.

From the Canadian Bankers Association:

“We note that banks may have some services that are easily commoditized and may be readily ported to other organizations (e.g. payments provider) whereas some services are not readily portable (e.g. clearing and settlement services) and alternatives are not always immediately available due to the limited amount of vendors available and lack of standardization to support portability (e.g. CSPs).”

Other commenters also noted common dependencies on financial market infrastructures.  As noted in the comment of the World Federation of Credit Unions:

“Many credit unions utilize third parties to assist them in carrying out various functions of their operations. These relationships are often very beneficial and allow the credit union to perform tasks or obtain expertise that would not otherwise be unavailable to them. Credit unions as a whole are much smaller than their banking counterparts and often do not have the capital or resources available to larger banks.”

Insurance Europe emphasized in its comment addressing key challenges:

“a significant imbalance of negotiating power making it difficult to ensure appropriate sectoral regulatory constraints are reflected in their contractual agreements. In many cases, third-party providers offer their standard terms on a ‘take-it-or-leave-it’ basis, leaving very little, if any, opportunity for financial institutions to negotiate terms.”

A number of the commenters referenced the EU Commission’s September 2020 proposal for a Regulation on Digital Operational Resilience for the financial sector 4 which, among other things, would further emphasize the need for risk assessments with respect to information and communication technologies, and provide a framework for critical service providers.

A few regulators and supervisors submitting comments noted the importance of the issue and the need for an international approach.  More will come on this topic.

 

Sources:

1 https://www.fsb.org/2020/11/regulatory-and-supervisory-issues-relating-to-outsourcing-and-third-party-relationships-discussion-paper/

2 https://www.ffiec.gov/press/pr071504.htm; https://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services.aspx

3 https://www.eba.europa.eu/sites/default/documents/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf?retry=1

4 https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0595&from=EN