FSB warns of rising over-reliance on outsourcing

The Financial Stability Board has warned that over-reliance by banks on third party service providers poses a threat to financial stability, as one firm predicts a “major compliance exercise” to come with a brace of forthcoming regulatory action in the area .

The FSB published its discussion paper on 9 November, noting that the extent and nature of interactions with a “broad and diverse” ecosystem of third parties has rapidly evolved.

The paper comes as regulators in the major banking jurisdictions increasingly turn their attentions towards the rising tide of outsourcing, which the paper notes has increased during the covid-19 pandemic.

The UK’s Financial Conduct Authority and Prudential Regulation Authority have both recently closed consultations on reforming outsourcing standards, and the Basel Committee and International Organisation of Securities Commissions both have open consultations on potential reforms.

The US Federal Reserve and European Banking Authority, for their part, are both preparing operational resilience proposals which are expected to touch on outsourcing practices.

“Taken together, the proliferation of guidelines and requirements represent a major compliance exercise,” Freshfields Bruckhaus Deringer special counsel Peter Jaffe predicted in a recent article.

“With the scope for both significant overlap and divergence between approaches developed at the national and international level, and across various sub-sectors of services, it is essential that firms prepare to respond to the fast-pacing, changing area.”

The new FSB paper warns of considerable systemic risk if a large number of financial institutions rely on a smaller group of the same outsourced or third-party service providers to carry out their critical services.

In this situation a “major disruption, outage or failure” at a third party could have potentially adverse consequences for financial stability and risk the safety and soundness of multiple financial institutions.

The FSB says the new “heterogeneity” of services these third parties provide, combined with a rapidly changing ecosystem and increasingly cross-border activities, all warrant enhanced dialogue between supervisory authorities.

It suggests regulators could use inventories and registers to identify and monitor concentration risks on a cross-border basis, along with developing distinct criteria and methodologies to understand the nature of services and how essential they are.

Banks rely on third parties for services ranging from accounting, external audit or human resources to the development of new financial products.

It said financial regulators to increase their dialogue with their  counterparts regulating other industries within their jurisdictions – giving the example of recent increased cooperation between Brazil’s central bank and telecommunications regulator Anatel, which are jointly analysing potential emerging risks to the financial system arising from telecom providers.

The paper also says that it is increasingly difficult for financial institutions to negotiate and exercise contractual agreements that include rights for regulatory authorities to access, audit and obtain information from third parties.

In scenarios where relevant data or a third party’s premises are located across multiple jurisdictions, conflicting legal and regulatory approaches and logistical issues “may cause delays or difficulties to the ability of supervisory authorities to access relevant information, impeding the effective exercise of their supervisory functions.”

The FSB also notes that most regulators do not specify in detail how financial institutions should negotiate and exercise these contractual rights, despite the fact they expect written agreements allowing them to ensure the third parties are providing their services in line with regulatory requirements.

Regulators also face difficulties ensuring that banks have appropriate resources and skills to effectively address outsourcing and third-party risks, especially those which involve “complex and constantly evolving” technologies.

The FSB suggests that recruiting, retaining and training employees to effectively manage the growing range of third-party service providers are important steps to effectively protect against risk.

The FSB’s Supervisory and Regulatory Cooperation (SRC) standing committee conducted a survey among member jurisdictions on the existing regulatory and supervisory landscape relating to outsourcing and third party risk management in March, which provided the basis for the paper.

The consultation is open until 8 January 2021.

Get unlimited access to all Global Banking Regulation Review content