The Impact of Big Tech Firms on Financial Stability in Emerging Market and Developing Economies (English version).pdf

Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships

Discussion paper

9 November 2020

The Financial Stability Board (FSB) coordinates at the international level the work of national financial authorities and international standard-setting bodies in order to develop and promote the implementation of effective regulatory, supervisory and other financial sector policies. Its mandate is set out in the FSB Charter, which governs the policymaking and related activities of the FSB. These activities, including any decisions reached in their context, shall not be binding or give rise to any legal rights or obligations.

Contact the Financial Stability Board
Sign up for e-mail alerts: fsb/emailalert
Follow the FSB on Twitter: FinStbBoard
E-mail the FSB at: fsbfsb

Copyright 2020 Financial Stability Board. Please refer to the terms and conditions

Regulatory and supervisory issues relating to outsourcing and third-party relationships

Background

In December 2019, the Financial Stability Board (FSB) published a report on Third-party dependencies in cloud services that explored potential issues for supervisory authorities and financial stability stemming from the scale of services provided via the cloud and the small number of globally dominant players providing such services. Many issues highlighted in the December 2019 FSB report are not just relevant to cloud services but to outsourcing and third-party relationships in general. The report also concluded that further discussion among supervisory and regulatory authorities on current approaches to the management of outsourcing and third-party risks and of relevant regulatory and supervisory approaches would be constructive.
In January-March 2020, the FSB Standing Committee on Supervisory and Regulatory Cooperation (SRC) conducted a survey among its member jurisdictions on the existing regulatory and supervisory landscape relating to outsourcing and third-party risk management, including cross-border supervisory challenges and potential financial stability issues (SRC survey). This Discussion Paper was developed on the basis of this survey. It presents an overview of the current and evolving regulatory and supervisory landscape on outsourcing and third-party risk management in FSB-SRC member jurisdictions. It is intended to facilitate and inform discussions among authorities (including supervisory and resolution authorities), financial institutions and third parties on how to address the issues identified in the SRC survey and the December 2019 FSB report.

The FSB is inviting comments on this Discussion Paper and the questions set out below. Responses should be sent to fsbfsb by 8 January 2021 with the subject line “Outsourcing and third-party relationships”. Responses will be published on the FSB's website unless respondents expressly request otherwise.

1. What do you consider the key challenges in identifying, managing and mitigating the risks relating to outsourcing and third-party relationships, including risks in sub-contractors and the broader supply chain?
2. What are possible ways to address these challenges and mitigate related risks? Are there any concerns with potential approaches that might increase risks, complexity or costs?
3. What are possible ways in which financial institutions, third-party service providers and supervisory authorities could collaborate to address these challenges on a cross-border basis?
4. What lessons have been learned from the COVID-19 pandemic regarding managing and mitigating risks relating to outsourcing and third-party relationships, including risks arising in sub-contractors and the broader supply chain?
Table of Contents

Executive Summary
Introduction
1. Overview of existing regulatory and supervisory landscape on outsourcing and third-party relationships
2. Supervisory approaches for managing outsourcing and third-party risks
3. Regulatory and supervisory challenges
3.1. Practical challenges
3.2. Cross-border challenges
3.3. Potential systemic risks
4. Conclusion
Annex: Regulatory and supervisory approaches to outsourcing and third-party relationships based on SRC survey responses

Executive Summary

Financial institutions (FIs) have relied on outsourcing and other third-party relationships for decades. However, in recent years, the extent and nature of FIs' interactions with a broad and diverse ecosystem of third parties has evolved, particularly in the area of technology. The financial sector's recent response to the COVID-19 pandemic highlights the benefits as well as the challenges of managing the risks of FIs' interactions with third parties, and may have accelerated the trend towards greater reliance on certain third-party technologies.

Against this background, this Discussion Paper builds on the FSB's report published in December 2019 on Third-party dependencies in cloud services and aims to facilitate a broader discussion on current regulatory and supervisory approaches to the management of outsourcing and third-party risks. The Discussion Paper does not propose any specific principles or standards but rather seeks to promote greater global dialogue among FIs, supervisory authorities and third parties.

The Discussion Paper draws on a survey conducted by the FSB Standing Committee on Supervisory and Regulatory Cooperation (SRC), which asked a series of questions regarding the existing regulatory and supervisory landscape relating to outsourcing and third-party risk management in its member jurisdictions.
The survey covered various aspects of the current regulation and supervision of FIs' outsourcing and third-party relationships, including: definitions of outsourcing and third-party relationships; intra-group outsourcing; governance and risk management; data security, information and cyber security; supply chain management; access, audit and information rights; and concentration risk considerations.

The regulation and supervision of FIs' outsourcing and third-party relationships varies across jurisdictions but shares common objectives and principles. For instance, all respondents subscribe to the principle that outsourcing and third-party relationships cannot relieve a FI, its board or senior management from their ultimate accountability for any activities, functions, products or services which they outsource or delegate to a third party.

The evolving landscape of FIs' third-party relationships has prompted several supervisory authorities to update or consider updating their regulatory and supervisory framework on outsourcing, third-party risk management and related areas, such as business continuity planning, cybersecurity, data protection, operational resilience and risk management.

All responding supervisory authorities have also set out requirements and/or expectations on how FIs should manage their outsourcing and third-party relationships. Many have implemented detailed requirements for outsourcing. In some cases, supervisory authorities have implemented additional requirements for third-party relationships deemed critical or important, such as to the safety and soundness of individual FIs or the provision of critical or important functions or critical shared services relevant to financial stability.
In addition, in some jurisdictions, supervisory authorities have legal powers giving them some level of access to third parties' data, personnel, premises and systems for the purposes of gathering information relevant to the exercise of their regulatory and supervisory functions. These powers are set out in legislation or regulation, and apply in addition to and independently of any contractual clauses granting access, audit and information rights to FIs and supervisory authorities. They may include the ability to request information directly from third parties relevant to the authorities' objectives; carry out on-site inspections; and/or supervise the provision of certain third-party services as if they were being performed by the FIs.

Meanwhile, a number of issues and challenges relating to regulatory and supervisory approaches to outsourcing and third-party risk management were also identified. For instance, FIs have to ensure that their contractual agreements with third parties grant to them, as well as to supervisory and resolution authorities, appropriate rights to access, audit and obtain information from third parties. These rights can be challenging to negotiate and exercise, particularly in a multi-jurisdictional context.

The management of sub-contractors and supply chains is another challenge that was particularly highlighted in the context of FIs' response to the COVID-19 pandemic. For instance, some FIs experienced delays and logistical difficulties in obtaining remote working equipment from third parties due to disruptions to their global supply chains. Even where contractual arrangements contain provisions and safeguards on the management of the third party's sub-contractors and supply chain, these arrangements often do not bind those sub-contractors directly and can make it difficult for FIs and supervisory authorities to effectively identify and address risks across the supply chain.
Another key issue whose importance was highlighted during the COVID-19 pandemic is the importance of implementing appropriate and effective business continuity plans and exit/wind-down plans, to ensure that FIs can recover from an outage or failure at a service provider and, if necessary, exit these arrangements in a way that minimises potential disruption.

Furthermore, there is a common concern among responding authorities about the possibility of systemic risk arising from concentration in the provision of some outsourced and third-party services to FIs. These risks may become higher as the number of FIs receiving critical services from a given third party increases. Potential systemic risk could arise if, for instance, a sufficiently large number of FIs (or a single systemic FI) became dependent on one or a small number of outsourced or third-party service providers for the provision of critical services that were impossible or very difficult to substitute effectively and in an appropriate timeframe. Where there is no appropriate mitigant in place, a major disruption, outage or failure at one of these third parties could create a single point of failure with potential adverse consequences for financial stability and/or the safety and soundness of multiple FIs.

While mapping and understanding the system-wide effects of third-party dependencies is not a new issue, it remains an evolving area for supervisory authorities due to the heterogeneity of services provided and the changing ecosystem. Given the cross-border nature of this dependency, supervisory authorities and third parties could particularly benefit from enhanced dialogue on this issue.

Introduction

Financial institutions (FIs) [1] have relied on outsourcing and other third-party relationships for decades. [2] However, in recent years, the extent and nature of FIs' interactions with a broad and diverse ecosystem of third parties has changed, particularly in the area of technology.

The FSB's report published in December 2019 on Third-party dependencies in cloud services explored potential issues for supervisory authorities and financial stability stemming from the scale of services provided via the cloud and the small number of globally dominant players providing such services. [3] It concluded that further discussion on current approaches to the management of outsourcing and third-party risks would be useful.

Outsourcing and other third-party relationships can bring multiple benefits to FIs, including: enhanced operational resilience; faster and more tailored financial products and services; cost reduction; greater innovation; and improved internal processes. They can also bring increased benefits to small and medium FIs that often lack the scale of larger FIs, particularly in technology investment. However, outsourcing and third-party relationships can give rise to new or different risks to FIs and potentially to financial stability that need to be adequately managed.

Some of the measures that FIs and supervisory authorities have introduced in response to the COVID-19 pandemic have highlighted the opportunities and risks that outsourcing and third-party relationships can create for the financial sector. Some third-party information and communication technology (ICT) providers have been vital facilitators of the mass, global transition to remote working during the pandemic and, by extension, the continuous provision of services to FIs' clients from a range of locations. FIs have been able to leverage the scalability and resilience of certain third-party service providers to quickly implement new working patterns with relatively little disruption to the provision of critical services. At the same time, FIs' response to the pandemic may have accelerated their reliance on some third parties, possibly exacerbating some authorities' concerns about third-party risks, in particular, concentration risk.

Moreover, the financial resilience of some third parties might be tested in a severe, prolonged economic downturn. The FSB also stated that disruption to telecoms or third-party service providers could affect FIs in its recent assessment of the financial stability implications associated with COVID-19. [4]

The FSB Standing Committee on Supervisory and Regulatory Cooperation (SRC) conducted a survey of the existing regulatory and supervisory landscape relating to outsourcing and third-party risk management in its member jurisdictions. [5] The survey covered various aspects of the

[1] For the purpose of this discussion paper, financial institutions include: banks, insurers, financial market infrastructures, trading venues or exchanges, broker-dealers, asset managers, and pension funds among others.
[2] FIs rely on third parties for a number of services, ranging from traditional functions, such as accounting, external audit or human resources to the development of innovative financial products. Third-party relationships include any business arrangement between a FI and another entity by contract or otherwise, such as activities that involve outsourced product or services, use of independent consultants, networking arrangements, merchant payment processing, services provided by affiliates and subsidiaries, and joint ventures.
[3] FSB (2019) Third-party dependencies in cloud services: Considerations on financial stability implications, 9 December.
[4] FSB (2020b) COVID-19 pandemic: Financial stability implications and policy measures taken, 15 April 2020.
[5] They are: Argentina, Australia, Brazil (BCB), Canada (OSFI), China (CBIRC), France, Germany, Hong Kong, Italy, Japan (JFSA), Korea (FSC), Mexico (CNBV), the Netherlands, Russia (Bank of Russia), Saudi Arabia (SAMA), Singapore (MAS), South Africa (SARB, FSCA)