This discussion paper considers regulatory and supervisory issues relating to outsourcing and third-party relationships. It will facilitate a discussion on current regulatory and supervisory approaches to the management of outsourcing and third-party risks.

Financial institutions have relied on outsourcing and other third-party relationships for decades. However, in recent years, the extent and nature of interactions with a broad and diverse ecosystem of third parties has evolved, particularly in the area of technology. The financial sector’s recent response to COVID-19 highlights the benefits as well as the challenges of managing the risks of financial institutions’ interactions with third parties. The pandemic may have also accelerated the trend towards greater reliance on certain third-party technologies.

The discussion paper identifies a number of issues and challenges. For instance, financial institutions have to ensure that their contractual agreements with third parties grant to them, as well as to supervisory and resolution authorities, appropriate rights to access, audit and obtain information from third parties. These rights can be challenging to negotiate and exercise, particularly in a multi-jurisdictional context. The management of sub-contractors and supply chains is another challenge that was highlighted in the context of financial institutions’ response to COVID-19.

There is a common concern about the possibility of systemic risk arising from concentration in the provision of some outsourced and third-party services to financial institutions. These risks may become higher as the number of financial institutions receiving critical services from a given third party increases. Where there is no appropriate mitigant in place, a major disruption, outage or failure at one of these third parties could create a single point of failure with potential adverse consequences for financial stability and/or the safety and soundness of multiple financial institutions. Given the cross-border nature of this dependency, supervisory authorities and third parties could particularly benefit from enhanced dialogue on this issue.

Responses to the public consultation should be sent to [email protected] by 8 January 2021 with “Outsourcing and third-party relationships”. Consultation responses will help facilitate a discussion on current regulatory and supervisory approaches to the management of outsourcing and third-party risks. Consultation responses will be published on the FSB’s website unless respondents expressly request otherwise.