This post covers current requests for TPRM Regulatory Input.
Once in a blue moon a regulatory organization will proactively reach out to the broader community for help addressing important issues whose resolution could have a substantially – positive impact for regulated entities and beyond. On November 9th the Basel-based Financial Stability Board (FSB) issued a discussion paper, Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships, that pertains a number of key relationship issues broadly. My heart leapt when I read it.
Here is an international regulatory advisor compiling third party risk issues and regulations from around the world and zeroing in on a series of concerns that Shared Assessments Members and internal SMEs have been discussing for months:
- The definition of “material” outsourcing.
- The difficulty of achieving satisfactory due diligence when third parties employ complex outsourcing chains behind them.
- A number of issues related to concentration risk in cloud environments and beyond.
- The difficulty in assessing cloud service providers in different geographies.
- The urgent need to move toward harmonized regulatory regimes across national boundaries.
- The challenges regulators themselves are facing in a rapidly evolving security environment.
The FSB is an international body that monitors and makes recommendations to its members about coordinated improvements to the global financial system. The Board has members from the central banks of twenty-four countries and additionally includes a number of influential organizations, including the European Central Bank, the European Commission, the International Monetary Fund, the International Association of Insurance Supervisors, and the International Association of Securities Commissioners, among others. The current FSB chair is Randy Quarles, Vice Chairman of the U. S. Federal Reserve Board (FRB).
One of the FSB’s major responsibilities is to undertake strategic reviews of international standard-setting bodies and coordinate their respective policy development work to ensure that work is timely, coordinated, focused on priorities, and addresses gaps. To that end, the FSB is seeking answers to the following questions, albeit on a short fuse (responses are due by January 8th):
- What are the key challenges in identifying, managing and mitigating outsourcing risks, including risks in sub-contractors and the broader supply chain?
- What approaches can best address these challenges and mitigate related risks? Are there concerns about potential approaches that might increase risks, complexity or costs?
- How can financial institutions, third-party service providers and supervisory authorities collaborate to address these challenges on a cross-border basis?
- What lessons have been learned from the COVID-19 pandemic regarding managing and mitigating outsourcing risks, including risks arising in sub-contractors and the broader supply chain?
In its Annex, the discussion paper provides an extremely helpful review of regulatory approaches to mitigating outsourcing risks from FSB members around the globe. This review is the equivalent of a short survey course and provides insights into different definitions of outsourcing and different expectations regarding intra-group (affiliate) outsourcing, governance requirements, data security and cybersecurity requirements, complex supply chain management, access audit and information rights, concentration risk considerations, third party identification and mapping, and third party migration and exit strategies. It’s one of the few compendiums of this type of cross-border regulatory comparisons I’ve seen, and its worthwhile reading on its own.
We’ve been presented with a great opportunity to provide our perspectives on a range of important third party risk management issues. Third party practitioners should seize this chance to review this discussion paper and encourage their organizations to provide feedback to the FSB before January 8, 2021.
The full paper can be downloaded at: https://www.fsb.org/2020/11/regulatory-and-supervisory-issues-relating-to-outsourcing-and-third-party-relationships-discussion-paper/