Financial institutions have historically engaged in outsourcing and third-party service relationships, which have evolved and expanded in recent years, presenting both benefits and new risks. The FSB recognizes the potential risks associated with these relationships and has responded by developing the present toolkit aimed at enhancing third-party risk management and oversight for financial institutions and financial authorities.
The toolkit addresses concerns related to outsourcing and third-party service relationships and is designed to be flexible and risk-based. Acknowledging variations across jurisdictions and financial institutions, the toolkit allows for adaptation based on legal frameworks and specific features of the financial services sector in different regions. Simultaneously, it aims to foster comparable and interoperable approaches to mitigate risks uniformly.
Financial institutions increasingly depend on third-party service providers for critical operations, driven by the digitalization of the financial services sector. While such dependencies offer advantages like flexibility, innovation, and improved operational resilience, mismanagement could lead to disruptions, posing risks to financial institutions and potentially affecting financial stability. The toolkit aims to address these challenges and promote coordination among stakeholders.
The toolkit comprises four main chapters:
Chapter 1 establishes a foundation with a list of common terms and definitions to enhance clarity and consistency in communication. Chapter 2 outlines the toolkit’s approach, emphasizing critical services and taking a holistic view of third-party risk management beyond traditional outsourcing. The principle of proportionality allows adaptation for smaller institutions or intra-group third-party service relationships.
Chapter 3 provides tools to help financial institutions identify critical services, conduct due diligence, manage risks, and strengthen business continuity plans throughout the lifecycle of third-party service relationships. This includes effective exit strategies and the identification and management of concentration-related risks.
Chapter 4 focuses on financial authorities’ approaches and tools for supervising third-party risk management by financial institutions. It addresses the identification and management of systemic third-party dependencies and potential systemic risks. Tools cover incident reporting, criteria for identifying systemic dependencies, and managing potential systemic risks, emphasizing cross-border supervisory cooperation and information sharing.
—
The toolkit completes the FSB’s work on third-party risk management. Back in June 2023, the FSB launched a public consultation on the toolkit, which concluded on 22 August 2023; the responses have also been published alongside the toolkit. Feedback areas included definitions, supply chain risks, and supervisory cooperation. The lack of consensus on “nth-Party Service Providers” was noted. Amendments in the final report incorporated feedback on responsibilities, definitions, supply chain risks, business continuity plans, and incident reporting. Respondents’ reservations about direct incident reporting by third-party providers were recognized in the final report.