FSB publishes toolkit for enhancing third-party risk management and oversight

05 September 2024

The Financial Stability Board (FSB) recently published a toolkit for financial authorities and financial institutions for their third-party risk management and oversight. The toolkit was developed in response to concerns over the extent and nature of financial institutions’ interactions with a broad and diverse ecosystem of third-party service providers, which could have implications for financial stability.

The primary emphasis of the toolkit is on critical third-party services, given the potential impact of their disruption on financial institutions’ critical operations and financial stability. It also looks holistically at financial institutions’ third-party risk management in light of changing industry practices and recent regulatory and supervisory approaches to operational resilience.

The toolkit, which incorporates feedback from a public consultation conducted over the summer, aims to (i) reduce fragmentation in regulatory and supervisory approaches to third-party risk management across jurisdictions and different areas of the financial services sector; (ii) strengthen financial institutions’ ability to manage third-party risks and financial authorities’ ability to monitor and strengthen the resilience of the financial system; and (iii) facilitate coordination among relevant stakeholders (i.e. financial authorities, financial institutions and third-party service providers).

The toolkit promotes comparability and interoperability of regulatory and supervisory approaches across sectors and jurisdictions. It comprises:

  • a list of common terms and definitions to improve clarity and consistency regarding third-party risk management across financial institutions.
  • tools to help financial institutions identify critical services and manage potential risks throughout the lifecycle of a third-party service relationship.
  • tools for supervising how financial institutions manage third-party risks, and for identifying, monitoring, and managing systemic third-party dependencies and potential systemic risks.

The tools cover areas such as incident reporting, including the possibility of enhancing the existing cyber reporting framework to include reporting by service providers where an incident could give rise to potential risks to financial stability; non-exhaustive criteria to help financial authorities identify systemic third-party dependencies and assess potential systemic risks; and tools to identify and manage potential systemic risks, including sector-wide exercises and incident response coordination frameworks. The principle of proportionality is applicable throughout, allowing the tools to be adapted to smaller, less complex institutions or intra-group third-party service relationships.

The FSB has also set out ways to explore greater convergence of regulatory and supervisory frameworks around systemic third-party dependencies; options for greater cross-border information-sharing; and cross-border resilience testing and exercises.



Leave a Reply

Your email address will not be published. Required fields are marked *