
New Basel Committee guidance: Taming the tangled web of third-party threats.

The Basel Committee on Banking Supervision (BCBS) has released its Principles for the sound management of third-party risk[1] for public consultation. While the guidance was developed with larger banks in mind, the Committee notes that smaller banks may in fact rely on third parties to a greater degree.

Even if you aren't a bank, if you are struggling to manage your third parties you could probably replace the word 'bank' with 'organisation' and still apply most of the principles. As digitisation continues, effective third-party risk management is an integral component of operational resilience.

In this blog we will cover:

  • The background and key definitions
  • The principles of the standard
  • Some of the key callouts

To find out more about how to build an effective vendor risk management program for your organisation, download Protecht’s free Vendor Risk Management eBook:


The background

The document is intended to supersede the Outsourcing in financial services paper, issued almost 20 years ago. One driver for the update is that outsourcing is only a subset of third-party dependency, and reliance on third parties of all types has increased. This aligns with regional regulators that have already made a similar shift, such as the US Federal Reserve, FDIC and OCC's Interagency Guidance on Third-Party Relationships: Risk Management[2] and the integration of material service providers into the Australian Prudential Regulation Authority's CPS 230 Operational Risk Management standard[3].

It is also aligned with other BCBS guidance, such as its Principles for Operational Resilience and Operational Risk Management[4]. Increasingly these disciplines need to be integrated, both to ensure a comprehensive approach and to drive efficiencies through integrated, repeatable processes.

The principles

There are 12 principles in the guidance, three of which are aimed at supervisors. Let’s focus on the nine that apply directly to banks:

Principle 1: The board of directors has ultimate responsibility for the oversight of all Third Party Service Provider (TPSP) arrangements and should approve a clear strategy for TPSP arrangements within the bank’s risk appetite and tolerance for disruption

Principle 2: The board of directors should ensure that senior management implements the policies and processes of the third-party risk management framework (TPRMF) in line with the bank’s third-party strategy, including reporting of TPSP performance and risks related to TPSP arrangements, and mitigating actions

Principle 3: Banks should perform a comprehensive risk assessment under the TPRMF to evaluate and manage identified and potential risks both before entering into and throughout a TPSP arrangement

Principle 4: Banks should conduct appropriate due diligence on a prospective TPSP prior to entering into an arrangement

Principle 5: TPSP arrangements should be governed by legally binding written contracts that clearly describe rights and obligations, responsibilities and expectations of all parties in the arrangement

Principle 6: Banks should dedicate sufficient resources to support a smooth transition of a new TPSP arrangement in order to prioritise the resolution of any issues identified during due diligence or interpretation of contractual provisions

Principle 7: Banks should, on an ongoing basis, assess and monitor the performance and changes in the risks and criticality of TPSP arrangements and report accordingly to board and senior management. Banks should respond to issues as appropriate

Principle 8: Banks should maintain robust business continuity management to ensure their ability to operate in case of a TPSP service disruption

Principle 9: Banks should maintain exit plans for planned termination and exit strategies for unplanned termination of TPSP arrangements

These are all good principles, though they can be challenging to put into practice consistently. The guidance states that it is technology-agnostic, but without appropriate tooling it will be hard to provide assurance that the principles are being met.

The details

The full guidance expands on the above principles, with the following notable callouts:

Concentration risk

In addition to assessing the risk of each arrangement individually, you should consider concentration risk:

  • At the organisation level, where one provider supports a range of critical services, such that failure of that provider would cause significant disruption or impact
  • At a systemic level, where many institutions rely on the same provider. The guidance acknowledges that banks may not know the full extent of market-wide reliance on a service provider, but expects them to make reasonable efforts to understand it.

When assessing an arrangement, banks should consider whether it results in unacceptable concentration risk.

Supply chain and nth parties

Banks should consider not just their direct third parties, but also their nth parties: the providers further down the chain that support the ultimate delivery of the bank's critical services. In practice this is a challenge. A common first step is to monitor your own TPSPs' management of their third parties. The guidance suggests that contracts should include the right to obtain information about fourth parties.

The guidance also highlights that concentration risk and supply chain are related. It’s not just concentration of your direct third parties you need to be worried about, but also concentration further down in the supply chain.

Proportionality

The guidance's definitions distinguish critical services, and therefore the third parties that support them, from the rest. This is reinforced by the concept of proportionality, which is inherent in a principles-based document intended to be applied globally. Organisations will need to develop their third-party risk management program to match the complexity and scale of their business model and the risks that their third parties pose to them.

Intragroup arrangements

Intragroup arrangements should be treated the same as any other arrangement; in the guidance's own words, banks should not treat intragroup arrangements as if they are less risky than other arrangements. One useful shorthand is to ask: if this part of the group were sold off or acquired, would the existing arrangements remain sufficient? While some efficiencies can be gained when services are provided within the group, the same formalities should still be in place.

Centralisation

Banks are expected to maintain an up-to-date register of third party arrangements and nth parties as appropriate. They are also expected to map dependencies and interconnections related to arrangements, providing a strong link to operational resilience guidance. This is impractical if these records are not centralised across the organisation.

While not articulated in the guidance, centralising these records also makes it possible to assess whether the bank is operating within the board-defined risk appetite for third parties.
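The concentration risk, nth-party and centralised-register points above come together once the register is treated as a dependency graph. The following is an added example, not code from the guidance or from Protecht: it holds a small constructed register (service to direct TPSP, TPSP to its own providers, and the set of critical services, all hypothetical names), walks each critical service's supply chain to assign every provider a tier (1 = direct third party, 2 = fourth party, and so on), and then flags providers that support more than one critical service at any tier, so that concentration that only exists further down the chain is surfaced alongside direct concentration.

```python
"""Added example: a minimal centralised TPSP register with transitive
(nth-party) dependency mapping and a concentration-risk check.
All names and data below are constructed for illustration."""
from typing import Dict, List, Set

# Constructed sample register (hypothetical provider names).
# service -> the bank's direct third parties (TPSPs) supporting it
SERVICE_PROVIDERS: Dict[str, List[str]] = {
    "payments": ["CloudA", "PayGateway"],
    "online_banking": ["CloudA", "WebHost"],
    "card_issuing": ["CardProcessor"],
    "hr_payroll": ["PayrollSaaS"],
}
# provider -> that provider's own providers (the bank's fourth/nth parties)
SUBPROVIDERS: Dict[str, List[str]] = {
    "PayGateway": ["CloudB"],
    "WebHost": ["DNSCo"],
    "CardProcessor": ["HSMVendor", "CloudB"],
    "PayrollSaaS": ["CloudB"],
}
# Services the bank has classified as critical (hr_payroll is not).
CRITICAL_SERVICES: Set[str] = {"payments", "online_banking", "card_issuing"}


def provider_chain(service: str,
                   service_providers: Dict[str, List[str]] = SERVICE_PROVIDERS,
                   subproviders: Dict[str, List[str]] = SUBPROVIDERS) -> Dict[str, int]:
    """Map every provider that ultimately supports `service` to its shortest
    tier (1 = direct third party, 2 = fourth party, ...). A provider already
    seen at an equal or shorter tier is skipped, so supplier cycles terminate."""
    tiers: Dict[str, int] = {}
    stack = [(p, 1) for p in service_providers.get(service, [])]
    while stack:
        provider, tier = stack.pop()
        if provider in tiers and tiers[provider] <= tier:
            continue
        tiers[provider] = tier
        stack.extend((sub, tier + 1) for sub in subproviders.get(provider, []))
    return tiers


def concentration_report(threshold: int = 2,
                         critical: Set[str] = CRITICAL_SERVICES,
                         service_providers: Dict[str, List[str]] = SERVICE_PROVIDERS,
                         subproviders: Dict[str, List[str]] = SUBPROVIDERS) -> Dict[str, dict]:
    """Providers, at any tier, that support at least `threshold` critical
    services. min_tier == 1 means the bank contracts with them directly;
    a higher min_tier means the concentration is hidden in the supply chain."""
    support: Dict[str, Dict[str, int]] = {}
    for service in critical:
        for provider, tier in provider_chain(service, service_providers, subproviders).items():
            support.setdefault(provider, {})[service] = tier
    report: Dict[str, dict] = {}
    for provider, services in support.items():
        if len(services) >= threshold:
            report[provider] = {
                "services": sorted(services),
                "min_tier": min(services.values()),
            }
    return report


def single_provider_services(critical: Set[str] = CRITICAL_SERVICES,
                             service_providers: Dict[str, List[str]] = SERVICE_PROVIDERS) -> List[str]:
    """Critical services resting on exactly one direct TPSP: exit plans and
    BCP contingencies for these have no alternative provider to fall back on."""
    return sorted(s for s in critical if len(set(service_providers.get(s, []))) == 1)


if __name__ == "__main__":
    for provider, info in sorted(concentration_report().items()):
        where = "direct" if info["min_tier"] == 1 else f"tier-{info['min_tier']} only"
        print(f"{provider}: {where} dependency for {', '.join(info['services'])}")
    print("single-provider critical services:", single_provider_services())
```

On the constructed data the report flags CloudA, which the bank contracts with directly for two critical services, and CloudB, which never appears in the bank's own contracts but sits beneath both the payment gateway and the card processor. The second case is exactly the supply-chain concentration the guidance warns about, and it is only visible because the register holds the nth-party relationships rather than just the direct ones. The tier value is also a reasonable proxy for how hard it will be to obtain assurance: anything at tier 2 or deeper depends on the contractual right to information about fourth parties mentioned above.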

Onboarding and resourcing

Having a good onboarding process isn't news, but the guidance does place emphasis on having sufficient resources to support it: not just enough people, but people with the right competencies. It also expects the bank to ensure the TPSP has a sufficient understanding of the bank's needs.

Business continuity planning

It goes without saying that BCPs should be in place for critical TPSPs. These can include internal exit strategies, contingencies or compensating controls, and assurance over the TPSP's own BCP arrangements, and they should support the bank's own tolerance for disruption. Ideally, joint BCP testing with the TPSP should be conducted where appropriate.

Conclusions and next steps for your organisation

The principles and guidance are currently in draft form, but they provide a solid foundation for any organisation to build on.

While some organisations may already be applying these principles broadly, they should review the scope of their third-party risk management programs: if the program only covers traditional outsourcing and not other critical service providers, some risk exposures may not be well understood. A narrow scope may also miss concentration risks, which are becoming more prevalent in an interconnected world.

An effective vendor risk management program offers numerous benefits to organisations, which can be grouped into three categories:

  • Improved risk management and resilience (including avoiding supply chain disruption)
  • Efficiency and cost savings
  • Enhanced visibility (including regulatory compliance)


References

[1] Basel Committee on Banking Supervision, Principles for the sound management of third-party risk (consultative document), July 2024: https://www.bis.org/bcbs/publ/d577.pdf

[2] Federal Reserve, SR 23-4: Interagency Guidance on Third-Party Relationships: Risk Management, June 2023: https://www.federalreserve.gov/supervisionreg/srletters/SR2304a1.pdf

[3] APRA, Prudential Standard CPS 230 Operational Risk Management, July 2023: https://www.apra.gov.au/sites/default/files/2023-07/Prudential%20Standard%20CPS%20230%20Operational%20Risk%20Management%20-%20clean.pdf

[4] Basel Committee on Banking Supervision, Principles for operational resilience, March 2021: https://www.bis.org/bcbs/publ/d516.htm

About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.