Version date: 4 December 2023 - onwards

2.2. Holistic focus on third-party risk management

Financial regulation has traditionally focused on financial institutions' outsourcing relationships. However, in recent years, the types of activities or functions that financial institutions would typically perform in-house have changed. As a result, financial institutions have become increasingly reliant on third-party service providers for services that they had not previously undertaken. Additionally, financial authorities' increasing focus on operational resilience has led to requirements and expectations on financial institutions to effectively manage the risks in all their third-party service relationships, not just outsourcing, given the criticality of some non-outsourcing, third-party services to the continued operations of financial institutions. [Examples of broader third-party services that do not fall within the definition of traditional outsourcing include data brokers who collate market data or data from social media or in-app device activity, and machine learning libraries developed by third parties. Broader third-party service relationships include such arrangements as payment service providers accessing banking functions on behalf of customers, joint business arrangements such as joint operation of shared data centres, pooled audits of commonly critical third parties, strategic alliances, and industry groups for sharing knowledge such as cyber intelligence. Some of those broader third-party service relationships may also be critical to financial institutions' business operations and financial stability.] The deterioration, disruption or failure of critical services or the service providers that provide them may pose risks to financial institutions and, in some instances, to financial stability (see Chapter 4).