4.1. Financial authorities' supervision of financial institutions' third-party risk management
Most jurisdictions already cover outsourcing in their regulations and supervision. In addition, several financial authorities have recently modernised their frameworks to encompass third-party service relationships more holistically in line with the approach in this toolkit.
Financial institutions must ensure, usually through contractual means, that their third-party service relationships allow them to meet their regulatory responsibilities. This includes financial institutions (including their designated agents) having appropriate access, audit, and information rights relating to the relevant service(s). To the extent required in the regulatory framework, such rights are provided for financial authorities (including their designated agents). This may be ensured in contracts between financial institutions and their service providers or, in certain jurisdictions, through direct requirements or expectations on financial sector critical service providers. Financial institutions may occasionally find themselves in a weaker negotiation position relative to certain third-party service providers. Where this is the case, clear regulatory and supervisory expectations by authorities about what contracts for critical services should include, where appropriate, can help partially level the playing field.
Financial authorities may also obtain assurance about the resilience of service providers and the services they provide to financial institutions through:
- Regular supervisory engagement with financial institutions, including ad-hoc information requests, individual and horizontal reviews of financial institutions, and reviews of the assurance and information that financial institutions receive from service providers, including (if appropriate) the results of independent audits or collaborative assurance exercises, such as pooled audits.