Outsourcing and Third Party Risk Management in FMIs

In April 2022, the Bank of England (BoE) published a series of Consultation Papers (CPs) laying out its proposals for outsourcing and third party risk management in financial market infrastructures (FMIs) — specifically in central counterparties (CCPs) (PDF 1.7MB), central securities depositories (CSDs) (PDF 1.8MB) and recognised payment system operators (RPSOs) & specified service providers (SSPs) (PDF 1.8MB).

The CPs are a further instance of increasing regulatory and supervisory expectations on FMIs in the UK.

They cover much of the same ground as the outsourcing and third party risk management supervisory statement (PDF 1.7MB) that was issued for PRA-regulated firms in March 2021 and came into effect in March 2022. And they expand and complement existing operational resilience requirements for FMIs, which also came into effect from March 2022.

FMIs should consider the proposals in the CPs to determine additional actions they may need to take around third party relationships and how these might impact their business models.

FMIs have become increasingly reliant on third party technology as a means of entering new markets, lowering operating costs and keeping pace with the digital economy. This includes cloud outsourcing which can provide the underlying infrastructure supporting many other solutions.

Despite the potential benefits, the complexity of third party relationships gives regulators cause for concern in a number of areas:

• Third party provision can make it difficult for FMI senior management to monitor relevant risks. This can be amplified when the third parties engage in sub-outsourcing — outsourcing elements of their contracted services to other third parties.
• There are risks around vendor lock-in — when FMIs' or FMI participants' have limited ability to exit arrangements without substantial cost or disruption.
• Moreover, if a large number of FMIs become dependent on a small number of dominant and non-substitutable third-parties, this could give rise to systemic concentration risks. The BoE, PRA and FCA's forthcoming joint Discussion Paper on Critical Third Parties will consider which third parties may be a source of systemic risk to UK financial stability.

There is also growing regulatory interest around participant outsourcing arrangements — where FMI participants outsource their connectivity to FMIs to the cloud. This can create indirect dependencies on critical service providers (CSPs), with which an FMI may have a separate relationship and, by extension, concentration risk on a single provider at both the FMI and systemic levels.

The majority of the proposals in the three CPs focus on how FMIs can address outsourcing and third party risks. The scope includes third parties involved in both outsourced and non-outsourced arrangements.

Each CP includes:

• Expectations for the pre-outsourcing phase relating to criticality assessments, risk assessments, notification requirements and due diligence processes.
• The requirement for a formalised contractual agreement to be in place for all outsourcing arrangements, irrespective of criticality, and including intragroup arrangements.
• Additional requirements for critical outsourcing arrangements such as written agreements relating to:
  • data security
  • access, audit, and information rights
  • sub-outsourcing
  • business continuity and exit strategies
• A requirement that an FMI remains responsible if a third party on whom it relies to provide an important business service fails to remain within impact tolerances or causes the FMI itself to fail to do so.

The CPs also invite industry feedback on systemic concentration risks and how these could be better assessed and managed both domestically and internationally.

The proposals supplement the requirements issued for the same FMIs back in March 2021, when the BoE published its final policy on the Operational Resilience of FMIs. This set out expectations for firms and FMIs to:

• Identify their important business services by considering how disruption to the business services they provide can have impacts beyond their own commercial interests.
• Set a tolerance for disruption for each important business services (an `impact tolerance').
• Ensure that they can continue to deliver their important business services and are able to remain within their impact tolerances during extreme but plausible scenarios.
  

The BoE proposes to define third parties as organisations that have entered into relationships with an FMI to provide products, services, processes, activities or business functions. This is consistent with the definition used by the G7 and other international supervisory authorities.

Other supervisory authorities around the world are also updating their expectations on outsourcing and third party risk management as financial services providers become increasingly dependent on interconnected third parties. The BoE's work therefore takes account of:

• The Financial Stability Board's Effective Practices for Cyber Incident Response and Recovery (PDF 451KB) and Discussion Paper on Regulatory and Supervisory Issues Relating to Outsourcing and Third party Relationships (PDF 448KB).
• The G-7's Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector (PDF 29KB), and
• The International Organisation of Securities Commissions' Principles on Outsourcing (PDF 444KB).

The consultations close on 14 July 2022, with final policy expected before the end of the year.