As a result of digitalisation and the increasing use of technology in the financial sector, banks are increasingly dependent on third-party providers to carry out their activities. Legislators around the world have now taken steps to address the risks that may arise from banks’ reliance on third-party providers to conduct their business. These risks took on a more tangible dimension following last Friday's widespread IT problems. For example, the EU has adopted the Digital and Operational Resilience Act (DORA) on 17 January 2023 (which will come into force on 17 January 2025). The UK introduced a critical third-party (CTP) regime through the Financial Services and Markets Act 2023. While the objective of the legislators is similar, the approach to these risks is not.

In this context, the Basel Committee on Banking Supervision (“BCBS”) issued a Consultative Document on Principles for the Sound Management of Third-Party Risk on 9 July 2024 (the “Consultative Document”) (available here). The BCBS recognises that the traditional concept of outsourcing in the financial sector needs to evolve as a result of the increasing reliance on third-party providers. As a result, the Consultative Document supersedes the 2005 Joint Forum paper on Outsourcing in Financial Services (available here) and complements the 2023 Financial Stability Board report on enhancing third-party risk management and oversight (available here).

The Consultative Document sets out twelve high-level principles. These principles are intended to provide banks and supervisors with a common framework for managing third-party risks. These twelve principles can be divided into two categories: principles 1 to 9 provide guidance to banks on how to manage third-party risks effectively, and principles 10 to 12 provide guidance to supervisors. These principles focus in particular on the concept of “third-party life cycle” and address supply chain and concentration risks.  
The principles set out by the BCBS are technology agnostic to be applicable to a wider range of technologies (artificial intelligence, machine learning, blockchain, …) and flexible to accommodate  banks’ different approaches to risk management. These principles are primarily intended for "large internationally active banks and their prudential supervisors", according to the BCBS. However, smaller banks and supervisors can also draw on these principles as they are designed to be applied on a proportionate basis depending on the size, complexity and risk profile of the banks.

With this Consultative Document, the BCBS promotes international cooperation and consistency to reduce regulatory fragmentation and strengthen the operational resilience of the global banking system.

Feedback on the Consultative Document is expected by 9 October 2024. Our team will be happy to help you navigate through the Consultative Document.