Basel Committee sets principles for third-party risk management
BIS Paper

The Basel Committee on Banking Supervision has issued new principles for the sound management of third-party risk. These guidelines aim to enhance banks' operational resilience and mitigate severe disruptive events.

Navigating third-party vulnerabilities

A third-party service provider (TPSP) is an entity performing services directly for a bank.

Banks engage TPSPs for specialised expertise, cost reduction, and improved scalability, efficiency, and operational resilience.

However, these arrangements can reduce direct control and introduce or increase risks.

Key risks include disruption to critical TPSP services, supply chain failures from nth parties, and concentration risk from reliance on a single or limited number of TPSPs.

Such dependencies can also create systemic risk at the banking or financial sector level.

Therefore, banks require robust risk management for TPSP arrangements to withstand, adapt to, and recover from operational disruption and mitigate severe events.

A life cycle for robust oversight

The BCBS principles, superseding the 2005 Joint Forum paper, build on recent operational resilience guidance.

They adopt a life cycle approach for TPSP arrangements, promoting international consistency.

Principles 1 and 2 address governance, risk management, and strategy.

Principles 3 to 9 guide banks through effective TPSP risk management, covering assessment, due diligence, contracting, onboarding, monitoring, and termination.

Principles 10 to 12 provide guidance for prudential supervisors on evaluating TPSP risk management, identifying systemic concentration risks, and promoting cross-border coordination.

The principles target large internationally active banks and their supervisors, with proportionate application.