The Basel Committee on Banking Supervision today published a consultative document proposing Principles for the sound management of third-party risk in the banking sector.
Ongoing digitalisation has led to rapid adoption of innovative approaches in the banking sector. As a result, banks have become increasingly reliant on third parties for services that they had not previously undertaken. This increased reliance on third parties beyond the scope of traditional outsourcing, coupled with the expansion of supply chains and rising concentration risks, has necessitated an update to the 2005 Joint Forum paper Outsourcing in financial services, specifically for the banking sector.
The consultative document consists of 12 high-level principles offering guidance to banks and supervisors on effectively managing and supervising risks from third-party arrangements. The Principles introduce the concept of a third-party life cycle and emphasise overarching concepts such as criticality and proportionality. Furthermore, they delve into the topics of supply chain risk and concentration risk and highlight the importance of supervisory coordination and dialogue across sectors and borders.
The Principles complement and expand on the Financial Stability Board's 2023 report Enhancing third-party risk management and oversight - a toolkit for financial institutions and financial authorities. While primarily directed at large internationally active banks and their prudential supervisors, these Principles also offer benefits to smaller banks and authorities in all jurisdictions. They establish a common baseline for banks and supervisors for the risk management of third parties, while providing the necessary flexibility to accommodate evolving practices and regulatory frameworks across jurisdictions.
To remain adaptable and applicable to a wide range of technologies, the Principles maintain a technology-neutral stance. As a result, they can be applied to recent trends like artificial intelligence, machine learning and blockchain technology, even though these trends are not explicitly referenced.
The Committee welcomes comments on the proposed Principles for the sound management of third-party risk, which should be submitted here by 9 October 2024. All submissions will be published on the BIS website unless a respondent specifically requests confidential treatment.