On October 9, the IIF submitted a response to the consultative document issued by the Basel Committee on Banking Supervision (BCBS) proposing “Principles for the sound management of third-party risk in the banking sector”. The consultation includes 12 draft Principles – nine addressed to banks and three to banking supervisors – which are intended to address the increasing reliance of banks on third-party service providers (TPSPs) due to ongoing digitalization and rapid growth in financial technology.
The final BCBS Principles would supersede the 2005 Joint Forum paper on “Outsourcing in Financial Services” and should be viewed in conjunction with existing BCBS principles and guidance.
As set out in the comment letter, IIF members support the Basel Committee taking a principles-based approach to third-party risk management (TPRM). However, we believe it is important that the Committee reflect in the final Principles that TPRM approaches are an integrated part of banks’ broader risk management frameworks. Banks monitor a wide spectrum of risk drivers when managing third-party relationships, including but not limited to data and security, regulatory compliance, operational, financial, and reputational risks. While the potential disruption to critical operations due to a third-party outage or failure could be significant, it represents just one aspect of the multifaceted risk landscape that banks evaluate as part of their approaches to TPRM. The current draft Principles could benefit from a more holistic approach, and we suggest that in the final Principles the BCBS recognize that TPRM methodologies are designed to capture a diverse set of risks, including but not limited to those aligned to operational resilience.
As part of this effort to maintain a clear distinction between TPRM and operational resilience, there are areas where the IIF recommends the Principles should reasonably take a narrower focus on resilience considerations in the context of third-party relationships. This appears to be the Committee’s intention in parts of the draft Principles, although this is not reflected consistently and is missing in foundational areas such as the definitions. As such, IIF members recommend that the BCBS consider:
- Incorporating a holistic approach to TPRM and avoiding conflation with operational resilience concepts.
- Adequately reflecting operational resilience concepts and considerations in TPRM, without rescoping TPRM as operational resilience (which is an outcome of risk management).
- Ensuring that expectations for banks and supervisors are practicable and reflect actual relationships and interactions between banks, TPSPs, and TPSP supply chains.
- Simplifying and improving consistency throughout the Principles in relation to key definitions, and application of a proportionate, risk-based approach.
The IIF will engage with the BCBS as it finalizes the Principles and will keep members informed of further developments.