Key Takeaways from the Basel Committee’s 12 Principles for Managing Third-Party Risks

On July 9, 2024, the Basel Committee on Banking Supervision (BCBS) released their proposed consultative document, Principles for the Sound Management of Third-Party Risk, intended for large, internationally active banks and their prudential supervisors, as well as smaller banks and authorities in all member countries. The principles create a common baseline for managing third-party risks, while allowing flexibility to accommodate evolving practices and regulatory frameworks.

The Committee is accepting comments on the proposed Principles, which should be submitted through their website by October 9, 2024. In this blog, we’ve summarized some of the key takeaways and highlighted the 12 proposed principles. 

Overview of the Basel Committee’s 12 Principles for Managing Third-Party Risks 

The rapid digitization of the banking sector presents an opportunity for innovative approaches and technologies to improve customer experience and operational efficiency. This shift has led to banks increasingly relying on third-party service providers (TPSPs) to expand their product and service offerings.

Recognizing the importance of managing these relationships, the BCBS emphasized the need for banks to proactively handle their interactions with TPSPs, supply chains, and associated concentration risk. This proactive approach is crucial for maintaining the stability and reliability of the banking system and enhancing banks' resilience to operational disruptions and severe events. As a result, banks need to evolve their traditional practices related to outsourcing and risk management to effectively manage a broader spectrum of third-party arrangements.

The proposed BCBS principles offer a proactive approach to strengthening operational risk management and resilience through effective third-party risk management (TPRM) practices. These principles are adaptable and meant to accommodate diverse bank risk management practices based on the size, complexity, and risk profile of the bank. They’re also constructed to remain technology-neutral, adaptable, and applicable to a wide range of technologies. This flexibility allows integration with emerging technologies, such as artificial intelligence (AI), machine learning, and blockchain, despite no explicit mention of these trends in the document. 

Key Concepts of the Basel Committee’s Principles for Managing Third-Party Risks 

Not all third-party arrangements pose the same level of risk. Therefore, they don’t all require the same level or type of oversight and risk management. The following key concepts are integral to all stages of the lifecycle and apply to all the principles:

• Following the TPRM lifecycle: Effective TPRM typically involves several stages known as the third-party risk management lifecycle. These stages in the Basel Committee’s proposal are risk assessments, due diligence, contracting, onboarding, ongoing monitoring, and termination.
• Determining criticality: It's essential to identify TPSP-provided critical services, as they typically warrant a greater level of risk management consideration. Bank processes should enable services and TPSP arrangements which are designated as critical to receive more comprehensive oversight and more rigorous risk management. It’s important to note that the BCBS utilizes the following definitions: 
  
  • Critical TPSP arrangement: A TPSP arrangement which supports or impacts one or more critical services provided to a bank.
  • Critical service: A service provided to a bank where the failure or disruption of which could significantly impair a bank’s viability, critical operations, or ability to meet legal and regulatory compliance obligations. 
  • Critical TPSP: A TPSP that provides a critical service to a bank.
• Identifying concentration risk: Concentration risk in third-party arrangements can occur at the individual bank level or systemically. Individual banks are responsible for monitoring and managing their own concentration risk, while supervisors oversee systemic concentrations. Banks should understand the systemic importance of a third party and consider implications before entering into an arrangement using available information from the public domain or directly from the third party.
• Applying proportionality: Proportionality, or taking a risk-based approach to TPRM, considers how a bank’s approach may differ based on factors such as business model, complexity, and cross-border presence. It's important to note that a service or arrangement for one bank may not pose the same level of risk as it would for another. However, applying proportionality doesn’t mean that third-party arrangements should be exempt from appropriate risk management.
• Considering intergroup arrangements: Banks should treat intergroup arrangements with the same level of risk as other arrangements and tailor risk management processes accordingly. Key considerations include due diligence, formal written agreements, risk management similar to external third parties, customized business continuity plans, and appropriate exit strategies.
• Assessing nth parties and supply chains: Banks often rely on third-party service providers within their supply chains to deliver specialized services and innovations. These supply chains can be complex and lengthy, which increases the risks for banks. Therefore, banks need to have effective risk management processes in place to identify and mitigate these supply chain risks based on the importance of the services being provided. Banks should assess, conduct due diligence, and monitor third parties to ensure they can manage their own third-party dependencies and meet the contractual obligations toward the bank. This information should then be included in risk assessments to evaluate the concentration risk at the bank level.
• Adopting new and advanced technologies: The rapid adoption of new technologies has increased banks' reliance on TPSPs, which can magnify existing risks and introduce new ones. Due to a lack of staff experience, it may be challenging for banks to identify or evaluate risks associated with new technologies provided through TPSP arrangements.
• Conducting audits and assurance: Banks can use various audits and sources of assurance, such as independent audits, pooled audits, and TPSP self-audits. They can also consider industry-recognized certifications like ISO. These certifications and standards provide a baseline level of assurance but may not cover all aspects of service resilience. Therefore, they shouldn’t replace other forms of assurance.

The BCBS’ 12 Principles for Managing Third-Party Risk 

Note: Text taken directly from the Principles for the Sound Management of Third-Party Risk are noted below in italics.

Principle 1: The board of directors has ultimate responsibility for the oversight of all TPSP arrangements and should approve a clear strategy for TPSP arrangements within the bank’s risk appetite and tolerance for disruption.

• Governance: The board of directors is ultimately responsible for overseeing all TPSP arrangements and holding senior management accountable for the implementation of a third-party risk management framework (TPRMF). Senior management should communicate the bank’s third-party strategy and policy to all relevant stakeholders and establish clear roles and responsibilities to manage TPSP arrangements throughout their lifecycle. The bank should integrate the third-party lifecycle and services under TPSP arrangements into the three lines of defense. Additionally, the board remains ultimately responsible for overseeing risk management associated with TPSP arrangements and ensuring legal and regulatory compliance.
  

Principle 2: The board of directors should ensure that senior management implements the policies and processes of the third-party risk management framework (TPRMF) in line with the bank’s third-party strategy, including reporting of TPSP performance and risks related to TPSP arrangements, and mitigating actions.

• Risk management: Banks need a robust TPRMF integrated with their operational risk management framework (ORMF) to manage third-party service provider arrangements effectively. The framework should consider factors such as the nature, size, complexity, and risk profile of the third-party service provider portfolio. It should outline criteria, processes, and frequency for identifying and assessing risks and implementing controls at every stage of the third-party lifecycle, supported by competent personnel across all three lines of defense. External support can be engaged if necessary to supplement the expertise of in-house staff.
• Strategy: The board of directors needs to approve a strategy for working with third-party service providers that aligns with the bank's overall business strategy and risk appetite. It should cover whether and to what extent the bank should use third-party service providers, which services should be outsourced, standards for assessing risks and costs, and under what conditions the bank should stop using third-party service providers. Banks should have sufficient internal knowledge, expertise, and training programs to manage and monitor the risks of working with third-party service providers.
  

Principle 3: Banks should perform a comprehensive risk assessment under the TPRMF to evaluate and manage identified and potential risks both before entering into and throughout a TPSP arrangement.

• Risk assessment: The risk assessment stage of the lifecycle involves banks identifying and assessing the criticality of potential services and associated risks before entering into an arrangement with a TPSP. This process is iterative and considers factors such as financial, operational, and strategic importance, as well as the impact on operations and known and potential risks. The assessment helps banks make informed decisions about engaging with a TPSP.

Principle 4: Banks should conduct appropriate due diligence on a prospective TPSP prior to entering into an arrangement.

• Due diligence: Banks are required to conduct thorough due diligence before entering into partnerships with third-party service providers. This involves assessing whether the collaboration aligns with the banks' strategic objectives and scrutinizing the third-party service provider’s capability to handle associated risks. Additionally, banks should meticulously evaluate and choose third-party service providers by examining their capacity and potential risks, as well as weighing the benefits and costs associated with the arrangement.
  
  By assessing the alignment of the partnership with their strategic goals and evaluating the third-party service provider’s risk management capabilities, banks can make informed decisions about entering into collaborations. It’s crucial for banks to conduct comprehensive due diligence and carefully select third parties to ensure they’re well-equipped to manage potential risks and that the partnership brings about mutually beneficial outcomes while managing associated costs effectively.
  

Principle 5: TPSP arrangements should be governed by legally binding written contracts that clearly describe rights and obligations, responsibilities and expectations of all parties in the arrangement.

• Contracting: The contracts with TPSPs should cover key performance benchmarks, access to essential information, rights and responsibilities of both parties, costs, ownership of assets, security obligations, data processing locations, and confidentiality. These contracts are important to ensure compliance with legal and regulatory requirements and to effectively manage the relationship with TPSPs. Additionally, the contracts should address business continuity and disaster recovery obligations, as well as the risk of mixing the bank’s information with other clients of the TPSP. By covering these essential aspects, the contracts help to establish clear expectations, protect sensitive information, and ensure both parties fulfill their obligations in providing and receiving services.
  

Principle 6: Banks should dedicate sufficient resources to support a smooth transition of a new TPSP arrangement in order to prioritize the resolution of any issues identified during due diligence or interpretation of contractual provisions.

• Onboarding: Banks need to maintain adequate staffing and expertise to meet the needs of third-party arrangements. When onboarding a new third-party service provider, banks are responsible for ensuring the third party understands the bank's policies and processes and complies with regulations. Banks should update their third-party service provider registry and map interdependencies each time they onboard a new third party.

Principle 7: Banks should, on an ongoing basis, assess and monitor the performance and changes in the risks and criticality of TPSP arrangements and report accordingly to board and senior management. Banks should respond to issues as appropriate.

• Ongoing monitoring: The ongoing monitoring stage is crucial for banks to confirm the quality and sustainability of a TPSP's controls, report performance status and issues, and ensure compliance with contractual obligations and regulatory expectations. Monitoring should be aligned with the bank’s governance, risk management, and strategy, and include regular review and assessment of TPSP arrangements. It should also involve performance-related metrics, maintaining updated registers and mapping of interdependencies, and monitoring TPSP performance and operational implementation. Additionally, banks should review critical TPSPs’ business continuity and disaster recovery plans and ensure periodic testing is performed.
• Reporting: The outcomes of risk assessments and monitoring should be reported to senior management and boards, according to the bank’s policies and procedures. This should include reports on the performance of TPSPs, changes in the TPSP portfolio and its risk profile, breach of thresholds, and items requiring prompt attention. Banks must monitor, report, and respond to incidents from TPSPs, comply with reporting obligations, and integrate incident remediation and reporting into broader risk management processes. For critical services, banks should use multiple forms of assurance and critically assess standardized assurances like ISO certificates.
• Response: In case of a disruption, banks must monitor TPSPs to ensure service restoration, identify risks, and communicate expectations. When a TPSP is no longer viable, banks should terminate the arrangement with minimal disruption. When renewing a TPSP arrangement, banks should perform due diligence using information from onboarding and ongoing monitoring. If not renewing, banks should ensure operational continuity and manage termination with minimal disruption.

Principle 8: Banks should maintain robust business continuity management to ensure their ability to operate in case of a TPSP service disruption.

• Business continuity management: It’s essential for banks to have well-developed, regularly reviewed, and updated business continuity and disaster recovery (BC/DR) plans with third-party service provider arrangements. It's recommended to test these plans periodically using different recovery strategies and to document lessons learned for future improvements. Banks should also ensure third parties develop and review BC/DR plans with measurable recovery time objectives (RTOs) and recovery point objectives (RPOs) that align with the bank's tolerance for disruption. Additionally, considering joint design and testing of BC/DR plans with third-party service providers or utilizing independent parties can be beneficial. It's crucial to address any actions needed to ensure the continuity of critical services in cases where alternative third parties aren’t available.

Principle 9: Banks should maintain exit plans for planned termination and exit strategies for unplanned termination of TPSP arrangements.

• Termination: Banks need to have appropriate exit plans for terminating arrangements with TPSPs, whether planned or unplanned. The exit plans should consider factors such as transitional periods, preservation of rights, budget allocation, and coordination of responsibilities. For critical TPSP arrangements, exit plans should also cover processes for transferring assets and aligning internal and external stakeholders. Additionally, banks should maintain proportionate exit strategies for unplanned terminations, including processes for asset transfer, updating of escalation groups, and budget approval for additional costs.

Principle 10: Supervisors should consider third-party risk management as an integral part of ongoing assessment of banks.

• Role of supervisors: Supervisors understand the significance of banks' reliance on third-party service providers and the potential impact on their ability to meet regulatory requirements if not managed effectively. Therefore, supervisors should carefully assess banks' third-party risk management frameworks and their alignment with ORMFs to bolster operational resilience. It’s important for supervisory evaluations to encompass the entire third-party lifecycle, with particular emphasis on how banks integrate third-party arrangements within their broader risk management processes, including incident management, cybersecurity controls, and business continuity management. Additionally, due to the technical nature of some third-party arrangements, supervisors should periodically evaluate the knowledge and skills of supervisory staff.

Principle 11: Supervisors should analyze the available information to identify potential systemic risks posed by the concentration of one or multiple TPSPs in the banking sector.

• Identification of systemic risk: The consideration of the concentration of services provided by TPSPs and the lack of substitutability of TPSPs are important factors in identifying systemic risks. To effectively assess and monitor such risks across the banking sector, it’s crucial for supervisors to have access to information from banks reflecting their arrangements with TPSPs, including those involving shared responsibilities. This information may encompass registers of TPSP arrangements, maps of interconnections and interdependencies, recovery and resolution plans, as well as reports on incidents involving TPSPs. In analyzing systemic concentration risk, supervisors may use common supervisory tools such as scenario analysis, data analytics, and other data-driven models to evaluate banks' aggregate TPSP risk management capabilities.

Principle 12: Supervisors should promote coordination and dialogue across sectors and borders to monitor systemic risks posed by critical TPSPs that provide services to banks.

• Supervisor collaboration and coordination: Bank regulators are expected to foster greater collaboration and communication among themselves, as well as with regulators from other industries and relevant stakeholders, to enhance oversight of systemic risk. This collaboration could encompass a range of initiatives aimed at strengthening the resilience of essential infrastructure. Collaboration may involve the development of suitable cross-border coordination and cooperation mechanisms. Direct partnerships with critical third-party service providers serving banks in multiple jurisdictions could also be cultivated through bilateral or multilateral platforms to enhance information-sharing and collective capabilities. There’s an emphasis on exploring strategies to improve the cross-border resilience of critical, internationally active service providers through activities like information-sharing, tabletop exercises, coordinated responses and recovery drills, and joint inspections.

Even though the BCBS’ proposed Principles for Managing Third-Party Risk have not been finalized, it’s important for banks to thoroughly review the consultative document. This will help identify potential gaps and weaknesses within their existing third-party risk management frameworks and operational risk management frameworks. Doing so will ensure the bank is ready to proactively address any issues when the principles are finalized. It will also help ensure more comprehensive third-party risk management within the organization.