On Wednesday the Bank of England published its policy on outsourcing and third-party risk management for Financial Market Infrastructures (FMIs), following a consultation period on the topic in 2022.
The Bank’s outsourcing and third-party risk management policy for FMIs aims to:
- Facilitate greater resilience and adoption of the cloud and other new technologies as set out in the Bank of England’s response to the Future of Finance (FoF) report
- Set out the Bank’s requirements and expectations in relation to outsourcing and third-party risk management in FMIs
- Complement the Bank’s Supervisory Statements on FMI operational resilience
The policy has been issued in the form of Supervisory Statements (SSs) for central counterparties (CCPs), central securities depositaries (CSDs) and recognised payment system operators (RPSOs) & specified service providers (SSPs) and they set out the Bank of England’s requirements and expectations relating to FMIs’ outsourcing and third-party risk management.
The Bank also issued an outsourcing and third-party risk management part to be added to the Code of Practice applying to relevant RPSOs and SSPs.
Regulatory concerns around TPRM in FMIs
FMIs have become increasingly reliant on third-party technology as a means of entering new markets, lowering operating costs and keeping pace with the digital economy. This includes cloud outsourcing which can provide the underlying infrastructure supporting many other solutions.
Despite the potential benefits, the complexity of third-party relationships gives regulators cause for concern in a number of areas:
- Third-party provision can make it difficult for FMI senior management to monitor relevant risks. This can be amplified when the third parties engage in sub-outsourcing (outsourcing elements of their contracted services to other third parties)
- There are risks around vendor lock-in when FMIs or FMI participants have limited ability to exit arrangements without substantial cost or disruption
- If a large number of FMIs become dependent on a small number of dominant and non-substitutable third-parties, this could give rise to systemic concentration risks. The BoE, PRA and FCA's forthcoming joint Discussion Paper on Critical Third Parties will consider which third parties may be a source of systemic risk to UK financial stability.
There is also growing regulatory interest in participant outsourcing arrangements — where FMI participants outsource their connectivity to FMIs to the cloud. This can create indirect dependencies on critical service providers (CSPs), with which an FMI may have a separate relationship and, by extension, concentration risk on a single provider at both the FMI and systemic levels.
Implementation and next steps
- FMIs will be expected to comply with the expectations in the relevant supervisory statement by 9 February 2024
- Outsourcing arrangements entered into on or after 8 February 2023 should meet the expectations in the relevant supervisory statement and/or Code of Practice by 9 February 2024
- FMIs should seek to review and update legacy outsourcing agreements entered into before 8 February 2023 at the first appropriate contractual renewal or revision point to meet the expectations in the relevant supervisory statement as soon as possible on or after 9 February 2023
Does your firm need guidance on complying with the new Outsourcing and TPRM policy?
Please click here to enquire about our free Outsourcing and TPRM high-impact review.
