Outsourcing

Financial Services Providers (FSPs), including those with new business models, often leverage outsourcing to a greater degree than they had in the past. They may rely more heavily on third parties for outsourcing core activities they previously had not (or were not allowed to) outsource. As FSPs increasingly depend on external partners for a myriad of functions ranging from cloud services to customer support, the intricate web of relationships formed poses multifaceted challenges and considerations.

Effective governance and risk management structures and strategies of the outsourcing FSPs play an important role in managing those risks at individual levels. It is also crucial for the supervisory authorities to assess how these risks are also managed at the systemic level. While outsourcing arrangements, including those for cloud computing services, enable the emergence of new types of FSPs and innovative products and services, the outsourcing relationships are becoming more complicated compared to past.

FSPs outsource certain services to benefit from lower costs, increased flexibility and greater efficiency, while also optimizing their own resources and expertise. However, outsourcing introduces risks that FSPs should carefully assess to ensure business continuity, maintain operational resilience and minimize disruptions and losses. Supervisory authorities should commit to developing robust operational resilience frameworks. FSPs need to address vulnerabilities arising from their growing dependence on their service providers, considering the increasing complexity of supply-chains and potential concentration risks.

#ab9881

Onboarding service providers

Risk Management Considerations

Oversight and supervision by supervisory authorities

Conclusion

As FSPs increasingly engage in outsourcing relationships to enhance flexibility, reduce costs, and improve efficiency, they should navigate a complex web of relationships with external partners. This growing reliance on third parties, particularly for core activities, introduces various challenges and risks. Effective governance and risk management structures are essential for FSPs to manage these risks at both individual and systemic levels.

Supervisory authorities should examine FSPs’ risk management practices related to outsourcing. These authorities play a crucial role in ensuring that FSPs maintain strong operational resilience frameworks to address the risks and vulnerabilities associated with outsourcing. They are usually responsible for identifying risks to financial stability within their jurisdictions and should assess potential risks arising from outsourcing relationships in the financial sector.

Outsourcing relationships in the financial sector can lead to significant levels of system-level concentration and interconnectedness, potentially causing systemic risks. For example, the failure or severe disruption of a critical third-party service provider could significantly impact financial stability in a jurisdiction. Therefore, supervisory authorities should oversee and monitor the system-level concentration and interconnectedness in the sector to ensure the mitigation of these risks.

HELP

Feedback or Suggestions?

fintechcoordinationgroup [at] worldbank.org

Onboarding service providers

Risk Management Considerations

Oversight and supervision by supervisory authorities

Conclusion

Amin, Rami, Natalija Gelvanovska-Garcia, Sandra Sargent. 2021. "Connecting developing countries to the cloud: Critical debates in data infrastructure." World Bank. Blog.

Australian Prudential Regulatory Authority (APRA). 2018. "Outsourcing involving cloud computing services." Information Paper.

BaFin. 2022. "Outsourcing: maps provide guidance."

BaFin. 2023. "Regulatory pressure can drive forward the digitalization of the financial sector."

Bank of England, Prudential Regulatory Authority (PRA). 2021. "Outsourcing and third party risk management." Supervisory Statement.

Bank of England (BoE). 2022. "DP3/22 -- Operational resilience: Critical third parties to the UK financial sector."

Bank for International Settlements (BIS). 2024. "III. Artificial intelligence and the economy: implications for central banks." BIS Annual Economic Report.

Basel Committee on Banking Supervision (BCBS). 2005. "The Joint Forum: Outsourcing in Financial Services"

Basel Committee on Banking Supervision (BCBS). 2021. "Principles for Operational Resilience"

Basel Committee on Banking Supervision (BCBS). 2024a. "Principles for the sound management of third-party risk." Consultative Document.

Basel Committee on Banking Supervision (BCBS). 2024b. "Digitalisation of finance."

Baur-Yazbeck, Silvia. 2018. "3 myths about data localization." CGAP. Blog.

Committee on Payments and Market Infrastructures (CPMI) and Board of the International Organization of Securities and Commissions (IOSCO). 2014. "Principles for financial market infrastructures: Assessment methodology for the oversight expectations applicable to critical service providers."

Committee on Payments and Market Infrastructures (CPMI) and Technical Committee of the International Organization of Securities and Commissions (IOSCO). 2012. "Principles for financial market infrastractures."

Crisanto, Juan Carlos, Johannes Ehrentraud, Marcos Fabian, and Amelie Monteil. 2022. "Bigtech interdependencies -- a key policy blind spot." Financial Stability Institute. FSI Insights on policy implementation No: 44.

Dias, Denise. 2020. "Cloud computing: Issues for Supervisors". Toronto Centre

Dias, Denise, Juan Carlos Izaguirre, Mehmet Kerse, and Stefan Staschen. 2023. "Digital Financial Services for Financial Inclusion: Tools for Supervisors." CGAP. Technical Guide.

European Banking Authority (EBA). 2019. "Final Report on EBA Guidelines on outsourcing arrangements."

European Central Bank (ECB). 2024a. "Guide on outsourcing cloud services to cloud service providers." Draft.

European Central Bank (ECB). 2024b. "Outsourcing register: Annual horizontal analysis." Deck.

EU (European Union). 2022. "Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on Digital Operational Resilience for the Financial Sector and Amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011."

Financial Conduct Authority (FCA). 2024. "CP23/30: Operational resilience: Critical third parties to the UK financial sector."

Financial Stability Board (FSB). 2019. "Third-party dependencies in cloud services: Considerations on financial stability implications."

Financial Stability Board (FSB). 2023. "Final report on enhancing third-party risk management and oversight -- a toolkit for financial institutions and financial authorities"

Kerse, Mehmet, Laura Brix Newbury, and Stefan Staschen. 2024. "Financial inclusion and disruptive innovation: Regulatory implications." CGAP. Working Paper.

Koh, Ting Yang, Jermy Prenio. 2023. "Managing cloud risk -- some considerations for the oversight of critical cloud service providers in the financial sector." Financial Stability Institute. FSI Insights on policy implementation No: 53.

Monetary Authority of Singapore (MAS). 2023a. "Guidelines on Outsourcing (Banks)."

Monetary Authority of Singapore (MAS). 2023b. "Guidelines on Outsourcing (Financial Institutions other than Banks)."

Monetary Authority of Singapore (MAS). 2023c. Template for Outsourcing Register.

Reserve Bank of India (RBI). 2023. "Master Direction on Outsourcing of Information Technology Services."

Saudi Arabian Monetary Authority (SAMA). 2019. "Rules on Outsourcing."

State Bank of Pakistan (SBP). 2023. "Framework on Outsourcing to Cloud Service Providers"

United Kingdom (UK). 2023. "Financial Services and Markets Act 2023."