Assessment of service providers

The supervisory authorities usually require FSPs to perform thorough initial due diligence before entering into an outsourcing agreement with a third-party service provider. This assessment is crucial for understanding the associated risks and cost of the arrangement, along with the service provider’s competence in delivering the relevant service. This process would inform the FSP’s ongoing monitoring of service providers. However, the extent of the initial assessment should be proportional to the materiality of the services being outsourced. The initial assessment should cover an evaluation and review of all relevant information about service providers. This includes, but is not limited to:

Risk management framework

Analyzing risk management frameworks and capabilities, including the ability to identify, manage and document technology, cyber security and other operational risks, and human resources and financial risks associated with the relevant outsourcing arrangement.

Internal controls

Reviewing internal controls, monitoring and reporting systems, and how the service provider ensures an independent and professional audit function.

Business continuity plans

Examining business continuity plans and disaster recovery arrangements, including how the service provider identifies potential service disruption scenarios.

Compliance with applicable laws and regulations

Determining the ability to comply with applicable laws and regulations, along with a track record of compliance, where feasible. Also, the FSP needs to ensure that the service provider does not hinder the FSP’s compliance with the existing regulatory and legal requirements.

Past experience and performance

FSPs may gauge past experience and performance in delivering similar services to firms in the financial sector and other industries.

Capacity to deliver

Reviewing the capacity of the service provider to implement and support the outsourcing arrangement throughout the duration of the intended contract.

Vendor lock-in risk and substitutability

Assessing the level of vendor lock-in risk and the substitutability of the service provider, including the ease and impact of transitioning to another service provider.

Financial strength

Analyzing the financial strength and resources of the service provider, which may directly impact service delivery quality and performance.

Relationship with sub-contractors

Understanding reliance on sub-contractors, including (i) identification and monitoring of the risks that dependencies on sub-contractors might pose to the service provider’s operations and (ii) management and oversight of these parties, where relevant.

Business environment

Considering political, economic, financial and regulatory conditions in the jurisdiction where the service provider operates.

Corporate governance

Reviewing corporate governance practices, recent or pending relevant complaints, investigations, or litigation including (if relevant) at the service provider’s subcontractors.

Compliance with InfoSec frameworks

Assessing how the service provider verifies compliance with its information security framework and monitors the effectiveness of the security controls in place.

Sector knowledge

Evaluating the service provider’s knowledge of the FSP’s activities and the broader financial sector.¹

Notes:

1. Note that the list is not intended to be exhaustive. For more on the initial due diligence assessments of service providers, see FSB (2023) and CPMI-IOSCO (2014).

While due diligence primarily occurs before entering into a contract, FSPs should regularly update their assessments as part of ongoing monitoring.

These updates should also be proportionate to the materiality of the service, which may evolve over time. A risk-based approach should guide decisions on how frequently due diligence assessments are updated. The frequency may vary based on the level of risk associated with the service and its potential impact on the FSP, for example in the case of a service disruption or a security breach. An FSP should also consider findings from initial due diligence assessments to determine how often and to what extent audits of the service provider should be conducted. The risk associated with a specific service provider could affect the overall risk assessment of an FSP’s existing third-party arrangements.¹

FSPs should carry out similar due diligence when renewing outsourcing contracts. This may include onsite visits to the service provider, obtaining independent third-party reviews, and gathering market feedback to enhance the FSP’s assessment. The supervisory authority may require FSPs to document the due diligence performed during the assessment process and to keep these records available for review by supervisors at all times.

Notes:

1. For more on how an FSP can conduct a due diligence assessment of service providers, see BCBS (2005) and BCBS (2024a); the latter is a consultative document whose principles are intended to supersede those in BCBS (2005).