Determining the materiality of an outsourced service

The level of materiality of a service can vary between FSPs; what is material for one FSP may not be material for another. An effective risk-based framework for monitoring and mitigating risks associated with outsourcing relationships requires determining the materiality of services from the outset and at regular intervals. The supervisory authority should primarily hold the FSP responsible for assessing the materiality of the planned and existing outsourced services. Guidelines for identifying the level of materiality of services should be incorporated into the FSP’s existing policies and risk management framework [1].

Depending on the regulatory framework in a jurisdiction, FSPs may consider the following, among other areas, when identifying material outsourcing services and their materiality level.

  • The potential impact of the outsourced services on the FSP’s financial metrics such as earnings, solvency, liquidity, capital, and risk profile
  • The impact on the FSP’s reputation, brand value, and ability to meet its business objectives, strategies and plans if the service provider fails to deliver or experiences a confidentiality or security breach (e.g., compromise of customer data)
  • The type and nature of data shared with the service provider, especially if it requires enhanced security measures due to its importance for the FSP’s critical operations and functions, or whether these data are sensitive
  • The impact of disruption to the relevant service or service provider on the privacy, integrity or availability of the data shared with the service provider
  • The level of substitutability of the outsourced service provider
  • The cost of the outsourced services relative to the FSP’s total operating expenses
  • The potential cost of outsourcing failure in relation to total operating expenses, especially if it may necessitate the FSP bringing the service in-house or finding another provider
  • The impact on the FSP’s counterparties and the broader financial sector if the service provider fails to deliver the service
  • The ability to maintain proper internal controls and comply with regulatory requirements if the service provider encounters operational issues

In many countries, the regulations or guidelines for outsourcing relationships provide rules and guidance to FSPs on how they can identify the materiality of an outsourced service. The supervisory authority should ensure that FSPs understand that the materiality of these services may change over time. Services initially considered non-material may become material during the agreement period, and vice versa.

While FSPs should assess the materiality of a service before engaging with a third-party provider, they should undertake periodic reviews of their outsourcing arrangements according to their risk management framework. New outsourcing risks may arise during the contract period, potentially changing the materiality level of services. For instance, an initially non-material outsourcing arrangement may become material due to incremental services outsourced to the same service provider, increased service volume, or changes in the nature of the service.

In some cases, outsourcing risks may also increase if the service provider sub-contracts the service partially or fully or makes material changes to its sub-contracting arrangements. Such situations require FSPs to revisit the materiality assessment. Furthermore, changes to the service provider, such as important changes in the ownership structure or mergers, may impact service delivery and necessitate another materiality reassessment. Such assessments would also affect the level of attention that internal and external audits give to certain outsourced services and service providers.

Notes:

1. We define “material service” as a service provided to an FSP, the failure or disruption of which could significantly impair an FSP’s viability, its critical operations, or its ability to fulfill key legal and regulatory obligations. Various supervisory authorities may use different terms to refer to these services, such as “significant services” or “important services” (see BCBS 2024a).