Supervisory authorities are usually responsible for identifying risks to financial stability within their jurisdictions. In line with this responsibility, they also need to assess potential risks arising from outsourcing relationships in the financial sector. These relationships may create a significant level of system-level concentration and interconnectedness in the sector, which may lead to systemic risks. A failure or severe disruption of a critical third-party service provider may have a significant impact on financial stability in a jurisdiction.1 The impact depends on several factors, including:
- the criticality of the relevant service provider and its services to financial sector
- the systemic significance of the FSPs that rely on the relevant service provider and its services
- the degree of substitutability of these services
- the recoverability of these services to FSPs2
The level of criticality of a service provider depends on how concentrated the provision of the relevant services to FSPs is. Reliance on one or a few leading service providers in the sector can increase systemic risks, making the financial sector more vulnerable if these service providers or their services to FSPs experience disruptions or failures. One example is the recent reliance on just a few providers of Artificial Intelligence (AI) models. This market concentration is driven by the centrality of data and the substantial costs associated with developing and implementing data-intensive models. Heavy up-front investment is required to build data storage facilities, hire and train staff, gather and clean data, and develop or refine algorithms. However, once the infrastructure is established, the cost of adding each extra unit of data becomes negligible. This centrality leads to so-called data gravity: companies that already have an edge in collecting, storing and analyzing data can provide better-trained AI tools, and the use of these tools generates even more data over time. The consequence of data gravity is that only a few companies provide cutting-edge Large Language Models (LLMs). If any of these providers or their models were to fail or suffer a cyberattack, it would pose significant risks to the FSPs relying on them (BIS 2024).
A higher concentration of services does not automatically lead to systemic risks. Supervisory authorities should carefully assess market concentration to determine the actual level of systemic risk. These assessments should also consider the total number and size of FSPs served in the sector and the extent to which they involve systemically important FSPs. Supervisory authorities should also consider the sub-contracting relationships of service providers offering critical services. However, not all sub-contracting relationships require close scrutiny; the focus should be on the significant ones. Additionally, it is important to consider whether a single service provider delivers multiple types of critical services to FSPs. Furthermore, relationships between a service provider and an FSP can sometimes lead to interdependency issues. For example, bigtechs partner with FSPs to offer various financial products and services through banking-as-a-service (BaaS) arrangements. These partnerships enable bigtechs to integrate different payment methods (e.g., Alipay, PayPal, Google Pay, Mercado Pago) or a variety of credit offerings (e.g., buy-now-pay-later partnerships with AliExpress or Klarna) into their e-commerce platforms. On the other hand, as part of their digitization strategy, FSPs have come to heavily rely on cloud computing and data analytics services from bigtechs. This two-way relationship has the potential to give rise to system-level concentration and interconnectedness in the financial sector (Crisanto et al. 2022 and Kerse et al. 2024).
As previously discussed, FSPs need to identify the materiality of a service they outsource to a third party before establishing the relationship. The assessment of material services by individual FSPs is an important input for supervisory authorities in overseeing system-level concentration and interconnectedness in the sector. However, not every service that is material from the perspective of an individual FSP creates the kind of concentration and interconnectedness that could pose systemic risks. Supervisory authorities should focus on the system-level concentration and interconnectivity in the sector that could affect financial stability if the relevant services or service provider were disrupted. Germany’s supervisory authority BaFin, for example, requires FSPs to notify it of new outsourcing arrangements, including those involving cloud services, through its own “electronic reporting and publishing platform” (BaFin 2023). BaFin experts also create a graphic representation of the data in the form of outsourcing maps, which show the market-level concentration in the sector (BaFin 2022). This visualization helps identify risks, including those emerging from subcontractors further down the chain. BaFin highlights that it is sometimes only at these lower sub-contracting levels that it becomes apparent that the same service provider is contracted by numerous FSPs and provides services to a variety of companies.
In many markets, it has become more challenging for supervisors to assess and monitor systemic risks posed by third parties that become critical providers of services to multiple FSPs and nonfinancial companies, such as platforms. This challenge arises when supervisors focus solely on the FSPs that outsource these services. One example lies in the increased use of CSPs. Currently, most third-party cloud computing is not subject to financial regulation beyond the requirements imposed on outsourcing FSPs in areas such as business continuity, data security, and exit strategies.3 However, FSPs may struggle to identify, manage, and mitigate these issues. Moreover, the existing regulatory framework may not require FSPs to inform or seek approval from supervisory authorities before engaging in material outsourcing activities. Consequently, the authority may not be able to assess an FSP’s ability to manage the risks associated with early-stage outsourcing of material cloud services (Kerse et al. 2024). In many jurisdictions the reliance on a few large global CSPs raises concerns about market concentration and potential implications for financial stability. These large global CSPs often employ standard service agreements that may not guarantee supervisory access and audit rights, partly due to concerns about customer data privacy. It is evident that no single FSP can adequately manage the risks associated with the concentration of critical services that a third party offers to multiple FSPs.4
Supervisory authorities are now considering whether the traditional burden on FSPs to manage outsourcing risks should change where outsourced services pose a threat to financial stability. For instance, the EU recently introduced the Digital Operational Resilience Act (DORA) to manage the risks arising from critical third parties. Similarly, in the UK, new regulations are being proposed to enable supervisory authorities to directly oversee third parties that provide critical services to FSPs. These regulations will require critical third parties to ensure that any critical services they provide to firms and financial market infrastructures (FMIs) meet minimum resilience standards at all times. UK authorities consider that a set of standards similar to those in Annex F of CPMI-IOSCO (2012), but tailored to critical third-party providers across the financial sector, could be a key tool for managing the systemic risks that they pose (BoE 2022). The UK proposal therefore includes potential minimum resilience standards in several key areas, including:
- identification of critical services and mapping of necessary resources to deliver these services
- risk management including identification and prevention of risks to the financial and operational resilience of critical third parties
- resilience testing
- engagement with supervisory authorities
- development of a financial sector continuity playbook that outlines the specific measures that a critical third party would take to mitigate the potential systemic impact of their failure, or severe disruption to any critical services to FSPs and FMIs
- post-incident communication plans to mitigate the risk of an operational incident originating in or affecting a critical third party becoming a systemic event due to, for instance, bank runs, liquidity shortages, market volatility, and fraud
- learning and evolving from severe disruption experiences
1. This paper considers a third-party service provider as critical if any failure in or disruption to the services it provides to FSPs could threaten the stability of, or confidence in, the country’s financial system. Different authorities may have different definitions and specific criteria for determining critical service providers.
2. For other criteria and tools for identifying critical third-party service providers and services, and for managing potential systemic risks from these dependencies, see FSB (2023).
3. In certain jurisdictions, some non-financial regulations also apply to CSPs. For instance, under the EU’s General Data Protection Regulation (GDPR) and GDPR-like data protection regimes in other countries, CSPs are considered data processors. As a result, CSPs must adhere to data protection laws and regulations, including those restricting cross-border transfers.
4. See Dias et al. 2023 for the potential supervisory implications of cloud computing.
Country Examples

DIGITAL OPERATIONAL RESILIENCE ACT OF THE EUROPEAN UNION
The Digital Operational Resilience Act (DORA) has recently been issued in the EU; it entered into force on 16 January 2023 and applies as of 17 January 2025 (EU 2022). The Act aims at strengthening the IT security of FSPs and ensuring that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption. DORA harmonises the rules relating to operational resilience for the financial sector, applying to many different types of FSPs and ICT third-party service providers.
The Act also establishes an oversight framework that applies to all critical ICT third-party service providers, including CSPs, that provide ICT services to FSPs. This framework should be considered complementary to the supervision of FSPs’ outsourcing relationships by individual national supervisory authorities. DORA emphasizes that this framework allows for continuous monitoring of the activities of critical ICT third-party service providers, considering the potential systemic risk from increased outsourcing practices and ICT third-party concentration. It also acknowledges that national mechanisms are insufficient for providing supervisors with adequate tools to quantify, qualify and redress the consequences of ICT risks occurring at critical ICT third-party service providers.
It is also highlighted that the Oversight Framework should not replace or substitute any part of the requirement for FSPs to manage the risks associated with using ICT third-party service providers. This includes their obligation to maintain ongoing monitoring of contractual arrangements with critical ICT third-party service providers. Similarly, the Oversight Framework should not affect the full responsibility of FSPs for complying with and fulfilling all legal obligations set forth in DORA and relevant financial regulations.
To enhance supervisory awareness of ICT third-party dependencies, and to further support the work under the Oversight Framework, the framework emphasizes that all FSPs should be required to maintain a register of information with all contractual arrangements about the use of ICT services provided by ICT third-party service providers. Supervisors should be able to request the full register, or to ask for specific sections, and thus to obtain essential information for acquiring a broader understanding of the ICT dependencies of FSPs.
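The BaFin outsourcing maps described earlier and the DORA register of information both rest on the same analytical step: taking the arrangements that FSPs report, following each provider chain down through its subcontractors, and counting how many (and which) FSPs ultimately depend on each provider. The following Python example is added here to illustrate that step; it is not code from this paper, from BaFin or from the DORA framework. The register format (one row per FSP, service and provider chain), the FSP and provider names, and the set of systemically important FSPs are all constructed assumptions for the example. The indicators it computes are the ones the text names: number of FSPs served, systemically important FSPs among them, the number of distinct services routed through one provider, and the FSPs that reach a provider only through subcontracting, which is where BaFin notes concentration often first becomes visible.

```python
"""Added example: system-level concentration from a constructed outsourcing register,
including providers that appear only as subcontractors further down the chain.
Not taken from the paper, BaFin or DORA; the register format is an assumption."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Arrangement:
    """One reported arrangement: the FSP, the outsourced service, and the provider chain
    from the contracted provider (chain[0]) down through its subcontractors."""
    fsp: str
    service: str
    chain: List[str]


# Constructed sample register; every FSP and provider name is invented.
REGISTER = [
    Arrangement("Bank A", "core-banking-hosting", ["CloudCo"]),
    Arrangement("Bank B", "core-banking-hosting", ["CloudCo"]),
    Arrangement("Bank C", "payments-processing", ["PayVendor", "CloudCo"]),
    Arrangement("Bank D", "kyc-screening", ["KycVendor", "CloudCo"]),
    Arrangement("Bank A", "fraud-scoring", ["ModelCo"]),
    Arrangement("Bank E", "fraud-scoring", ["ScoreVendor", "ModelCo"]),
    Arrangement("Insurer F", "fraud-scoring", ["ScoreVendor", "ModelCo"]),
]

# Assumed set of systemically important FSPs (constructed for the example).
SYSTEMIC_FSPS = {"Bank A", "Bank B"}


def provider_exposure(register: List[Arrangement]) -> Dict[str, Dict[str, Set[str]]]:
    """For every provider at any depth of any chain, collect the FSPs that depend on it
    directly (as the contracted party) or indirectly (through a subcontracting chain),
    and the services that pass through it."""
    exposure = defaultdict(lambda: {"direct": set(), "indirect": set(), "services": set()})
    for arr in register:
        for depth, provider in enumerate(arr.chain):
            bucket = "direct" if depth == 0 else "indirect"
            exposure[provider][bucket].add(arr.fsp)
            exposure[provider]["services"].add(arr.service)
    return dict(exposure)


def concentration_report(register: List[Arrangement], systemic: Set[str], min_fsps: int = 3):
    """Rank providers on which at least `min_fsps` distinct FSPs depend at any depth.
    `via_subcontracting_only` counts FSPs that reach the provider only as a subcontractor,
    i.e. the dependency an FSP-by-FSP view of direct contracts would not show."""
    rows = []
    for provider, exp in provider_exposure(register).items():
        fsps = exp["direct"] | exp["indirect"]
        if len(fsps) < min_fsps:
            continue
        rows.append({
            "provider": provider,
            "fsps": len(fsps),
            "systemic_fsps": len(fsps & systemic),
            "services": len(exp["services"]),
            "via_subcontracting_only": len(exp["indirect"] - exp["direct"]),
        })
    rows.sort(key=lambda r: (r["fsps"], r["systemic_fsps"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in concentration_report(REGISTER, SYSTEMIC_FSPS):
        print(row)
```

On the constructed register, CloudCo is contracted directly by only two banks but serves four once the two subcontracting chains are followed, across three distinct services and including both systemically important FSPs; ModelCo is contracted directly by one bank but underpins the fraud-scoring service of three institutions through a single vendor. Neither picture is visible from any one FSP's own materiality assessment, which is the point the text makes about why the system-level view, and the subcontractor detail in the register, matter.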
The European Supervisory Authorities (ESAs), namely the European Banking Authority, the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority, are responsible for designating the ICT third-party service providers that are critical for FSPs, based on the criteria set out in Article 31 of DORA. The ESAs must also designate a Lead Overseer for each critical ICT third-party service provider. The Lead Overseer is the ESA responsible for the FSPs that collectively hold the largest share of the total assets of all FSPs using the services of the relevant critical ICT third-party service provider, as evidenced by the sum of the individual balance sheets of those FSPs.

UNITED KINGDOM AND CRITICAL THIRD-PARTIES
Recently, the UK financial regulators, namely the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA), and the Bank of England (BoE), emphasized that UK FSPs are increasingly relying on third-party services to support their operations. While this trend offers multiple benefits, it also introduces systemic risks to UK financial stability, market integrity, and consumer protection.
In response to this growing reliance, the UK’s Financial Services and Markets Act 2023 has granted the financial regulators and the Treasury new powers concerning critical third parties. These new powers aim to enable the regulators to intervene proactively so as to raise the resilience of the services that critical third-parties provide to FSPs and financial market infrastructure entities (FMIs).
A consultation paper has recently been jointly published by the UK’s financial regulators (FCA 2024). This document outlines the proposed requirements for critical third parties, including cloud computing firms, that offer services to the UK financial sector. A primary aim of the proposed requirements is to manage potential risks to the stability of, or confidence in, the UK financial system. Such risks may arise from a failure in, or disruption to, the services provided by a critical third party to one or more FSPs and/or FMIs.
The Financial Services and Markets Act 2023 granted the UK Treasury the power to designate a third party that provides services to multiple FSPs as a “critical third party” under specific conditions. The proposal aims to enable the regulators to monitor and manage these risks effectively and proportionately, advancing their respective objectives. The proposed requirements would also allow the regulators to directly oversee the services provided by critical third parties to institutions under their jurisdiction. Importantly, they complement rather than replace the individual responsibilities of FSPs, their boards, and senior management in meeting their existing regulatory obligations related to operational resilience and third-party risk management. Through these measures, UK regulators seek to ensure the resilience of critical third-party services, thereby reducing the risk of systemic disruption.
The proposed requirements would apply to services provided to FSPs and FMIs regulated by the financial regulators, regardless of where these services are performed. The proposals are therefore agnostic as to the location of a critical third party: there is no requirement for a critical third party to set up a UK establishment (e.g., a subsidiary) if one does not already exist. This approach recognizes that critical third parties may provide services from multiple jurisdictions, which can help enhance the efficiency and resilience of these services, and that the FSPs and FMIs receiving those services may likewise operate in multiple jurisdictions. It could also reduce compliance costs for critical third parties, FSPs and FMIs compared with an approach that required critical third parties to localize entities, infrastructure, personnel, or services in the UK.