Risk assessment and monitoring of outsourcing relationships

Concentration Risks

FSPs should monitor and manage their internal concentration risks resulting from outsourcing arrangements. These risks may arise due to several factors, including:

• outsourcing to a dominant service provider that is not easily substitutable
• having multiple outsourcing arrangements with the same service provider depending on the materiality level of each arrangement
• contracting with multiple service providers with a dependency on the same critical subcontractor (e.g., a cloud computing service provider)
• concentration of services from one or multiple service providers in a specific geographical location

In addition to these factors, the ECB, for example, also highlights that while assessing the concentration risk associated with third-party cloud computing services, an FSP needs to account for the possibility that its service providers may also be reliant on the same cloud service provider (CSP) that the FSP itself uses (ECB 2024a).

The concentration of outsourcing arrangements at the FSP level help supervisory authorities in identifying the concentration of these arrangements at service providers. Importantly, it will enable them to assess the system-level concentration and interconnectedness in the financial sector and to identify and manage risks to the stability of the financial system.

In some countries, FSPs are required to maintain a centralized registry of their outsourcing arrangements. For example, MAS requires banks and other financial institutions to maintain a register of material outsourcing arrangements according to the template designed by MAS (MAS 2023a, MAS 2023b, and MAS 2023c). The register needs to be readily accessible for review by the board and senior management of the bank. Since 2022, the ECB has also been collecting outsourcing registers annually from all bank it supervises (ECB 2024b). This is based on the requirements of the EBA (2019), which emphasize the importance of and need for robust risk management frameworks to assess, manage and mitigate outsourcing risks.

The registry helps FSPs identify and manage risks, including concentration risk stemming from outsourcing arrangements. However, it also supports the supervisory authority in assessing market-level concentrations and putting in place mitigation measures for addressing these risks. The supervisory authority can require FSPs to keep a register of all outsourcing arrangements. However, the extent of documentation required for the registry may vary between material services and other outsourcing arrangements. For non-material outsourcing arrangements, the documentation requirements may be lighter to avoid undue burden on FSPs, especially since many non-material outsourcing arrangements may have low-risk impacts.

Vendor Lock-in Risk

Vendor lock-in risk is an important risk in outsourcing relationships for FSPs. FSB (2019) defines vendor lock-in as a situation whereby a company is unable to easily change its service providers either due to the terms of a contract, a lack of feasible alternative providers or technical features.

The assessment of the level of lock-in risk is particularly important in the outsourcing of cloud computing services. This risk can increase due to several factors including (i) the asymmetry of power between the FSP and the CSP¹, (ii) the effectiveness of the CSP’s risk management and governance, (iii) the financial implications of transitioning to a new CSP including the cost of data migration, (iv) the type of cloud services provided and the nature of the data involved, and (v) the applicable legal and regulatory framework. Furthermore, portability of data and applications is not technically easy and can introduce operational and cybersecurity risks (Dias 2020). As a result, in the event of a disruption at a CSP, the FSP may have limited ability to exit the outsourcing arrangement and transition to another CSP or bring the cloud services back in-house. Switching cloud services can be challenging, and developing options to exit in a short period of time may not always be feasible without incurring undue costs or risks to the FSP. FSPs may struggle to develop the capability to exit cloud computing service relationships without undue risks in unexpected, stressed circumstances. To manage concentration and vendor lock-in risks, some FSPs have adopted a multi-cloud strategy, which involves distributing their workload across multiple CSPs or employing a hybrid model that combines outsourcing to CSPs providing public cloud services with other arrangements, such as private cloud or on-premise data centers (BCBS 2024b).

To mitigate the risk of vendor lock-in regarding the cloud outsourcing, FSPs could be encouraged to adopt international and open standards. This approach involves adhering to widely recognized cloud computing standards set by organizations such as ISO, NIST, or ETSI. By doing so, adopters of cloud can help promote interoperability and portability of their cloud solutions across different providers, helping prevent reliance on a single vendor. Moreover, open standards foster a competitive multi-vendor environment, by defining consistent interfaces, data formats, and security protocols that enable application and data portability between standards-compliant clouds. This provides flexibility in cloud deployments, reduces switching costs, and allows for the implementation of multi-cloud strategies.

Privacy & Data Security Risk

Public confidence in FSPs is crucial for the stability and reputation of the financial sector. Therefore, it is important for an FSP to ensure that its service provider's security policies, procedures, and controls are capable of protecting the privacy and security of customer data.This should include ensuring compliance with applicable data protection and security frameworks, as well as adherence to international best practices.

Data protection frameworks provide legal certainty for customers and providers about their roles, responsibilities, and required security standards for personal data, including when using cloud services. These frameworks also help mitigate privacy and data protection risks as they establish clear obligations for service providers to maintain data confidentiality, limit third-party access to that data, and ensure that data processing is only done according to the instructions of the data controller. Similarly, requiring compliance with cybersecurity frameworks and best practices sets a clear baseline for service providers to meet state-of-art data security standards.

As part of its risk management activities, an FSP should regularly review and monitor the security practices and control processes of the service provider. This may include commissioning audits or obtaining periodic expert reports on privacy, security adequacy and compliance of the service provider. The FSP should only disclose data to the service provider on a need-to-know basis and require the service provider to report any breaches of data privacy. This requirement should be included in the contract between the FSP and the service provider.

A few jurisdictions have introduced data localization requirements that restrict the flow of transnational data, primarily due to concerns about data protection and privacy. While these measures may intend to protect national interests and appear attractive to facilitate greater control, policymakers and regulators should also consider the potential drawbacks of broad application. These include hindered data portability and interoperability, as well as limitations on business continuity and critical networked services like disaster recovery (Amin et al. 2021). Paradoxically, such restrictions may compromise data security rather than enhance it. These policies, for example, can limit access to efficient, innovative, and secure large-scale public cloud services that typically operate across multiple countries. Data localization requirements and inconsistences in data protection laws across countries could impede or make it difficult for globally active FSPs to use CSPs in different jurisdictions to leverage the best capability of different CSPs, or to use a single CSP with data centers in various jurisdictions as a tool to increase operational resilience by easily porting data and applications (Dias 2020). Furthermore, data localization regulations can prevent both internal and local FSPs from entering the market. They may also lead to significant additional costs if they rely heavily on cloud services, thereby limiting their potential to offer innovative products and services that would benefit excluded and underserved individuals (Kerse et al. 2024 and Baur-Yazbeck 2018).

Data localization measures often align with protectionist agendas, potentially hampering international trade and limiting the benefits of a free and open internet for businesses and individuals. They can increase costs for businesses, reduce competition, and lead to higher prices and fewer service options for users. Furthermore, stringent data localization rules may discourage investment from, for example, major CSPs, particularly in smaller markets, as they prevent demand aggregation necessary for large-scale data center operations. Thus, while aimed at attracting investment and protecting data, these measures can ultimately hinder economic growth, innovation, and the very security they seek to ensure.