Supervision of individual FSPs
Supervisory oversight of outsourcing relationships and service providers relies primarily on FSPs to manage the risks arising from outsourced services. Regulations typically hold the board and senior management of an FSP accountable for any outsourced service, and the regulatory and supervisory framework often shapes how FSPs are expected to oversee and manage their outsourcing relationships. Supervision therefore focuses on evaluating the adequacy of an FSP's outsourcing arrangements and the related contractual frameworks. In many jurisdictions, FSPs must also notify, or obtain authorization from, the supervisory authority before engaging material outsourced services, including cloud-computing services, which gives supervisors early visibility of the arrangements that matter most. For example, the Saudi Arabian Monetary Authority (SAMA) requires FSPs to obtain approval before entering into material outsourcing arrangements (SAMA 2019). Where a notification regime is in place, notification may be required either before (ex ante) or after (ex post) the outsourcing agreement is concluded. The Australian Prudential Regulation Authority (APRA), for instance, requires FSPs to notify it after entering into a material outsourcing agreement; the intent is to keep APRA apprised of changes to the FSP's risk profile through an understanding of the solution selected and its impact on the FSP. However, FSPs must consult APRA before entering into an outsourcing arrangement involving a material business activity where offshoring is involved, and where a proposed use of cloud-computing services presents heightened or extreme inherent risks, APRA encourages consultation before entering into any outsourcing arrangement, whether or not offshoring is involved.¹ Through this, APRA aims to ensure that the FSP understands these risks and has the capability to manage them (APRA 2018).
Supervisory authorities often require FSPs to establish outsourcing frameworks that clearly set out the risk management and governance of outsourced services. These frameworks should specify the roles and responsibilities within the FSP for managing outsourcing relationships, and should define which activities may be outsourced, the conditions under which outsourcing is permitted, and the specific risks to be assessed and managed. FSPs should consider the various types of risk arising from outsourcing relationships, such as compliance risk, cybersecurity risk, vendor lock-in risk, and concentration risk. FSPs are also commonly expected to maintain an inventory (i.e., a register) of outsourced services and the relevant service providers, which must be kept up to date and available for supervisory review.
Regulations often require FSPs to sign an agreement with each service provider setting out the rights, obligations, and responsibilities of both parties. Many regulators specify the minimum provisions that must be included in these agreements, including confidentiality and security requirements to protect the data of the FSP and its customers. Many regulations also mandate that these contracts guarantee the FSP the right to inspect and audit its service providers, and in some jurisdictions outsourcing agreements must additionally grant supervisory authorities the right to inspect and supervise the service provider. These provisions are important for effective supervisory oversight. For example, APRA's outsourcing standards on cloud computing require APRA-regulated entities to include an APRA-access clause in their outsourcing contracts. Such a clause must grant APRA access to documentation and information and the right to conduct onsite visits of the service provider. The APRA-access clause is considered an important prudential tool, as it aims to remove legal impediments that could inhibit APRA's ability to fulfil its duties as a prudential regulator, including during the resolution of an APRA-regulated entity (APRA 2018).
Many supervisory authorities expect FSPs to have an assurance process covering the operational resilience of their service providers. FSPs can obtain this assurance through various tools, including their own internal audits and audit reports commissioned by the service provider and conducted by an independent third party; the FSP's internal audit function may also assess whether the controls and provider-initiated audits deliver an adequate level of assurance. At the international level, the BCBS (2021) requires banks to confirm that their third parties have at least an equivalent level of operational resilience to safeguard the bank's critical operations, both in normal circumstances and in the event of disruption. However, some FSPs, particularly smaller ones, may lack the capacity and resources to perform this assurance process. A further challenge in obtaining an adequate level of assurance over outsourced services (e.g., cloud-computing services) is balancing the needs of multiple FSPs against the practicalities of not overburdening the service provider (APRA 2018). To address these issues, some regulations encourage industry solutions where there are synergies across the assurance work that firms, including FSPs, perform on third parties, such as through certifications. Similarly, recognizing the difficulty of auditing large third-party technology providers, some authorities now accept pooled audits (i.e., audits conducted collaboratively with other FSPs that are also clients of the same service provider) or independent audits of the third party performed by either its internal audit function or an external auditor (Koh and Prenio 2023). All of these tools give supervisors useful insight for risk-based oversight of FSPs' management of their outsourcing arrangements and the relevant service providers.
1. For examples of outsourced cloud-computing usage with heightened or extreme inherent risks, see APRA (2018).