GFMA Outsourcing Supervisory Issues
On Jan. 12, GFMA issued a response to the FSB consultation on outsourcing.
- GFMA issued response to FSB consultation on outsourcing, third-party relationships.
- Follows Nov. 2020 FSB proposed rules on regulating outsourcing, see #90348.
- Highlighted key matters raised in response to questions posed in discussion paper.
- Key Matters
- Rules on third-party relationships should adopt risk-based, outcome-focused approach.
- Regulators should avoid imposing prescriptive obligations on financial institutions.
- Global consistency on scope and definitions of commonly used key terms is required.
- Re taxonomy of key terms, need to differentiate between third-party services of different nature, as institution / supervisory oversight should be proportionate to risks.
- Global consistency of standards and treatment across jurisdictions is also required.
- Need to coordinate timing of consultation, release of new rules across jurisdictions.
- A key concern of GFMA members is whether the use of cloud as part of an outsourcing arrangement and third-party services would become an automatic indication of risk.
- Supervisor should take proportionate approach to intra-group outsourcing compliance.
- Cautioned against the implementation of data localization measures; instead, regulators should consider establishing information sharing regimes to address relevant concerns.
- Important to differentiate between sector-wide concentration risks and instances where group is dependent on single service provider for provision of outsourced tasks.
- Suggested that use of pooled audits, third-party certifications and shared assessments may assist in enhancing the efficiency of due diligence down the value chain.
- Direct oversight by regulators of critical third parties may address concentration risk.
- Support further cross-border collaboration between regulators, financial institutions and service providers, in order to limit the risk of inconsistent regulatory requirements.
- Lessons from Covid
- Pandemic demonstrates importance for institutions to adopt a risk-based approach and focus on operational resilience in managing outsourcing and third-party risk exposures.
- Need to plan for longer term recovery as well as addressing short-term impact events.
- Control functions need to be more dynamic to cope with exceptional circumstances.
PR, 1/12/2021; Rsp 1/8/2021; COVID-19
Compliance; Financial; Legal; Operations; Outsourcing; Privacy; Reporting; Risk; Technology
Fund Mgt; Securities
Reg. Last Update: Last substantive update on 01/12/2021