GFMA Outsourcing Supervisory Issues


On Jan. 12, GFMA issued response to FSB consultation on outsourcing.


  • GFMA issued response to FSB consultation on outsourcing, third-party relationships.
  • Followed Nov. 2020 FSB proposed rules on regulating outsourcing; see #90348.
  • Highlighted key matters raised in response to questions posed in discussion paper.

Key Matters

  • Rules on third-party relationships should adopt risk-based, outcome-focused approach.
  • Regulators should avoid imposing prescriptive obligations on financial institutions.
  • Global consistency on scope and definitions of commonly used key terms is required.
  • Re taxonomy of key terms, need to differentiate between third-party services of different nature, as institution / supervisory oversight should be proportionate to risks.
  • Global consistency of standards and treatment across jurisdictions is also required.
  • Need to coordinate timing of consultation, release of new rules across jurisdictions.
  • A key concern of GFMA members is whether the use of cloud as part of an outsourcing arrangement and third-party services would become an automatic indication of risk.
  • Supervisor should take proportionate approach to intra-group outsourcing compliance.
  • Cautioned against the implementation of data localization measures; instead, regulators should consider establishing information sharing regimes to address relevant concerns.
  • Important to differentiate between sector-wide concentration risks and instances where group is dependent on single service provider for provision of outsourced tasks.
  • Suggested that use of pooled audits, third-party certifications and shared assessments may assist in enhancing the efficiency of due diligence down the value chain.
  • Direct oversight by regulators of critical third parties may address concentration risk.
  • Support further cross-border collaboration between regulators, financial institutions and service providers, in order to limit the risk of inconsistent regulatory requirements.

Lessons from Covid

  • Pandemic demonstrates importance for institutions to adopt a risk-based approach and focus on operational resilience in managing outsourcing and third-party risk exposures.
  • Need to plan for longer term recovery as well as addressing short-term impact events.
  • Control functions need to be more dynamic to cope with exceptional circumstances.

Regulators: GFMA
Entity Types: B/D; IA
Reference: PR, 1/12/2021; Rsp 1/8/2021; COVID-19
Functions: Compliance; Financial; Legal; Operations; Outsourcing; Privacy; Reporting; Risk; Technology
Countries: Global Regulator
Products: Fund Mgt; Securities
Regions: Global
Rule Type: Guidance
Rule Date: 1/12/2021
Effective Date: 1/12/2021
Rule Id: 95235
Linked to Rule: 90348
Reg. Last Update: 1/12/2021
Report Section: International

Last substantive update on 01/12/2021