
Sound management of third-party risk – Executive Summary

2026-03-25 BIS

Sound management of third-party risk – Executive Summary

Background

A third-party service provider (TPSP) is an entity or individual that performs services, activities, functions, processes or tasks directly for a bank.

Banks enter into formal arrangements with TPSPs for various reasons, including enabling access to specialised expertise, reducing costs and improving scalability, efficiency and operational resilience.

While such arrangements allow banks to focus on their core activities, they can also reduce banks' direct control over their operations and assets (including data) and may introduce new or increase existing risks. These risks include:

• risks to critical services – risks arising from disruption to a TPSP service that is critical to a bank's viability, critical operations or ability to meet key legal and regulatory compliance obligations
• supply chain risks – risks arising from disruption to a service provider that is part of a TPSP's supply chain (nth party) and is essential to the ultimate delivery of a critical service to a bank
• concentration risk – risk arising from a dependency of a bank on one or more services provided by a single TPSP or a limited number of TPSPs; such dependency may also occur at the banking or financial sector level, leading to systemic risk

Banks therefore need to have appropriate risk management of their TPSP arrangements to enhance their ability to withstand, adapt to and recover from operational disruption, and be able to mitigate the impact of potentially severe disruptive events.

The Basel Committee on Banking Supervision (BCBS) Principles

In this context, the BCBS issued the Principles for the sound management of third-party risk. The principles, which supersede the 2005 Joint Forum paper Outsourcing in financial services in respect of the banking sector, build on more recent BCBS publications, such as the Principles for operational resilience and the revised Principles for the sound management of operational risk.
The principles relating to the sound management of third-party risk follow the life cycle of a TPSP arrangement as illustrated in the following chart. The stages of the life cycle do not necessarily reflect a linear progression. Rather, the output of each stage should serve as factors to consider in the subsequent and prior stages.

The principles seek to accommodate a diverse range of bank risk management practices and approaches and aim to promote international engagement, as well as greater collaboration and consistency, with a view to reducing regulatory fragmentation.

These principles are outlined in the following table. Principles 1 and 2 provide guidance on TPSP arrangements in relation to governance, risk management and strategy, which are integral to each stage of the TPSP life cycle. Principles 3–9 provide guidance on the effective management of TPSP risks at different stages of the life cycle: risk assessment, due diligence, contracting, onboarding, ongoing monitoring and termination. Principles 10–12 provide guidance for prudential supervisors.

Large internationally active banks and their prudential supervisors in BCBS member jurisdictions are the target of the principles. They are intended to be applied on a proportionate basis depending on the size, complexity, business model and risk profile of the bank, as well as the risks and criticality of the TPSP arrangements.

This Executive Summary and related tutorials are also available in FSI Connect, the online learning tool of the Bank for International Settlements.