The concentration of banks’ reliance on third-party service providers has become a source of systemic risk in global finance. National and international policymakers have started to discuss the implications and regulatory options. But these are early days on a long road toward building strong defenses against the mounting risks of third-party concentration.
The Reality of Third-Party Concentration
Many outsourced services in banking are concentrated in just a few key service providers, and there would be substantial industry implications if one of those providers went down. Examples of services dominated by a small number of providers include:
- Cloud computing services;
- Mortgage origination platforms;
- Mortgage servicing platforms;
- Portfolio management tools;
- Core banking systems;
- Consumer loan processing systems;
- Loan disclosure production vendors;
- Mobile banking app providers;
- Consumer reporting agencies; and
- FinTech infrastructure vendors.
Today, bank regulatory and examination guidance focuses primarily on how individual financial institutions should manage their third-party risk, including concentration risks within a bank that is relying on a single provider for multiple services. And ironically, the routine bank examination process may actually increase concentration, if inadvertently, by encouraging banks to use established vendors to ensure reliability, security, and compliance.
Meanwhile, regulators have taken relatively little action to address the systemic risk of concentration across banks—with two exceptions. The first exception is supervision of financial market utilities (FMUs) that provide infrastructure for transferring, clearing, and settling payments and securities transactions between financial institutions.
Examples include one company that dominates over-the-counter interest rate derivative swaps and another that controls credit default swaps.1 The Bank for International Settlements (BIS) has instituted a set of principles for such FMUs covering overall resilience, cyber resilience, recovery, disclosures, and other areas. And these principles might provide a foretaste of requirements to come for other third-party service providers.2
The second exception involves technology service providers (TSPs) regulated by the federal banking regulators. The Board of Governors of the Federal Reserve System (FRS), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) have authority to supervise third parties that provide services to their regulated financial institutions.3 For TSPs that provide services to financial institutions supervised by more than one of these regulators, the three agencies coordinate supervisory activities through the Federal Financial Institutions Examination Council (FFIEC).4
TSPs supervised through these programs are those that are mission-critical, or vital to the continued success of a core business activity, for a large number of financial institutions. Supervision of entities offering key services, such as electronic funds transfer, payment processing, computing and posting account debits and credits, and preparing and mailing statements, notices, and checks, has been the agencies’ priority. Many of these mission-critical TSPs are designated as Multiregional Data Processing Servicers (MDPs) to reflect their broad geographic scope.
Currently, however, many significant third-party providers are not covered by the FFIEC TSP supervision program. Only 8 FMUs and 15 MDPs have been designated by the Financial Stability Oversight Council (FSOC) and the FFIEC, respectively.5
The Regulation of Concentration Risk
While there has been little action, questions have been swirling around third-party service providers like those in the segments listed at the top of this article. Should regulators be considering concentration more broadly than the FMUs and MDPs? Should the concept of systemically important financial market utilities be extended to cover other dominant service providers?
These questions are amplified by such technology, business, and societal challenges as the meteoric rise of cloud computing and storage, expansion of Software as a Service (SaaS), unprecedented cybersecurity threats, the rapid shedding of non-core business functions to third parties, and, most recently, the fallout from the COVID-19 pandemic. It’s not hard to see where these developments could intersect. For instance, as millions of people suddenly shifted to working from home, “in the cloud,” amid pandemic-mitigation orders to shelter in place, financial institutions had to cope with massive increases in needs for secure remote access connections, distributed computing, and teleworking. Simultaneously, cyber criminals escalated attacks with scam emails, hacked videoconferences, and other exploits preying on teleworkers as fearful weak links in stretched corporate networks.
Foretelling the risks ahead, the Financial Stability Board (FSB) proclaimed last year that, “If high reliance were to emerge, along with a high degree of concentration among service providers, then an operational failure, cyber incident, or insolvency could disrupt the activities of multiple financial institutions.”6
Cloud Services May Set the Regulatory Stage
While many types of third-party service providers pose risks that can cascade across the banking industry—as a 2017 data breach at one major credit bureau clearly demonstrated—cloud services have attracted particular attention from policymakers. Cloud service providers may, in fact, set the regulatory stage for third-party service provider regulation more generally.
As the FSB said in a report on FinTech and Market Structure in Financial Services, “While increased reliance on third-party providers specializing in cloud services may reduce operational risk at the individual firm level, it could also pose new risks and challenges for the financial system as a whole.”7
The FSB has called for a global dialogue among supervisory and regulatory authorities in areas including:
- existing regulatory standards and supervisory practices for outsourcing arrangements, and whether there is a need to further assess the systemic dimension of risks
- the need for standards-setting bodies to update current frameworks
- possibilities for better coordination, cooperation, and information sharing among national authorities when considering cloud services used by financial services companies8
Meanwhile, in the U.S., Congresswomen Katie Porter and Nydia Velazquez urged the U.S. FSOC late last year to designate leading cloud-based storage systems as systemically important financial market utilities, subject to supervision and regulation by the Federal Reserve.9 “Too often we are trying to solve yesterday’s problems tomorrow, instead of making policy that prevents tomorrow’s problems from happening in the first place,” Porter said. “As our financial system increasingly relies on cloud computing and other forms of technology, we need to ensure the proper 21st century safeguards are in place to prevent another financial crisis.”
Roadblocks to Supervision
There are significant roadblocks to implementing broader supervision of third parties, however. One issue is identification of mission-critical TSP organizations. Federal agencies rely on timely and accurate reporting from depository institutions to identify key service providers, and there is limited enforcement of the reporting timelines in the Bank Service Company Act.10 As a result, the agencies may lack an accurate and complete inventory of TSPs. In addition, the agencies may have limited information about the types of technologies used by third parties to provide services to banking institutions. This lack of information can impede effective risk prioritization and supervision.
Another key issue is adequacy of staffing and technological expertise. It is unclear whether the federal banking regulators have enough staff with detailed technical knowledge to appropriately supervise third parties using a broad range of technologies to provide numerous types of diverse services to depository institutions. Attracting and maintaining appropriate staffing to supervise all important third parties will require significant investment in human capital.
The Bottom Line
The risk posed to the global banking system by concentration among third-party service providers has arrived on policymakers’ radar screen. It may be only a matter of time—in a race against the worst-case scenario—before some of these major service providers are subjected to new financial regulatory scrutiny. In the interim, financial institutions should examine their third-party risk management processes to ensure the adequacy of business continuity plans, the appropriateness of contractual provisions, especially those related to information and cybersecurity,11 and the availability of alternative providers for critical services.
1 “What If a Clearinghouse Fails?,” Brookings Institution
2 “Principles for Financial Market Infrastructures,” BIS
3 12 USC 1464(d)(7), 1867(c)(1)
4 “Supervision of Technology Service Providers,” Federal Financial Institutions Examination Council
5 MDP count is as of 2017, the last publicly available data.
6 “FinTech and Market Structure in Financial Services,” Financial Stability Board
7 “FinTech and Market Structure in Financial Services,” Financial Stability Board
8 “Third-Party Dependencies in Cloud Services,” Financial Stability Board
9 “Velazquez, Porter Urge FSOC to Oversee Tech Giants,” Press Release
10 “The Board Can Enhance Its Cybersecurity Supervision Approach in the Areas of Third-Party Oversight, Resource Management, and Information Sharing,” Office of the Inspector General of the Board of Governors of the Federal Reserve System
11 “Technology Service Providers for Banks,” Congressional Research Service