Board directors of banks must take ultimate responsibility for outsourced services and document how they manage the risk of outages and disruptions to customer services, the global Basel Committee of banking regulators has proposed.
Banks increasingly use third-party tech companies, such as Microsoft, Amazon and Google, for cloud computing to run key services, raising concerns among regulators about the impact on the financial sector if a provider used by many banks went down.
“Ongoing digitalisation has led to rapid adoption of innovative approaches in the banking sector,” the Basel Committee said in a statement.
“As a result, banks have become increasingly reliant on third parties for services that they had not previously undertaken.”
The committee, made up of regulators from the G20 and other countries, proposed 12 principles for banks and their regulators to apply, noting that the bank’s board of directors has ultimate responsibility for oversight of third-party arrangements.
“As with all business processes, documentation evidencing key decisions (e.g. third-party strategy, board minutes reflecting decision to enter into a critical… arrangement) should be maintained in banks’ records,” Basel said in its consultation paper.
Third-party services have come under increased scrutiny as hackers continually try to breach banks’ cyber defences and undermine operational resilience, leading to suspension of customer services for hours or even days.
The European Union has approved a Digital Operational Resilience Act (DORA) to improve resilience in the financial sector from January next year, with Britain doing likewise.
Basel said banks should undertake “appropriate due diligence” of risks before they sign contracts with third parties and monitor how the service is performing.
Banks should also maintain “robust business continuity” management so they can operate during a disruption, Basel said.