The Bank of England has just released a suite of landmark policy and supervisory statements on third party risk management in banking and investment services, notably aimed at recognised payment system operators, specified service providers, and all Financial Market Infrastructures (FMIs). Alongside, HM Treasury has published the G7 Fundamental Elements for third party cyber risk management in the financial sector—setting a new compliance bar for outsourced operations and third party supply chains.
Third party risk management in banking is now at the centre of the regulatory agenda for UK banking and investment firms. The Bank’s updated code and Supervisory Statements clarify accountability, governance, due diligence, and resilience requirements. Firms remain unequivocally responsible for regulatory compliance, regardless of third party involvement.
Key Points:
- The Bank’s new Supervisory Statement demands documented frameworks covering end-to-end third party risk management, with proportionality principles, risk mapping, board accountability and strengthened record keeping. Risk assessments must be repeated after major incidents or contract changes. The new rules also explicitly highlight the shared responsibility model (especially for cloud outsourcing).
- Critical outsourcing agreements now require robust written contracts, comprehensive audit and access rights, and contingency arrangements for business continuity and exit. Firms need to tightly control sub-outsourcing, with oversight and contractual clarity throughout the service chain.
- The G7 Elements introduce international standards for cyber risk in third party relationships and ICT supply chains. Systemic risk and service continuity are primary regulatory concerns. Banks must update their frameworks in line with these guidelines by February 2024.
Immediate Actions for Banking and Investment Firms:
- Review all current third party and outsourcing agreements—identify gaps versus the Bank and G7 frameworks.
- Update policy, board governance, and risk management procedures to meet documented and ongoing compliance.
- Map critical business services and impact tolerances. Reassess cyber risk and operational resilience for all ICT supply chain partners.
- Ensure contingency and exit plans are practical and tested.
- Schedule board reviews of third party risk frameworks ahead of the next regulatory deadline.
Leaman Crellin recommends that its clients in the banking and investment sector do not delay their compliance enhancements. Our boutique regulatory consultancy provides expert-led, tailored reviews of outsourcing arrangements, cyber risk frameworks, and board governance for regulated firms.
Contact our regulatory team to book a free initial consultation and plan a compliance review.