In July, the Basel Committee on Banking Supervision (BCBS) published a consultative document on Principles for the sound management of third-party risk. The document notes that ongoing digitization has increased banks’ reliance on third parties, resulting in a need to evolve the concept of outsourcing and third-party risk management to strengthen the resilience of the global banking system. BCBS highlights twelve principles across three categories: (i) governance, risk management, and strategy; (ii) the life cycle of third-party service provider arrangements (risk assessment, due diligence, contracting, onboarding and ongoing monitoring, termination); and (iii) the role of supervisors.
We welcome BCBS’s efforts to strengthen third-party risk management in the banking sector and to promote alignment and coordination on an international scale. We appreciate the Committee’s focus on remaining technology-agnostic, promoting international engagement, and reducing regulatory fragmentation. Technologies such as cloud computing enable digital transformation and rapid innovation. As financial institutions continue to adopt these technologies, principles-based, proportionate, and outcomes-focused regulatory frameworks can help foster innovation, security, and resilience. The work of international bodies such as BCBS is critical to ensuring effective risk management in an evolving technology landscape.
AWS is committed to working with the financial services community to enhance operational resiliency and security. The primary themes we focus on in our submission to BCBS are:
1. Ensuring a Proportionate and Risk-Based Approach: We commend the Committee’s efforts to ensure the concepts of criticality and proportionality apply to the Principles they have laid out. These concepts are essential to ensuring that third-party risk management frameworks adequately control risk, without imposing an undue burden upon regulated entities. We recommend considering where there may be further scope for the requirements set out in the document to be applied proportionately.
2. Advocating for Regulatory Alignment: One of the primary objectives of the Principles is to establish greater consistency internationally. Leveraging existing certification standards, third-party attestations and reports can enhance the consistency of critical third-party due diligence, while also being more efficient and effective for individual financial institutions. Establishing mechanisms for cross-sectoral and cross-border coordination and dialogue is critical to facilitate a better understanding of third-party service operations in the financial sector, including regulator-to-regulator coordination, to avoid potential regulatory fragmentation.
3. Focusing on Operational Resilience: Robust architecture and locational diversity by Cloud Service Providers enhance resilience. To avoid single points of failure, AWS minimizes interconnectedness within our global infrastructure: (i) Regions are independent and isolated from each other, meaning that a disruption in one Region does not result in contagion in other Regions; (ii) Availability Zones within each Region are physically separated and independent from each other, built with highly redundant networking to withstand disruptions. Financial institutions should focus their efforts on establishing robust operational resilience plans to handle potential disruptions in critical operations, and cloud service providers should similarly focus on the resilience of their global infrastructure.
What’s Next?
AWS is committed to supporting international dialogues to uphold the resilience of the global financial system while enabling digital transformation through harmonized and fair regulatory frameworks. We look forward to continuing to work with our customers and the BCBS as the toolkit is finalized.