BCBS principles for the sound management of third-party risk
10 December 2025

The Basel Committee on Banking Supervision (BCBS) has published its principles for the sound management of third‑party risk, replacing the 2005 Joint Forum outsourcing paper and establishing a common baseline for banks and supervisors. This follows the July 2024 consultation. The framework applies proportionately, covers the full lifecycle of third‑party service provider (TPSP) arrangements and emphasises: (i) rigorous governance by the board and senior management; (ii) maintenance of a comprehensive third‑party risk management (TPRM) framework aligned with operational risk and resilience standards; and (iii) heightened expectations for critical services. Key areas covered include governance and strategy, risk assessment and due diligence, contracting, onboarding and monitoring, termination and the role of supervisors.
As a general overview, the expectation is that banks should maintain up‑to‑date registers and mapping of all TPSP arrangements and key parties in the supply chain, assess and manage bank‑level concentration risk, and treat intragroup providers with the same risk discipline as external TPSPs. Prior to engagement, banks should perform robust risk assessment and due diligence; contracts should be legally binding and include rights of access and audit for banks and supervisors, clear SLA metrics, data location and security obligations, incident notification requirements, obligations on key parties in the supply chain, and provisions supporting business continuity and disaster recovery plans. Responsibilities throughout the lifecycle of a TPSP arrangement include structured onboarding, continuous performance and risk monitoring (including incidents and material changes), periodic reporting to the board, and regular business continuity assurance and testing, with contingency measures where substitutability is limited.
As for the role of supervisors, they should evaluate TPRM as part of ongoing assessment and risk monitoring, and promote cross-sector and cross-border coordination to monitor potential systemic risks that may be presented by critical TPSPs.
Financial Regulatory Developments Focus