The Financial Stability Board (FSB) is an international body within the Bank for International Settlements (BIS). The FSB monitors developments in the global financial system and makes recommendations for advancing financial stability from an international perspective. Due to his position, Israel’s Supervisor of Banks is an observer (together with the Capital Market Supervisor) in the FSB’s European Working Group.
The following are the main points of the Supervisor’s remarks:
Thank you for the warm introduction and excellent presentation. It is a great honor to be here and a distinguished opportunity to share some of our insights with you.
Like many other jurisdictions, the BSD (which stands for the Banking Supervision Department at the Bank of Israel) set out supervisory requirements regarding "outsourcing" and contractual agreements with third-party service providers. These requirements come in the form of directives that provide detailed guidance on the risk management of such agreements, and emphasize the responsibility of the supervised entity's management and board of directors to ensure that activities or services provided by third parties meet all other regulatory and legal requirements.
The BSD's supervisory approach to outsourcing is in line with international standards and best practices. We adopted the Principle-Based Approach, according to which the requirements for outsourcing are consistent with other regulatory requirements in different areas, such as business continuity, information security, risk management and corporate governance.
This approach is in line with the concept that financial institutions should be the first line of defense when it comes to managing risks associated with third-party providers. Nonetheless, the BSD monitors these risks to make sure the financial institutions have adequate risk management practices and procedures that are in line with the BSD's principles.
This approach is also in line with our approach to innovation. This means that we believe a regulator should not restrain the use of technological solutions, including those provided by third parties, as long as they have sound managing practices of the risks associated with them.
Accordingly, we focus on removing or lowering regulatory barriers to enable technological transformation, supporting the infrastructure upon which the technological transformation can be built upon, and imposing regulations only when the activity becomes significant and not prior to that.
Our outsourcing directive identifies and focuses on six areas: the first one is the overall responsibility of the senior management and Board of Directors for outsourcing; the second one deals with due diligence, and ways to make sure that the service provider has adequate skills, resources, financial and operational capabilities as well as insurance coverage; the third one covers the area of business continuity including the formulation of a recovery stress scenario for each of the outsourcing agreements; the fourth one ensures that the financial institution monitors and controls consumer protection aspects (e.g., transparency, fairness); the fifth one provides a list of activities not to be outsourced; the sixth and last one deals with accountability.
We consider cloud computing agreements as a special case of "outsourcing," and therefore, any cloud service is considered and treated as outsourcing of essential operations to a third party. Currently, we are working to modernize and update our cloud computing directive by incorporating it with the more comprehensive "outsourcing" directive.
Data security, information and cyber security threats are a growing concern for the safety of our supervised entities, and for the stability of the financial system as a whole.
In the past two years, and especially during the Covid-19 pandemic, we identified more threats and incidents. These threats targeted supervised entities as well as third-party service providers, and required us to better regulate and supervise the risks arising from them.
In order to mitigate these risks, we formulated a number of designated directives to guide our supervised entities in different areas of operation including cyber risk, encryption of information, monitoring activity, strengthening of backup capabilities and guidance on using external consultants and training of employees.
The BSD has no legal power to directly supervise third-party service providers. This means that we have no mandate for gathering information or to perform on- or off-site examinations.
There are two fundamental questions in this regard: Should we have the authority to directly supervise third-party service providers? And if so, what should be the scope of the legal powers granted to us?
Even if we were to obtain the powers necessary to directly supervise third-party service providers, these are usually not valid when dealing with service providers that operate overseas.
In addition to this, country risks may also be associated with overseas service providers, for example, the nature of the regulatory regime and legal system. These two may affect the ability to access customer's data by the BSD or other relevant authorities in Israel (such as the Tax authority or law enforcement authorities).
A potential failure of one or more of the third-party service providers, or a disruption to their ability to provide services is always a concern, but when several local financial entities are depending on the same service providers for the provision of critical services, such potential failure poses a systemic risk and is what we call a "concentration risk". In Israel, where the 5 large banking groups account for 98% of the system, this could be a major concern.
In conclusion, I believe that in today’s reality, focusing on outsourcing and other related areas is inevitable. This, because banks and other financial institutions increase their use of technology, reliance and dependency on third-party providers, and because of the increase in complexity and inter-dependencies.
Despite the six areas that the BSD directive focuses on, we still have challenges to overcome. The most important one, in my opinion, is ensuring the stability of third-party service providers, whether by getting sufficient powers to supervise them or by some other means.
Thank you for the opportunity to share this with you.