This morning the Financial Stability Board (FSB) published a discussion paper, which seeks to facilitate a broad discussion on current regulatory and supervisory approaches to the management of outsourcing and third-party risks.
The paper doesn't propose any specific principles or standards, but it is interesting in that it identifies a number of potential risks arising from the use of outsourcing by financial institutions. Clearly it is not a new phenomenon for financial institutions to outsource aspects of their operations - they have been doing so for decades - but one of the concerns raised by the FSB is that outsourcing can lead to systemic risk in circumstances where multiple financial institutions rely on the same service provider.
It's not difficult to envisage, for example, systemic dependence for certain technological solutions on a small number of providers, or even one or two quasi-utility providers: think of cloud services as an obvious example.
There are tricky questions as to whether the systemic risk arising from such a concentration is best managed by the financial institutions involved or by their regulators. If the former, how should associated concerns around anti-competitive collaborations and other behaviours be addressed? If the latter, from where should these powers come and how should they be framed? It also raises the broader question of whether systemically important outsourced service providers should themselves be regulated and supervised.
The management of the risks of outsourcing is well known to financial institutions, given that they remain responsible for the services they provide regardless of whether operationally those services are supported or provided by third parties. Associated systemic risk is clearly now an additional risk to be weighed and managed, but is it realistic to expect an institution to manage effectively a risk that by its nature arises and exists beyond the walls of the institution itself?