Licence · 2026-02-08

HKMA Third-Party Concentration Risk Management for Banks: Oversight of Critical Service Providers


The Hong Kong Monetary Authority (HKMA) has sharpened its supervisory focus on how authorised institutions manage concentration risk arising from third-party service providers, particularly those deemed critical to banking operations. This shift follows a series of global and regional operational disruptions, including a major cloud service outage in 2024 that temporarily affected multiple Hong Kong banks, and the HKMA’s own thematic review of outsourcing and third-party risk management published in Q1 2025. The regulator’s message is clear: banks can no longer treat third-party concentration as a niche operational concern. It is now a board-level risk management issue with direct implications for capital adequacy, business continuity, and regulatory compliance.

For compliance officers and senior management at licensed banks, virtual banks, and proposed financial institutions, understanding the HKMA’s evolving expectations on concentration risk is not optional. The Supervisory Policy Manual (SPM) module SA-2, “Outsourcing of Material Business Activities,” and the more recent circular on “Management of Third-Party Concentration Risk” (HKMA, March 2025) provide the regulatory framework. This article breaks down the core requirements, the specific obligations for critical service providers, and the practical steps institutions must take to align with the HKMA’s current supervisory stance.

The Regulatory Foundation: SA-2 and the March 2025 Circular

The Shift from Outsourcing to Third-Party Concentration

The HKMA’s regulatory architecture for third-party risk has historically centred on the outsourcing of material business activities under SPM SA-2. This module, last updated in 2022, requires authorised institutions to conduct due diligence on service providers, establish contractual safeguards, and ensure the HKMA retains inspection rights. However, the March 2025 circular marks a significant expansion. The regulator now explicitly addresses concentration risk — the risk that an institution becomes overly dependent on a single third party or a small group of providers for critical functions.

The circular defines concentration risk in two dimensions: horizontal (across multiple institutions relying on the same provider) and vertical (within a single institution’s reliance on one provider for multiple services). The HKMA’s 2024 thematic review found that 68% of surveyed banks had not formally assessed horizontal concentration risk, and 41% lacked a documented concentration risk appetite statement. These figures, drawn from the HKMA’s own supervisory data, drove the March 2025 policy intervention.

Key Requirements Under the 2025 Circular

The circular imposes several specific obligations. First, authorised institutions must establish a concentration risk framework as part of their overall third-party risk management policy. This framework must include a concentration risk appetite statement approved by the board of directors. The statement should define acceptable thresholds for reliance on individual third parties, both in terms of revenue exposure and operational dependency.

Second, institutions must conduct an annual concentration risk assessment for all critical service providers. The HKMA defines a critical service provider as any third party whose failure or disruption would cause material financial loss, regulatory breach, or significant operational harm. This includes cloud service providers, core banking system vendors, payment processing platforms, and cybersecurity firms. The assessment must cover both direct and indirect concentration — for example, if a bank uses two cloud providers but both rely on the same underlying data centre, that constitutes indirect concentration.
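The direct-versus-indirect distinction above is easiest to see as a dependency graph: each critical service is delivered by a direct provider, and each provider has its own upstream dependencies (data centres, sub-processors). The following is an added illustration, not code from the HKMA or from any bank's framework; the service names, provider names and the 50% appetite threshold are constructed for the example. It walks the graph to find vertical concentration (one provider behind several services), indirect concentration (an upstream node sitting beneath two or more distinct direct providers, the "two clouds, one data centre" case), and any node whose share of critical services exceeds the board-approved appetite.

```python
from collections import defaultdict

# Constructed sample data (not from the circular): which direct provider delivers
# each critical service, and each provider's own upstream dependencies.
SERVICES = {
    "core-banking": "VendorA",
    "payments": "VendorA",
    "online-banking-hosting": "CloudX",
    "data-warehouse": "CloudY",
    "soc-monitoring": "SecFirmZ",
}

PROVIDER_DEPENDENCIES = {
    "VendorA": ["CloudX"],   # the core banking vendor hosts its platform on CloudX
    "CloudX": ["DC-HK-1"],   # both cloud providers sit in the same physical data centre
    "CloudY": ["DC-HK-1"],
    "SecFirmZ": ["DC-SG-2"],
}


def transitive_dependencies(node, deps):
    """All nodes reachable upstream from `node` (excluding itself); tolerates cycles."""
    seen, stack = set(), list(deps.get(node, []))
    while stack:
        current = stack.pop()
        if current in seen or current == node:
            continue
        seen.add(current)
        stack.extend(deps.get(current, []))
    return seen


def dependency_exposure(services, deps):
    """Map every node in the supply chain to the set of critical services that
    rely on it, whether directly or through an intermediate provider."""
    exposure = defaultdict(set)
    for service, provider in services.items():
        exposure[provider].add(service)
        for upstream in transitive_dependencies(provider, deps):
            exposure[upstream].add(service)
    return dict(exposure)


def vertical_concentration(services):
    """Direct providers that deliver more than one critical service."""
    by_provider = defaultdict(list)
    for service, provider in sorted(services.items()):
        by_provider[provider].append(service)
    return {p: s for p, s in by_provider.items() if len(s) > 1}


def indirect_concentration(services, deps):
    """Nodes that sit beneath two or more distinct direct providers (a direct
    provider counts as sitting beneath itself), with the services exposed to them."""
    providers_above = defaultdict(set)
    for provider in set(services.values()):
        providers_above[provider].add(provider)
        for upstream in transitive_dependencies(provider, deps):
            providers_above[upstream].add(provider)
    exposure = dependency_exposure(services, deps)
    return {node: exposure[node]
            for node, above in providers_above.items() if len(above) >= 2}


def appetite_breaches(services, deps, max_share):
    """Nodes whose share of all critical services exceeds the appetite `max_share`
    (a fraction, e.g. 0.5 for 'no single dependency behind more than half')."""
    total = len(services)
    exposure = dependency_exposure(services, deps)
    return {node: round(len(s) / total, 2)
            for node, s in exposure.items() if len(s) / total > max_share}


if __name__ == "__main__":
    print("vertical:", vertical_concentration(SERVICES))
    print("indirect:", indirect_concentration(SERVICES, PROVIDER_DEPENDENCIES))
    print("breaches at 50% appetite:",
          appetite_breaches(SERVICES, PROVIDER_DEPENDENCIES, 0.5))
```

On the sample data, VendorA is a vertical concentration (two services), while DC-HK-1 is an indirect concentration that no per-provider review would reveal: it underpins four of the five critical services through three different direct providers. CloudX also appears twice, once as a direct provider and once as VendorA's hosting platform, which is the kind of fourth-party dependency the enhanced due diligence is meant to surface.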

Third, the circular requires institutions to develop and maintain exit plans for each critical service provider. These plans must demonstrate that the institution can migrate to an alternative provider or bring the service in-house within a reasonable timeframe. The HKMA expects these plans to be tested through simulation exercises at least every two years.

Critical Service Providers: Enhanced Due Diligence and Ongoing Monitoring

Step 1: Identification and Classification

The first step in complying with the HKMA’s concentration risk requirements is identifying which third parties qualify as critical service providers. The March 2025 circular provides a non-exhaustive list of indicators, but the ultimate determination rests with each institution’s board and senior management. The HKMA’s expectation is that institutions adopt a conservative approach — if a provider’s failure would materially affect the institution’s ability to meet its regulatory obligations or serve its customers, that provider should be classified as critical.

The classification process must be documented and subject to annual review. The HKMA has stated that it will examine classification decisions during its on-site examinations. Institutions that classify too few providers as critical expose themselves to regulatory action. Conversely, over-classification without commensurate controls is also a concern, as it may indicate a lack of risk differentiation.

Step 2: Enhanced Due Diligence (EDD)

For each critical service provider, the institution must conduct enhanced due diligence that goes beyond the standard vendor assessment. The EDD must cover the following areas:

  • Financial resilience: The provider’s audited financial statements, credit ratings, and any indicators of financial distress. The HKMA expects institutions to monitor the provider’s debt levels, cash flow, and profitability on a quarterly basis.
  • Operational resilience: The provider’s business continuity and disaster recovery plans, including their own third-party dependencies. The institution must assess whether the provider’s recovery time objectives (RTOs) and recovery point objectives (RPOs) align with the institution’s own requirements.
  • Cybersecurity posture: The provider’s information security management system, including certifications such as ISO 27001, and any history of security incidents. The HKMA’s 2024 thematic review noted that 23% of surveyed banks had not obtained the provider’s latest security audit report.
  • Regulatory compliance: The provider’s compliance with applicable laws in its jurisdiction of incorporation and any jurisdictions where it processes the institution’s data. This is particularly relevant for cloud providers with global data centres.

Step 3: Ongoing Monitoring and Reporting

Once a provider is classified as critical, the institution must implement ongoing monitoring mechanisms. The March 2025 circular requires institutions to receive periodic reports from critical service providers on their operational performance, security incidents, and financial health. These reports must be reviewed by the institution’s risk management function at least quarterly.

The institution must also establish key risk indicators (KRIs) for each critical provider. Examples include the number of service outages, the duration of incidents, and the provider’s employee turnover rate. If any KRI breaches a pre-defined threshold, the institution must escalate the matter to its board or a designated risk committee within 48 hours.

The HKMA itself will conduct periodic thematic reviews of concentration risk across the banking sector. The first such review under the new framework is scheduled for Q4 2026. Institutions should expect the HKMA to request data on their top five critical service providers, including concentration exposure and exit plan status.

Board and Senior Management Responsibilities

The Board’s Role in Concentration Risk Governance

The HKMA’s March 2025 circular explicitly assigns responsibility for concentration risk to the board of directors. The board must approve the concentration risk appetite statement, review the annual concentration risk assessment, and ensure that adequate resources are allocated to third-party risk management. The HKMA’s expectation is that the board receives a report on concentration risk at least semi-annually.

Board members must also ensure that the institution’s concentration risk framework is integrated with its overall risk management framework. This means that concentration risk should be considered in the institution’s ICAAP (Internal Capital Adequacy Assessment Process) and stress testing scenarios. The HKMA has indicated that it will assess concentration risk as part of its Supervisory Review and Evaluation Process (SREP) from 2026 onwards.

Senior Management Accountability

Senior management, including the Chief Risk Officer (CRO) and the Head of Operational Risk, are responsible for implementing the board-approved framework. Specific duties include:

  • Establishing a dedicated third-party risk management team, or ensuring the existing team has sufficient expertise in concentration risk.
  • Developing the concentration risk appetite statement for board approval.
  • Conducting the annual concentration risk assessment and presenting findings to the board.
  • Ensuring that exit plans are developed, maintained, and tested.
  • Reporting any material concentration risk breaches to the HKMA within the timelines specified in the circular.

The HKMA has the power to impose supervisory measures if it determines that an institution’s concentration risk management is inadequate. These measures can include increased capital requirements, restrictions on new outsourcing arrangements, or directions to reduce exposure to specific providers. The March 2025 circular references the HKMA’s powers under section 63(2) of the Banking Ordinance (Cap. 155) to issue directions in the interests of depositors or the public.

Practical Compliance Steps for 2025-2026

Step 1: Conduct a Gap Analysis

Every authorised institution should begin by conducting a gap analysis against the March 2025 circular’s requirements. The analysis should compare the institution’s current third-party risk management framework with the specific obligations on concentration risk appetite, annual assessment, exit plans, and ongoing monitoring. The HKMA has not prescribed a specific template, but institutions should document their findings and develop a remediation plan with clear timelines.

Step 2: Update the Third-Party Risk Management Policy

The institution’s existing outsourcing and third-party risk management policy must be updated to include the concentration risk framework. The policy should define concentration risk, set out the process for identifying critical service providers, and establish the reporting lines for escalation. The board must formally approve the updated policy.

Step 3: Engage with Critical Service Providers

Institutions should proactively engage with their critical service providers to request the enhanced information required under the circular. This may require amending existing contracts to include provisions on reporting, audit rights, and exit support. The HKMA expects institutions to have contractual clauses that allow the institution to terminate the arrangement if the provider fails to meet concentration risk standards.

Step 4: Test Exit Plans

Exit plans are not static documents. The circular requires simulation exercises at least every two years. The first round of testing should be completed by the end of 2026. Institutions should document the test results, including any identified gaps, and update the exit plans accordingly.

Closing: Five Actionable Takeaways

  1. Treat the March 2025 circular as a binding supervisory expectation — the HKMA will incorporate concentration risk into its SREP assessments from 2026, and non-compliance may result in capital add-ons or operational restrictions.
  2. Classify critical service providers conservatively — if a provider’s failure would materially affect your institution’s operations or regulatory compliance, it is critical, and the full EDD and monitoring framework applies.
  3. Board approval is mandatory for the concentration risk appetite statement and the annual assessment — delegate this to a risk committee only with the board’s explicit authorisation.
  4. Exit plans must be tested, not just written — schedule simulation exercises for each critical provider by Q4 2026, and document the results for HKMA inspection.
  5. Engage legal counsel to review contracts with critical providers — ensure the agreements include audit rights, reporting obligations, and termination clauses that align with the HKMA’s expectations.

This does not constitute legal advice. Consult a solicitor for your specific case.