Regulators are set to take a more muscular approach to technology providers as operational resilience frameworks mature
In a nutshell:
The operational resilience framework is maturing, as regulators continue to develop new rules to enhance financial institutions' capacity to withstand severe disruptions. With ever more complex supply chains, focus is turning to the use of technology providers. Under the proposed UK and EU regimes, regulators will have oversight of critical third-party ICT providers. Recent guidance in Hong Kong and Singapore highlights the need for third-party risk management controls. However, at least in Hong Kong, focus has been more on access to data held by technology providers, rather than oversight of the providers themselves. In Australia, new standards are being proposed for service provider management.
We predict that 2023 will see the boundaries of regulatory oversight being pushed further.
New oversight of critical third parties in the UK
The UK has been a "first mover" in taking steps to introduce a regulatory framework for operational resilience. Firms and Financial Market Infrastructure participants are required to identify their key services, set impact tolerances and document the support to those services, develop communication plans and, by April 2025, take action to remain within impact tolerances through severe but plausible disruption scenarios. Prior to this, the UK regulators were already willing to take enforcement action against firms that had failed to take reasonable steps to avoid severe operational disruption using broader regulatory powers.
With the new framework now in place, the Bank of England, Prudential Regulation Authority and Financial Conduct Authority have turned their attention to third-party providers. A July 2022 Discussion Paper set out how the regulators may use the new designation regime for third-party providers in respect of the material services they provide to the financial services sector. This new designation regime is set out in the Financial Services Markets Bill, which is currently making its way through Parliament. The new regime permits HM Treasury to designate providers to the financial services sector as critical third parties (CTPs) which will be subject to oversight (but not direct regulation) in respect of the material services they provide to the sector by the UK financial regulators (see our bulletin here).
The European approach under DORA
The EU is also considering how best to mitigate risks arising from the reliance of financial institutions on CTPs in its Digital Operational Resilience Act (DORA), which is now in the process of being finalised into a directive. Under the new regime, critical third-party ICT providers, such as cloud providers, are to be subject to an oversight framework (see our bulletin here).
Australia ramps up its scrutiny of more complex supply chains
In Australia, operational resilience has been an area of increasing focus for the Australian Prudential Regulation Authority (APRA). On 28 July 2022, APRA began a consultation on draft prudential standard CPS 230, which proposes to introduce a range of new requirements on APRA-regulated entities for managing operational risk and enhancing existing requirements for business continuity and service provider management.
APRA’s discussion paper identified three key trends:
In November 2021, the Australian Securities and Investments Commission (ASIC) released ASIC Report 708, which set out ASIC’s expectations for market operators and participants following its review of the market outage and other operational incidents that affected the Australian Securities Exchange (ASX) in the week of 16 November 2020. ASIC stated that it expected market operators and participants to consider how to facilitate trading via alternative venues during a market outage.
ASIC’s updated Market Integrity Rules for technological and operational resilience (CP 314) are also expected to come into effect on 10 March 2023.
Hong Kong – Key operational resilience milestone approaches
The Hong Kong Monetary Authority (HKMA) recently set out its supervisory approach towards operational resilience, operational risk management policies and business continuity plans. Adopting a phased approach to implementation, 31 May 2023 is the first deadline for authorised institutions to have developed their operational resilience framework and determined the timeline by which they will have implemented that framework and become operationally resilient (see our bulletin here).
The HKMA has also recently issued guidance on cloud computing, noting its growing use and specific risks. The Securities and Futures Commission has issued guidance on the use of electronic data storage providers (EDSPs), although ensuring timely access to 'regulatory records' was a key area of focus, rather than oversight of the EDSPs themselves (see our bulletin here).
Singapore – Increased focus on critical business services
The Monetary Authority of Singapore (MAS) has recently updated its Guidelines on Business Continuity Management (BCM), which set out the need for financial institutions to take an end-to-end, service-centric view in ensuring the continuous delivery of critical business services to their customers. In particular, there is a greater focus on the need for dependency mapping. The deadline for establishing a BCM audit plan is June 2023, with the first audit to be conducted by June 2024.
The MAS has also recently released an information paper on operational risk management, specifically on the management of third-party arrangements. This follows thematic inspections conducted by MAS. While most banks had proper frameworks and processes to manage outsourcing arrangements, more could be done to identify the risks related to non-outsourcing agreements, and to develop proper control measures and response plans in relation to these non-outsourcing agreements.