Regulators on both sides of the pond have long grappled with the issue of how to safeguard financial services from the risks of engaging external vendors, specifically CTPs (critical third parties). The Bank of England and the UK Financial Conduct Authority (FCA) have recently shared their concerns in a discussion paper on operational resilience.
The paper outlines how entrusting third parties with sensitive data can provide multiple benefits to organizations, adding to their own technology infrastructures and enabling digital transformation. This leads to efficiency gains, reduced costs, scalability, faster innovation, better customer outcomes, and improved operational resilience. However, the Bank cautions that outsourcing entails multiple risks. Difficulty in recovering or substituting a third party’s services following a disruption could have a systemic impact or, in extreme cases, threaten the whole UK financial system.
As the detail below explains, establishing which providers are defined as CTPs is a key part of the consultation. There can be no doubt that this will include the big cloud providers, about which regulators globally have been expressing concern over concentration risk: the effect on the sector if one of them were to be out of commission for any length of time, for whatever reason.
The Bank and FCA propose the following measures:
• A framework for identifying potential CTPs, which would inform the supervisory authorities’ recommendations for formal designation by HM Treasury.
• Minimum resilience standards, which would apply to the services that designated CTPs provide to firms and financial market infrastructure firms (FMIs).
• A framework for testing the resilience of material services that CTPs provide to firms and FMIs using a range of tools including, but not limited to, scenario testing, participation in sector-wide exercises, cyber resilience testing, and skilled persons reviews of CTPs.
The paper emphasizes that these measures would complement, not replace, firms’ existing responsibilities to manage risks from contracts with third parties.
“This is all part of a more general shift around the world towards bringing the key technology providers within the formal regulated perimeter. Financial firms must know their vendor better than ever and treat each as an extension of themselves. The UK’s approach is one that will be replicated globally. It will be fascinating to see what providers are deemed CTPs, but the same disciplines are going to be applied to all key vendors as this develops.”
Alex Viall, Director of Regulatory Intelligence at Global Relay.
The discussion paper follows the introduction of the Financial Services and Markets Bill to parliament on July 20, 2022. The Bill aims to keep the UK’s financial services sector competitive post-Brexit, with some commentators dubbing it a second “Big Bang” akin to the deregulation of the 1980s.
The Bank and FCA are currently inviting comments on the discussion paper. With many policies uncertain until Britain has a new Prime Minister, we will have to await the outcome of this discussion. It is also unlikely that the proposed Bill, if approved, will pass before 2023.
It has never been a more pertinent time for businesses in the financial and capital markets to assess their vendor risk management and ensure that electronic recordkeeping meets regulators’ requirements. Often the easiest way to do this is to have one vendor handle all stages of the process, from capture through storage, retention, and extraction of data.