Operational Resilience has been high on the radar of the UK’s Financial Services Regulators for a number of years. Conscious of the increasing use of third-party technology suppliers – as well as regulatory developments in the EU – the FCA and the Bank of England have been working with HM Treasury on a Policy Statement designed to mitigate the potential risks posed by these arrangements.
The Discussion Paper published by the BoE sets out three main ‘building blocks’ intended to strike a balance between the benefits that Critical Third Parties (CTPs) offer – including digital transformation, innovation, and better resilience than a firm’s own technology infrastructure – and the potential hazards. The FCA notes that the interconnected nature of technology use in financial services brings significant systemic risks that cannot be managed by firms alone, and which pose a danger to the supervisory authorities’ objectives.
Equivalent regulation within the EU has already been provisionally agreed; the Digital Operational Resilience Act (DORA) is designed to set a minimum – and improved – set of standards to mitigate information and communications technology risks within the financial sector. The proposed legislation introduces an oversight framework for CTPs. This very robust framework will be implemented across all EU member states; equivalency within the UK will be vital for firms working with EU firms or seeking to do business in the EU.
The Discussion Paper offers a timely reminder that the supervisory authorities hold firms accountable for their operational resilience – and this does not change if the firm relies on third-party support.
The potential measures include:
A framework for supervisory authorities to identify CTPs and put them forward for official designation by HMT.
A set of ‘minimum resilience standards’ for designated CTPs, covering the services they provide to firms. The standards would align with the operational resilience framework for firms and would include a requirement to develop and test ‘financial sector continuity playbooks’ to demonstrate and develop their ability to respond and recover from disruption that affects multiple firms simultaneously.
Introduction of a range of tools for testing the resilience of material services that CTPs provide to firms, including scenario testing, participation in sector-wide exercises, cyber resilience testing, and skilled person’s reviews of CTPs.
The Paper also sets out the proposed enforcement powers, which could include investigative powers, the right to request information, and the power to issue directions that require specific actions, such as following set recommendations and implementing restrictions on services. The regulator would also have the ability to make breaches public, impose limitations on the provision of services, prohibit the CTP from providing future services to a particular firm, and prohibit firms from receiving services from certain CTPs.
The risks that the new rules are looking to mitigate include the risk to individual firms from their growing dependency on third parties for services: if those services are disrupted, the resulting impact on the firm’s business, the risk of consumer harm, and the risk to the regulators’ objectives are all disproportionately high. There is also a potential risk arising from the “concentration in the provision of these services”, whether through:
Direct contractual arrangements between firms and FMIs on the one hand and third parties on the other; and/or
Indirect exposure through third parties’ supply chains and other forms of interconnectedness.
Although new legislation is some way from implementation, the Paper hints at specific areas of concern. In particular, the supervisory authorities are likely – based on the content of the Paper – to increase scrutiny not only of direct relationships, but also of supply chains. The Discussion Paper – along with the EU’s DORA – shows the direction of travel, and firms can use this as a roadmap to plan for the future.
The consultation closes on 23 December 2022.
We offer a number of online training courses that support operational resilience in your firm through preparing staff to understand and work within the FCA and other regulators’ rules and expectations.
Our Complaints Handling course provides all the skills needed to engage with the complainant, and to investigate, resolve and respond to complaints.
We also offer a Data Protection and Information Security course, which covers the background to the applicable legislation and how to avoid security breaches. Our Understanding Data Protection Regulation courses come in two options – one for front-line staff, and one for senior staff.
Our training is delivered online, so staff can complete the learning and assessment at their convenience – ideal for those who want to complete the course in their own time and return to it later to refresh their knowledge. Each course provides a certificate upon successful completion, allowing firms to track and record each user’s progress.
For large groups, we can offer a simplified enrolment service and pricing; simply email Robert.firstname.lastname@example.org.