JWG’s 2020 research has found that the financial services market exhibits an ever-growing blind spot: technology risk which lurks off balance sheet. High-profile outages at Google and Microsoft this month have underlined the issue for both regulator and regulated.
This point has not been lost on regulators who, in the middle of a pandemic, have introduced new obligations this year to ensure that the financial system itself can withstand IT disruptions and threats.
This article summarizes forthcoming regulatory obligations for the Cloud, the strategic questions they pose for Cloud Service Providers (CSPs) and what JWG analysts are doing to help – including our new 2021 survey on the industry’s Cloud Compliance Strategy.
What new Cloud regulation means to a financial institution
In a nutshell: in 2021, a Firm’s senior management faces critical questions about its Cloud Compliance strategy, and its suppliers will be under pressure to answer tougher questions about the transparency of their services, the substitutability of those services and how CSPs meet the new practices and standards which regulators are issuing across the globe.
The question of ‘what does good infrastructure look like?’ is far from settled in the minds of the regulator and the answer can change quickly. This month alone we have seen US regulators tackle Facebook, Europe revamp internet rules and the UK propose a new digital watchdog. Big penalties are clearly on the cards in the medium term.
This means that new strategies will be required in 2021 to hit the ever-moving bar which this patchwork of rules will set over the first half of this decade.
2021’s Shifting Cloud regulatory landscape
Europe’s proposed Digital Operational Resilience Act (DORA) would give competent authorities (e.g., ESMA, EBA) unrestricted access to IT providers so that they can supervise them directly. The proposals, which will be debated in 2021, would also give supervisors the ability to issue GDPR-like fines of 1% of the average daily worldwide turnover.
DORA is, however, just part of a patchwork of rules for firms operating in the UK and Europe. Europe and the UK have recently upgraded policies for 3rd party risk management and outsourcing. Both are headed down the path of establishing outsourcing registers, which will provide transparency to the regulator on what activity is being performed by whom. Importantly, it will also give the regulator a view of the dependencies between service providers to firms and where there is concentration risk in the system.
The three UK financial services regulators have also proposed strict new standards for ‘operational resilience.’ These standards require senior management to set risk tolerance for Cloud activity, establish clear governance, put in place scenario testing, and establish new contractual rights. The consultation process, delayed due to COVID, is also discussing the need for rigorous and documented self-assessment with certificates and reports from ‘third party certification’ agents. All of this activity would, of course, fall under the senior manager regime, which carries draconian fines or banishment from the industry for failure to manage one’s responsibilities.
As illustrated in the chart above, there is a clear divergence between the UK, EU and North American approaches. Interestingly, even the principles-based UK regulators have taken a much more prescriptive approach than the US or Canadian regulators. All global institutions will need to work out which regime’s obligations are the most onerous and look to ensure they meet a de minimis standard across the globe.
It could well be just a matter of time before risk frameworks and approaches are forced to align, however. The FSB discussion paper on Regulatory and Supervisory Issues Relating to Outsourcing and Third-Party Relationships has concluded:
“there is a common concern among responding authorities about the possibility of systemic risk arising from concentration in the provision of some outsourced and third-party services to FIs. … Where there is no appropriate mitigant in place, a major disruption, outage or failure at one of these third parties could create a single point of failure with potential adverse consequences for financial stability and/or the safety and soundness of multiple FIs.”
Your Cloud Compliance Strategy
Regulators and firms have accelerated their shift into the cloud due to COVID. This has helped to accelerate the emergence of new supervisory regimes for a firm’s oversight of the way IT is managed with higher standards, more transparency and tough penalty regimes.
Expectations for senior management of Investment Firms (firms) of all shapes and sizes are increasing as regulators are demanding proof that their Cloud strategy is thought out, plans are clear, controls in place, risks are measured, and the staff is trained.
Key Cloud Strategy questions
- What are my firm’s business goals for the use of Cloud?
- What data do we need to support those goals and who will need access?
- Where can workloads be performed, where can data be stored securely?
- What are our target costs?
- What risks do we need to manage?
In 2021, senior management will need to begin the process of answering these questions in language that aligns with new regulatory expectations.
A Cloud Compliance Strategy will need to address how decisions are made about which workloads are appropriately placed in which physical or virtual data center. This could mean new roles, committees, risk matrices and red tape.
Plans will need to be established to consider new feedback loops from the regulators, courts and the markets about the safety and soundness of CSP provision, and the acceptable risk tolerance. New definitions of ‘what good looks like’ will emerge as technical standards, Q&A and market guidance are formulated.
Staff will need to be brought up to speed on the risks they are expected to manage and given tools to do the job. This will mean there is a thirst for benchmarks and 3rd party opinion on how fit for purpose the operating models are.
However, whatever you decide for 2021, your Cloud compliance strategy will not be a single-bank outsourcing problem. Regulators are starting to awaken to the systemic risks from technology as described in the next section.
The Financial Services’ Cloud Compliance Obligations
As Thomson Reuters Regulatory Intelligence has pointed out, “We’re moving toward a world where the largest or most significantly regulated industry is running on unregulated infrastructure.”
Technological infrastructure and data have become systemic risks because firms are now risk information processors, producers and distributors. The data firms use to measure risk has itself become a critical asset. Firms’ and regulators’ use of Cloud to process, measure and distribute data will only rise, accruing more systemic risk.
Firms’ ability to manage data effectively, accurately and securely is intrinsic to its value and is linked to other actors. Essentially firms need to assure the integrity of the data and technology they use, otherwise their risk data will be meaningless and thus pose a systemic risk itself.
In all-data businesses like financial services, technical infrastructure is as critical as your inventory. Risk is inherent in the infrastructure itself and there are two increased levels of risk in the system right now. One is all the technology — like Cloud — that can solve business problems in exciting ways by introducing new infrastructure very quickly. The other is the regulators moving their controls to more digitally enabled and data-centric models.
All of this means there is a lot more at stake when a firm and its regulators are thinking about what infrastructure data sits on. When you look holistically at new technologies banks use, you realise there is a difference between regulating connected infrastructure and regulating the idiosyncratic risk of a financial institution.
The disconnect JWG have spotted is that data and infrastructure pose a new kind of risk and it is systemic and unaccounted for on the balance sheet. It is something we ought to look at and ought to measure in a standardised way across the globe.
We believe the ‘G’ in Environmental, Social and Governance (ESG) can be used to quantify third party supplier risks and create the incentives for firms to invest in technology that aligns with their corporate objectives.
Your Cloud Compliance Strategy Survey
JWG’s independent regulatory research team is pleased to now be launching the next stage of its RegTech Digital Integrity research program with a survey for financial institutions on their Cloud Compliance Strategy here.
This 21-question survey for investment firms explores current Cloud strategies, the challenge of new regulatory obligations from the US, Canada, Europe, UK and International policies, the capabilities required and medium-term priorities.
This survey builds on our highly successful RegTech 2.0 physical conference, which hosted an all-star panel with speakers from top firms, regulators and technology providers debating the systemic risks in FS technology infrastructure. A follow-up virtual roundtable in July, ‘Shining light on FS IT and data risk blind spots’, helped inform our July research report on Risk Control for a Digitized Financial Sector.