New UK and EU regulations are forcing banks to demand new controls from their suppliers. Not only do they now need a comprehensive view of how each supplier fits in, but they also need to know how to swap them out.
Senior managers across the bank should be working to establish plans now for these onerous new regimes. This article shines a spotlight on the massive collaborative effort required for regulators, regulated and suppliers make sense of new compliance needs for FS infrastructure.
JWG has published a ground-breaking paper ‘Managing Digital Infrastructure Risk’ based on 18 months of research which registrants can download free of charge here.
Operational Resilience in the UK and EU
The UK and EU are leading the charge to setting new standards in order to make firms accountable. In the UK, a Regulatory Discussion Paper on Operational Resilience was published in 2018 and it set the industry on the path to new controls that consider a wider range of non-financial risks throughout the supply chain in addition to operational risk specific to each institution.
In March 2021, a policy statement was released by the PRA looking at impact tolerances and outlining a range of obligations (see table 1) which include mapping, scenario testing and self-assessment questionnaires that address both operational resilience and cyber capabilities. It doesn’t, however set out specific metrics in which the PRA will be expecting firms to report against.
In contrast, the introduction of the Digital Operational Resilience Act (DORA) in the EU, which broadens the regulatory focus to include operational sustainability, is scheduled for 2023. This all-encompassing requirement imagines a situation in which a company manages system turbulence caused by unexpected events. Operational risks are areas that must be at the centre of a company’s operational resilience policy because they pose threats to operational resilience.
It goes above and beyond the scope of the UK to include technical standards on portability.
According to DORA’s Article 25, section 9, these standards will outline how businesses must “identify alternative solutions and develop transition plans enabling them to remove the contracted functions and the relevant data from the ICT third-party service provider and securely and integrally transfer them to alternative providers or reincorporate them in-house.”
Just as critically, it also demands the maintenance of a register for contractual arrangements with ICT third-party service providers.
We will soon have final DORA texts which have made the need for a “multi-vendor” strategy optional, but stress that concentration risk assessments will be necessary for all outsourcing agreements that support the performance of critical functions. This will not only be difficult, but it will also make it challenging to defend some operational model decisions to supervisors.
Deep contract transparency
Regulators will also be looking at how firms manage third parties through new reporting from firms. New UK and EU TPRM requirements demand firms’ disclosure of their outsourcing agreements, while the US policy is still in the early stages of development.
The European Central Bank’s Centralised Submission database, better known as CASPER, hosts up to 51 fields of contract-level information providing supply chain transparency for the first time.
UK regulatory plans suggest that the UK will follow suit later this year. A policy statement describing HM Treasury’s intentions to establish a crucial third-party regime allowing regulators to develop and enforce new resilience criteria was published in June 2022.
Material impacts and the path forward
The owners of the regulatory risk, i.e., the firms, will be the ones the supply chain will be looking to.
Collaboration will be essential since, regardless of size, one supplier will not be able to eliminate all regulatory risk for a company. Not only between the provider, the regulated, and the regulator, but also between the various internal functions within a company, including technology, data, risk, and compliance.
Ultimately, these functions will need to agree new requirements which could have a material impact on the supply chain:
- New contacts
- More planning
- Detailed exit strategies
- New certification
- New reporting
Both comprehensive standards and guidance on regulatory control requirements will be necessary to ensure compliance.
JWG will create a task force to solicit comments on this paper from regulators, regulated financial institutions, and suppliers to shape future plans. Please contact firstname.lastname@example.org if you would like to be involved.
The paper, along with a companion IT guide to Operational Resilience is available free of charge to JWG registrants.
If you do not have a JWG account register here.
Want to learn more? Please register for 2 November dinner in London or this panel at our virtual annual conference on 10 November.
Please contact Corrina Stokes if you would like more information.