New policy efforts in by Australian, US, UK, EU and International rule setters will widen the scope of regulatory oversight for financial institutions to include ‘how’ the business runs.
As we have seen with US Federal reserve consultation released this week, boards are on the hook for a holistic approach to ensuring their digital infrastructure is safe and secure.
JWG has found that the entire back office needs to be aligned on resilience (i.e., OpRes), supply chain risk mitigation (e.g., OpRisk, TPRM, Cyber) and technology governance (e.g., AI, Cyber, Cloud).
This article shines a spotlight on the the key shifts in regulatory focus and what this means to the firms’ regulators, board and their suppliers.
We have also published a ground-breaking paper ‘Managing Digital Infrastructure Risk’ based on 18 months of research which registrants can download free of charge below and discuss at our 7th annual conference which is taking place virtually on the 9th & 10th November.
A new regulatory focus
Over the past two decades regulators have rethought the nature of FS controls. Investor protection, AML, market transparency and balance sheet management have been subject to prescriptive obligations and reporting to supervisors.
Bloated rule books, Q&As and standards now address the fundamental question of ‘Who, trades, what?’ and regulations will continue to evolve to keep up with financial innovation in the digital age.
Yes, there have been previous attempts to consider these risks (e.g., BCP, Outsourcing) but the difference now is that the guidance has gotten very, very specific and new internal governance requirements spelt out in detail.
This means that some boards will be considering their joined up digital risk and answering questions that they may not have previously considered:
- Does this new digital strategy make the firm overly reliant on one cloud provider?
- How quickly can we plug in new applications without losing history / availability in the market?
- Is our choice of vendor, and the vendors they rely upon, Cyber-secure?
These questions may seem more mundane than the next killer product, but they are certain to occupy a growing share of the agenda over the next 24 months.
What the ‘how’ will mean
This fundamentally digital agenda is disrupting traditional compliance as:
- Global baseline obligations and their deltas by geography need to be understood along with their strategic implications (e.g., digital sovereignty obligations in China, EU)
- Regional/ local policies get more detailed and involve more functions (e.g., OpRisk, AI, Data privacy, OpRes)
- Businesses will need support to face-off to multiple digital regulators is required to cover how the approach for new sheriffs of TPRM, Cyber, Resilience, AI, Quantum, etc.
Sticking with these outdated methods to manage compliance could leave organisations exposed to larger risks, higher costs, and delayed timing.
Impending deadlines
This week the US Federal Reserve Bank issued a consultation on operational risk management in the Board’s Regulation HH which covers systemically important financial market utilities. It focuses on four areas: (1) review and testing, (2) incident management and notification, (3) business continuity management and planning, and (4) third-party risk management. This means that by year end the US could be ready to issue updated resilience rules that put the board on the hook for new resilience, cyber, operational risk and third party risk management.
Whilst the EU’s Digital Operational Resilience Act (DORA) is firmly in the implementation window for 2025, a new report from the Bank of International Settlements (BIS) points out that critical technology providers may need to be governed internationally. The BIS point out that traditional resilience policies focus on risk, business continuity and third-party management policies in isolation, not a single policy. See JWG’s article here for more context on how we wholeheartedly agree.
A summer discussion paper on CPS 230 from the Australian Prudential Regulation Authority (APRA) has proposed to do just that; subsuming 5 existing guidelines into a new standard. They propose an outcome-based approach to resilience and ensure that the board is not just ‘ultimately responsible’ but actually accountable for operational risk management. It is currently under consultation until 21st October 2022, with a finalised version expected in early 2023, enforcement following in January 2024.
We have updated our tracker in Exhibit 1 below.
Exhibit 1: September 2022 Infrastructure rule tracker update
Source: JWG analysis; RegDelta, 09/22.
A new view of risk
Simply put, technology risk management should move from the back-office to the board room, because while technology has always played an important role, Cloud-based connectivity means, it is quickly becoming core to the business itself.
As supply chains are not traditionally under direct regulatory supervision, this change in the landscape will be a big ask for firms.
It is no longer possible to isolate technology risk and leave it to the techies; instead, a comprehensive approach to technology, be it owned by the firm or outsourced, is required. Boards which can no longer mitigate the effect of losing a significant part of their infrastructure will need to focus on what ‘good looks like’ and hold their suppliers to it.
The new barrage of questions about the ‘how’ demand end-to-end controls over a web of complex obligations. To do this, firms will be required to digitize their approach to compliance. Traditional methods of the master spreadsheet that is on the SharePoint with a collection of policies will soon be challenged by regulators who want to know that global policies align with their specific mandate and jurisdictional requirements. In some jurisdictions, the consequences for having and incomplete answer can be quite dramatic.
In our Managing Digital Infrastructure risk paper (below) we present a view of the new dashboard which shows that compliance, data and risk functions need to work together to establish end to end controls. We look forward to your views on it!
Next steps
JWG will create a task force to solicit comments on this paper from regulators, regulated financial institutions, and suppliers to shape future plans. Please contact pj@jwg-it.eu if you would like to be involved.
The paper, along with a companion IT guide to Operational Resilience is available free of charge to JWG registrants.
If you do not have a JWG account register here.
Want to learn more? Please register for 2 November dinner in London or this panel at our virtual annual conference on 10 November.
Please contact Corrina Stokes if you would like more information.