Both the EU and the UK are taking steps to enhance the rules in the financial services sector to add a new layer of direct regulation for key technology providers to banks and other regulated financial services institutions – especially in relation to operational resilience.
The financial services (FS) sector relies extensively and increasingly on information and communications technology (ICT), including hardware, software, cloud hosting, digital operations, AI, chatbots, blockchain, and outsourcing. This reliance has been further accelerated in response to the COVID-19 pandemic and remote working, and continues to grow as banks and other FS institutions continue to be willing adopters of new technology platforms.
Regulators of FS businesses have acknowledged for years that ICT risks pose a challenge to the operational resilience and stability of financial systems, especially as, in many service and technology sectors, there is ever-greater concentration risk. For example, the UK Treasury (HMT) noted in its 2022 policy statement that, as of 2020, over 65% of UK financial services firms used the same four cloud service providers (CSPs) for cloud infrastructure services. The growing dependency on, and concentration towards, a few third parties for the provision of these services means failure of one “critical” third party could result in cascading negative impacts across the functioning of the entire FS sector.
The regulatory framework affecting the delivery of services to regulated FS institutions (e.g., banks, insurance companies) (“Firms”) by ICT service providers (ICT SPs) has applied indirectly for many years. However, the current EU and UK regulatory proposals will overlay direct regulatory oversight on (and possible intervention and enforcement against) certain ICT SPs.
Existing Indirect Regime
In the UK, the Financial Conduct Authority (FCA) has previously issued guidance to UK-regulated Firms on the use of third-party outsourcing solutions and, since 2016, on the use of cloud computing solutions to implement technology services or operations. However, all previous guidance was directed at regulated Firms, and not at ICT SPs or CSPs themselves (although, of course, in practice, ICT SPs or CSPs had to be aware of the regulatory requirements that their FS clients would have to comply with, especially in terms of flow-downs to the contracts between an FS client and an ICT SP).
The FCA, the Prudential Regulation Authority, and the Bank of England may also impose indirect obligations on third parties by requiring Firms to incorporate resilience requirements in ICT and outsourcing contracts. However, enforcing indirect contractual obligations is difficult in practice and, given that a small number of ICT SPs dominate the market, negotiating terms or finding alternative providers is also difficult.
Similarly, in the EU, the European Banking Authority has issued guidelines on outsourcing arrangements (the “EBA Guidelines”), which set out specific requirements that external agreements for critical or important functions must meet, including that an ICT SP must grant the Firm and its competent regulators full access and information rights and unrestricted audit rights, so that the Firm can monitor the outsourcing/ICT arrangement and ensure compliance with all applicable regulatory and contractual requirements.
The Changes ‒ EU
To harmonise digital operational resilience rules for FS organisations in the EU (and replace a currently fragmented regulatory landscape), the European Commission proposed a regulation on digital operational resilience for the FS sector (DORA) in September 2020. Digital operational resilience refers to the ability to withstand all types of ICT-related disruptions and threats, including cyber-attacks. DORA is designed to consolidate and upgrade ICT risk requirements throughout the EU FS sector to ensure that FS system participants are subject to a common set of rules to mitigate ICT risks for their operations. DORA proposes a single set of overriding mandatory rules to set a high common standard across the EU FS system.
DORA will be enforced alongside the existing EBA Guidelines. It is currently understood that the EBA Guidelines will not be repealed but will be revised to reflect the requirements under DORA.
DORA will impose several obligations on Firms including, among others, maintaining internal governance and control frameworks to effectively manage ICT risks and establishing and implementing an ICT-related incident management process. DORA will also require that contracts with ICT SPs include at least certain listed minimum requirements (the so-called “Article 27 list”).
Importantly, DORA will bring critical ICT SPs directly within the scope of supervision by the European Supervisory Authorities (ESAs). The ESAs will be tasked with designating certain ICT SPs as critical, taking into account the systemic impact of the services, the systemic importance of the beneficiaries of the services, critical or important functions, substitutability, and the number of EU member states involved.
Under the oversight framework, the ESAs will designate a lead overseer for each critical ICT SP, which will perform annual, tailored assessments of the critical ICT SPs assigned to it. A critical ICT SP will be required to:
- Establish comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements to manage the ICT risks which they may pose to financial entities; and
- Pay fees to the lead overseer that cover the regulator’s costs and are proportionate to the provider’s turnover.
The lead overseers will have wide powers to issue information requests and obtain access to documents, carry out on-site inspections, issue recommendations and instructions, and require remedial actions. For non-compliance, lead overseers may impose turnover-based periodic penalty payments on critical ICT SPs (a daily penalty of 1% of the provider’s average daily worldwide turnover in the preceding business year, which can run for up to six months).
One positive change that will come from DORA across the EU will be that it can replace EU member state national regulatory initiatives (e.g., on digital operational resilience testing) and supervisory approaches (e.g., addressing ICT third-party dependencies) and provide a single harmonised regulatory approach across the EU.
The Changes ‒ UK
The UK has introduced provisions in the Financial Services and Markets Bill (the “Bill”) that aim to reform the UK’s regulatory framework for financial services and include, for example, measures that mirror DORA in establishing a regime for the designation of critical third-party service providers (CTPs) in the UK FS sector.
The Bill will grant the UK FS regulators direct oversight over CTPs and allow the regulators to intervene to raise the standards for digital operational resilience of the services provided to the FS sector and reduce the risk of systemic disruption, whilst recognising the benefits of ICT, outsourcing, and other technology platforms.
As under DORA, certain third-party service providers will be designated as critical. In the UK, HMT will make the designation, based on the materiality of the services provided and the concentration (by number and type) of Firms to which the third party provides services. In practice, designation will typically follow a recommendation from the regulators.
The Bill will give the FS regulators powers to: (a) establish rules applying to CTPs, including minimum resilience standards and resilience testing in respect of any material services that they provide to UK-regulated Firms; (b) give directions to CTPs, including the power to direct CTPs to take or refrain from taking specific actions; (c) gather information from CTPs, including the appointment of a “skilled person” to investigate potential contraventions of requirements; and (d) undertake enforcement action.
The FS regulators have published a discussion paper (the “Paper”) setting out how they would exercise the powers in practice, and how they would make recommendations to HMT on potential CTPs. The potential measures comprise three main building blocks: (1) a framework for the regulators to identify and recommend potential CTPs for formal designation; (2) minimum resilience standards for designated CTPs in respect of material services they provide to UK-regulated Firms; and (3) a range of tools for testing the resilience of material services that CTPs provide to UK-regulated Firms.
Of course, CTPs will not be required to comply with DORA in relation to their UK operations. But, in practice, many (if not most) UK-regulated Firms and ICT SPs will want to operate both within the UK and the EU, and will therefore need to satisfy both regulatory regimes.
The risk to service providers in the UK may be less than under DORA, given the UK’s desire to encourage investment by Big Tech in the UK and the UK government’s signals of a lighter-touch regulatory approach to the FS sector (e.g., the UK government’s announcement of plans to step away from the EU-derived limit on bankers’ bonuses).
In fact, the Paper notes that CTPs are likely to comprise a very small percentage of the total number of third parties providing services to UK Firms. However, the Paper does identify that certain service providers (such as the major CSPs) could be particularly likely to be considered for designation. In the future, the Paper adds that certain third parties providing data and artificial intelligence or machine learning models could emerge as future potential CTPs, as a result of the increasing use of these data and models in trading systems.
Next Steps to Consider
For service providers, it will be important to review the requirements imposed by regulators’ guidance and to assess the risk of being deemed a CTP in relation to market segments of the FS sector (and thus being exposed to direct regulation for the first time). Service providers should also assess incremental regulatory risk arising from acquisitions that may lead to future designation as a CTP. If either regime is applicable, service providers will need to be aware of the current and future regulatory oversight risks and consider contractual arrangements with Firms that will need to include safeguards relating to minimum resilience standards.
For the Firms, the proposed regimes are complementary to existing risk management and resilience obligations. By requiring service providers to also meet resilience standards, Firms may obtain some assurance that they are meeting their own resilience obligations in respect of their arrangements with third parties. Moreover, the regulators’ powers to impose conditions on service providers’ services may help to strengthen the bargaining power of Firms in contract negotiations.
Harry Anderson, a trainee solicitor in our London office, contributed to the drafting of this Client Alert.