FSR OUTLOOK 2023: Turning point: Third-party providers under growing scrutiny

In a nutshell:​

• Operational resilience frameworks are maturing, and regulators are considering the roles of third-party technology providers
• Policymakers need to create proportionate regimes, which effectively address risk, but are not overly burdensome
• The perimeter of any technology regime will be a key decision.

New oversight of critical third parties in the UK

The UK has been a "first mover" in taking steps to introduce a regulatory framework for operational resilience. Firms and Financial Market Infrastructure participants are required to identify their key services, set impact tolerances and document the support to those services, develop communication plans and, by April 2025, take action to remain within impact tolerances through severe but plausible disruption scenarios. Prior to this, the UK regulators were already willing to take enforcement action against firms that had failed to take reasonable steps to avoid severe operational disruption using broader regulatory powers.

With the new framework now in place, the Bank of England, Prudential Regulation Authority and Financial Conduct Authority have turned their attention to third-party providers. A July 2022 Discussion Paper set out how the regulators may use the new designation regime for third-party providers in respect of the material services they provide to the financial services sector. This new designation regime is set out in the Financial Services Markets Bill, which is currently making its way through Parliament. The new regime permits HM Treasury to designate providers to the financial services sector as critical third parties (CTPs) which will be subject to oversight (but not direct regulation) in respect of the material services they provide to the sector by the UK financial regulators (see our bulletin here).

The European approach under DORA

The EU is also considering how best to mitigate risks arising from the reliance of financial institutions on CTPs in its Digital Operational Resilience Act (DORA), which is now in the process of being finalised into a directive. Under the new regime, critical third-party ICT providers, such as cloud providers, are to be subject to an oversight framework (see our bulletin here).

Australia ramps up its scrutiny of more complex supply chains

In Australia, operational resilience has been an area of increasing focus for the Australian Prudential Regulation Authority (APRA). On 28 July 2022, APRA began a consultation on draft prudential standard CPS 230, which proposes to introduce a range of new requirements on APRA-regulated entities for managing operational risk and enhancing existing requirements for business continuity and service provider management.

APRA’s discussion paper identified three key trends:

1. Control failures: While some recent operational risk events were due to circumstances beyond the control of the industry, many others arose due to ineffective controls.
2. Customers' low tolerance for disruptions.
3. Increasing reliance on service providers: This is giving rise to longer, more complex supply chains and reliance on ‘fourth parties’.

In November 2021, the Australian Securities and Investments Commission (ASIC) released ASIC Report 708, which set out ASIC’s expectations for market operators and participants following its review of the market outage and other operational incidents that affected the Australian Securities Exchange (ASX) in the week of 16 November 2020. ASIC stated that it expected market operators and participants to consider how to facilitate trading via alternative venues during a market outage.

ASIC’s updated Market Integrity Rules for technological and operational resilience (CP 314) are also expected to come into effect on 10 March 2023.

Hong Kong/
Singapore

Hong Kong – Key operational resilience milestone approaches

The Hong Kong Monetary Authority (HKMA) recently set out its supervisory approach towards operational resilience, operational risk management policies and business continuity plans. Adopting a phased approach to implementation, 31 May 2023 is the first deadline for authorised institutions to have developed their operational resilience framework and determined the timeline by which they will have implemented the operational resilience framework, and become operationally resilient (see our bulletin here).

The HKMA has also recently issued guidance on cloud computing, noting its growing use and specific risks. The Securities and Futures Commission has issued guidance on the use of electronic data storage providers (EDSPs), although ensuring timely access to 'regulatory records' was a key area of focus, rather than oversight of the EDSPs themselves (see our bulletin here).

Singapore – Increased focus on critical business services

The Monetary Authority of Singapore (MAS) has recently updated its Guidelines on Business Continuity Management (BCM), which set out the need for financial institutions to take an end-to-end service-centric view in ensuring the continuous delivery of critical business services to their customers. In particular, there is a greater focus on the need for dependency mapping. The deadline for establishing a BCM audit plan is June 2023, with the first audit to be conducted by June 2024.