UK regulators and the European Commission separately launched consultations in December 2019 on the increasingly important theme of ‘operational resilience’ in financial services. Whilst EU regulators have traditionally focused on capital and liquidity risks when thinking about resilience of the financial sector, the shift towards an increasingly technology-reliant financial sector, and the high-profile IT outages and cyber-attacks that come with it, has increased the focus on other risks to the stability of financial services firms.
Whilst the PRA and FCA papers from 2019 propose specific rules for firms on operational resilience, the Commission consultation on a ‘Digital Operational Resilience Framework for financial services’ is less developed and sets out more high-level considerations for a new framework. Despite the high-level nature of the Commission consultation, it nevertheless contains important indicators of the potential EU-level approach to tackling operational resilience risks. Although the scope of the new proposals is not made explicit in the Commission consultation, the indication from the consultation is that the digital operational resilience framework will apply to all firms across the EU financial sector, ranging from payment services and e-money firms to credit institutions, insurers and fund managers, referred to below as financial services firms.
For most financial services firms the proposals put forward by the Commission do not appear revolutionary on first reading. The attempt to harmonise legislation across the financial services sectors to ensure a minimum standard of information and communications technology (“ICT”) security and risk management would bring more dated EU legislation in line with newer legislation (e.g. the Second Payment Services Directive), which has already introduced requirements in these areas. The desire to harmonise ICT incident reporting and develop an operational resilience framework also appears to be a logical extension of existing supervisory frameworks. It is the proposal for better oversight of critical ICT third-party providers which seems most controversial, but even this proposal seems, at first glance, to have most impact on technology firms.
However, the questions posed by the Commission in the consultation indicate a potentially significant change in approach to the issue of operational resilience. We have set out below four issues arising out of the Commission proposals which may have the most impact on in-scope firms as the final proposals take shape.
- Individual accountability – As part of the discussion on harmonised ICT security and governance requirements across the sector, the Commission’s questions focus on Board and senior management support for operational resilience. Whilst the UK has an advanced individual accountability regime, to date individual accountability has not formed part of the EU regulatory and supervisory framework. The focus on Board and senior management involvement in ensuring operational resilience may indicate a shift towards increased expectations on management in tackling these threats.
- Testing frameworks – The consultation proposes the introduction of a coherent testing framework across EU financial sectors and proposes that this type of framework may create a single market for intelligence and test providers. Questions posed by the Commission include whether testers should be certified and whether tests run outside of the EU should be recognised as ‘equivalent’. It seems that the Commission is considering more than a set of guidelines for a testing framework and that firms may find themselves needing to rely on certified EU intelligence and test providers to meet new rules. For firms with non-EU providers of services, or for large groups relying on third-party providers globally, this may pose practical difficulties in meeting any testing requirements.
- EU level testing – The proposal on introducing a coherent testing framework also suggests that the Commission may look to centralise supervision and oversight of testing at the EU level. The consultation asks whether ‘significant’ firms should be identified at the EU level and be subject to more advanced testing (e.g., threat led penetration testing) and proposes criteria for assessing significance. Firms should view these proposals in the context of an increased push for centralised supervision and should note that implementation of this proposal may result in greater numbers of financial institutions coming in-scope of EU supervisory powers.
- Concentration risk – Whilst technology firms will be understandably focused on the proposal for an oversight regime for third-party providers, financial services firms should carefully review the proposals being put forward as ‘solutions’ to address concentration risk. Proposals include diversification strategies (e.g. mandatory rotation mechanisms), mandatory multi-provider approaches or limits on exposure to providers. Concerns around these proposals include whether mandatory rotation of providers may actually increase the risk of IT outages and how data portability would work in practice. The potential costs, risks and practical concerns over implementation of these solutions need to be carefully considered and flagged to ensure that the final proposals are workable for the industry.
As mentioned above, the consultation also focuses on better oversight of critical ICT third-party providers. This proposal seems generally positive for financial services firms, who will be able to rely on a more formal regulatory regime for oversight of IT providers rather than relying on contractual arrangements to hold third-party providers to account, although there may be unforeseen consequences – e.g. an increased cost of services provided to regulated firms. Currently there is a lack of clarity on the scope of the new regime and on how enforcement and supervision will operate in practice. Whilst we can expect to see increased scrutiny of third-party IT providers, and of the use of such providers by financial services firms, we expect significant push-back against a formal oversight regime and it remains to be seen how far the final proposals will go on this point.
These are only some of the issues raised in the consultation, which poses wide-ranging questions on the EU approach to tackling operational resilience. The issue of operational resilience will continue to be a major theme in financial services over the coming years and both financial services firms and technology providers can expect increased scrutiny of third-party arrangements and the risks these pose to the resilience of financial services firms and to financial stability more broadly. Although the final proposals are not likely to come into effect before the end of the Brexit implementation period, given the current scrutiny on operational resilience in the UK, any divergence is likely to be focused on specific rules, rather than the general approach.
The Commission proposals are currently in early stages, with the consultation open until 16 March 2020. Firms should be reviewing the consultation and should consider responding before this date to help shape the future EU approach to these issues.