The European Commission launched a consultation in December 2019 on the increasingly important theme of ‘operational resilience’ in financial services as part of its EU Digital Finance Strategy.
Over recent years, the financial services industry has come to be increasingly defined by, and reliant upon, new technologies and systems. Alongside the opportunities afforded by the increased use of technology, regulators are increasingly aware of the growing threat of disruption caused by technology outages and cyber-attacks.
The Commission paper on a ‘Digital Operational Resilience Framework for financial services’ is less developed than similar consultations by UK regulators in 2019 but nevertheless contains important indicators on the potential EU-level approach to tackling these risks. Possible policy approaches that the Commission appears to be considering include bringing technology providers to the financial services sector (or certain of them) under direct regulatory supervision, and introducing constraints on the exposures that financial institutions are permitted to have to particular providers. The consultation is open for response until 16 March 2020. Technology providers should consider responding to the consultation to help inform and shape the debate on these important proposals.
Impact on Technology Firms
The Commission paper is built around 4 ‘building blocks’ for operational resilience, including (1) improvements to ICT security and incident management across different pieces of EU financial services legislation, (2) harmonisation of ICT reporting requirements, (3) a new operational resilience testing framework and (4) the controversial proposal of a new oversight regime for critical ICT third-party providers.
Whilst the proposals are mainly of relevance to financial services firms, the proposals around oversight of critical ICT third party providers represent a major shift in approach to the regulation of the provision of IT services to financial services firms in Europe.
Concerns over arrangements which ‘relocate’ operational, ICT, security, governance and even reputational risks to unregulated third party IT providers have led the Commission to propose the introduction of an oversight regime for these parties. Moves toward regulation appear to be a common direction of travel across Europe. For example, similar comments around the need for regulation of the providers of cloud services to financial services firms have also been made by the Treasury Committee in the UK as part of its report on IT failures.
Questions posed by the Commission in the consultation include: (a) whether the oversight regime should apply only to critical providers or also to other ICT providers, (b) how “criticality” should be assessed, (c) who should supervise ICT providers, and (d) whether issues such as data portability, exit strategies and fair contractual practices should form part of the oversight regime. Oversight may be limited to non-binding guidelines, but the paper also asks whether binding tools such as sanctions or enforcement action should be included.
These proposals are at an early stage and ask wide-ranging questions about how the regime may look in the future. However, it seems clear that the traditional approach of flowing down contractual requirements to technology providers may not go far enough to alleviate the regulator’s concerns over resilience risks and some form of oversight – whether by regulators or through non-binding guidance – is increasingly likely.
Alongside the headline comments around oversight, the Commission paper also focuses on concentration risk, particularly the risks arising from the availability of ICT third-party providers, their substitutability and the portability of data between them. Solutions proposed in the paper include diversification strategies (e.g. mandatory or voluntary rotation mechanisms), mandatory multi-provider approaches or limits on exposure to providers. Again, the proposals are high-level and do not go into detail about how these solutions would, or could, work in practice. Concerns around these proposals include whether mandatory rotation of providers may actually increase the risk of IT outages and how data portability would work in practice. The potential risks and practical concerns (e.g. around costs) need to be carefully considered to ensure that the final proposals are workable for both financial services firms and technology providers.
Finally, the Commission is looking again at contractual negotiations with IT providers. As well as suggesting that fair contractual practices should come within the scope of any oversight regime, the consultation asks whether standard contractual clauses could be introduced for outsourcing arrangements. The suggestion appears to be that these would be voluntary, but if standard clauses were published at an EU level, financial services firms would be likely to push back on technology providers who propose terms that deviate from those standards. It is not yet clear how practical any standard clauses could be, given the wide range of services outsourced by financial services firms, or whether they would apply to all outsourcing arrangements.
The issue of operational resilience will continue to be a major theme in financial services over the coming years and both financial services firms and technology providers can expect increased scrutiny of third-party arrangements and the risks these pose to the resilience of financial services firms and to financial stability more broadly.
As reliance on technology in financial services continues to increase, the trend toward greater scrutiny of technology providers is likely to continue and form an important part of the EU Digital Finance Strategy.