ICAEW Financial Services Faculty talks to Deloitte about the implications of regulating third party service providers.
The UK government confirmed in June that it will extend the regulatory perimeter to include third parties critical to the financial services sector.
UK financial regulators will have direct oversight of third parties that provide increasingly critical infrastructure to financial services firms, such as cloud IT services.
In 2020, over 65% of financial services firms used the same four cloud providers for infrastructure, according to the Bank of England, meaning a failure in one of those firms could become systemic to the financial system.
The UK is going to release a discussion paper, while the EU is about to finalise a law called the Digital Operational Resilience Act (DORA) which includes a third-party oversight framework that will come into force in two years’ time.
Scott Martin and Valeria Gallo, Senior Managers in Deloitte’s EMEA Centre for Regulatory Strategy, and co-authors of a blog on the developments (UK to expand FS regulatory perimeter to capture critical third parties, Suchitra Nair, Valeria Gallo, Scott Martin (deloitte.com) told ICAEW that the forthcoming policy would bring clarity about standards to the market.
“This policy is aimed specifically at bringing critical third-party firms into direct oversight of financial services regulators.” said Gallo. “We don’t know yet what the exact criteria to be deemed critical third-party providers in the UK will be. More details will emerge in the coming months. However, it is widely expected that the largest Cloud providers will be in scope. While the new regime will give Critical Third Parties additional clarity about what is expected of them, being subject to supervisory oversight will also in some cases require more rigorous governance, risk management and compliance.”
The new oversight frameworks should help make the financial sector’s exposures to some third parties less risky, added Martin, but there are still the same risk management and operational resilience requirements from regulators on financial services firms.
“A really important distinction to draw is that regulators have been clear that this does not reduce the onus on firms to properly manage risk and third-party outsourcing, under the requirements that they have been putting in place over the past few years,” said Martin.
“Regulators don’t want firms to see this as trading off one regulatory regime for another, and they want firms to look at the risks arising from outsourcing, even if this is to a firm that will become overseen in these new frameworks.”
The prospect of a more regulated third-party environment could have added benefits for firms, said Gallo, including better information sharing and gathering.
“Critical Third Parties will need to provide UK regulators with information about the risks and resilience of any material services that they provide to the finance sector. Having to provide this information to regulators could potentially make Critical Third Parties less reluctant or better able than in the past to share it with financial services firms as well. Or, depending on the final rules, the regulators could compel them to do so.” Gallo told ICAEW.
This would make it easier for financial services firms to embed that information into their risk management. It should enrich and possibly make easier the information gathering and help their assessments too.
“Firms should be thinking about where this framework could lead to opportunities for added levels of assurance around their outsourcing, which may help them with the work they have to do around third party risk management, but also around operational resilience,” added Martin.
“With operational resilience, we have seen that in meeting the impact tolerances that firms have set, the third-party challenge is the most difficult that firms are facing. Being able to come up with new kinds of assurance is going to be important over the next three years for firms.”
“Where the oversight mechanism might make things like pooled testing and pooled auditing easier to do, financial services firms should be alert enough to spot these opportunities early and be able to work with their peers to develop those methods.”
“Regulators expect firms to develop these new methods themselves, so those who take the initiative to do so will benefit,” said Martin.
Under the EU legislation, third parties can apply for designation as critical, which could potentially influence third parties to seek regulatory approval for market advantage.
“Certain third parties might see being overseen as the gold standard in the industry. If third parties want to work with large financial services firms that take their third-party risk management seriously, then this could potentially be an attractive option,” said Martin.
Because of that clarity around standards, it could also encourage more competition, whether it’s new entrants to the market or otherwise and is a positive development in that sense.
UK financial regulators will have direct oversight of third parties that provide increasingly critical infrastructure to financial services firms, such as cloud IT services.
In 2020, over 65% of financial services firms used the same four cloud providers for infrastructure, according to the Bank of England, meaning a failure in one of those firms could become systemic to the financial system.
The UK is going to release a discussion paper, while the EU is about to finalise a law called the Digital Operational Resilience Act (DORA) which includes a third-party oversight framework that will come into force in two years’ time.
Scott Martin and Valeria Gallo, Senior Managers in Deloitte’s EMEA Centre for Regulatory Strategy, and co-authors of a blog on the developments (UK to expand FS regulatory perimeter to capture critical third parties, Suchitra Nair, Valeria Gallo, Scott Martin (deloitte.com) told ICAEW that the forthcoming policy would bring clarity about standards to the market.
“This policy is aimed specifically at bringing critical third-party firms into direct oversight of financial services regulators.” said Gallo. “We don’t know yet what the exact criteria to be deemed critical third-party providers in the UK will be. More details will emerge in the coming months. However, it is widely expected that the largest Cloud providers will be in scope. While the new regime will give Critical Third Parties additional clarity about what is expected of them, being subject to supervisory oversight will also in some cases require more rigorous governance, risk management and compliance.”
The new oversight frameworks should help make the financial sector’s exposures to some third parties less risky, added Martin, but there are still the same risk management and operational resilience requirements from regulators on financial services firms.
“A really important distinction to draw is that regulators have been clear that this does not reduce the onus on firms to properly manage risk and third-party outsourcing, under the requirements that they have been putting in place over the past few years,” said Martin.
“Regulators don’t want firms to see this as trading off one regulatory regime for another, and they want firms to look at the risks arising from outsourcing, even if this is to a firm that will become overseen in these new frameworks.”
Added benefits
The prospect of a more regulated third-party environment could have added benefits for firms, said Gallo, including better information sharing and gathering.
“Critical Third Parties will need to provide UK regulators with information about the risks and resilience of any material services that they provide to the finance sector. Having to provide this information to regulators could potentially make Critical Third Parties less reluctant or better able than in the past to share it with financial services firms as well. Or, depending on the final rules, the regulators could compel them to do so.” Gallo told ICAEW.
This would make it easier for financial services firms to embed that information into their risk management. It should enrich and possibly make easier the information gathering and help their assessments too.
“Firms should be thinking about where this framework could lead to opportunities for added levels of assurance around their outsourcing, which may help them with the work they have to do around third party risk management, but also around operational resilience,” added Martin.
“With operational resilience, we have seen that in meeting the impact tolerances that firms have set, the third-party challenge is the most difficult that firms are facing. Being able to come up with new kinds of assurance is going to be important over the next three years for firms.”
“Where the oversight mechanism might make things like pooled testing and pooled auditing easier to do, financial services firms should be alert enough to spot these opportunities early and be able to work with their peers to develop those methods.”
“Regulators expect firms to develop these new methods themselves, so those who take the initiative to do so will benefit,” said Martin.
Strategic advantages
Under the EU legislation, third parties can apply for designation as critical, which could potentially influence third parties to seek regulatory approval for market advantage.
“Certain third parties might see being overseen as the gold standard in the industry. If third parties want to work with large financial services firms that take their third-party risk management seriously, then this could potentially be an attractive option,” said Martin.
Because of that clarity around standards, it could also encourage more competition, whether it’s new entrants to the market or otherwise and is a positive development in that sense.