Wayne Scott of NCC Group explores what the latest financial services and third-party risk guidelines and proposals mean for businesses across the sector
In the midst of rapid digital transformation in the financial services sector, operational resilience is more critical than ever. Increasing reliance on third parties and outsourced IT solutions, combined with the risk of cyber threats and other sources of business interruption, has led to new approaches from regulatory bodies in the UK, Ireland, the EU, and the US.
Although specific regulatory requirements for IT outsourcing in the financial services sector vary by region and regulator, there is a strong correlation between them regarding third-party risk management and operational resilience.
Whether this is a traditional on-premise application or a cloud-hosted service, regulators equally stress the importance of protecting the continuity of service and testing this continuity accordingly. In this article, we explore what the latest guidelines and proposals released by regulators across the globe mean for businesses across the sector.
UK and Ireland
In response to the growing dependency on third-party technology solutions, the Prudential Regulation Authority (PRA) set out clear guidelines in its Supervisory Statement (SS) on IT Outsourcing and Third-Party Risk Management. Under SS2/21, firms are required to have internal continuity plans in place to rebuild outsourced services following the failure of a third-party arrangement. These internal continuity plans must give regulated firms the ability to bring the data, function, or service back in-house/on-premises and to transfer the data, function, or service to an alternative or backup service provider.
The PRA has been clear that software escrow is a practical solution to support compliance, and it stands to reason that that’s the case with the Central Bank of Ireland too—given their similarities when it comes to managing outsourced risk.
After publishing its final guidance on outsourcing at the end of 2021, the Central Bank of Ireland stipulates that a firm should ensure that legally binding agreements are in place with third parties. These written agreements should also detail how the critical services will be maintained during a disruption and should provide an exit strategy if/when the service cannot be maintained.
The Digital Operational Resilience Act (DORA) is a draft regulation published by the European Commission. It is part of the commission’s wider Digital Finance Strategy, which aims to support growth in digital finance and manage risk.
The demands around third-party technology risk are quite significant. The regulation introduces key requirements to be included in financial entities’ contracts governing the relationship with third parties. These include provisions on accessibility, availability, integrity, security, as well as guarantees for access, recovery, and return in case of failure of third-party service providers. The regulation also states that exit strategies should be determined and tested.
When it comes to third-party risk, these elements set out in DORA are the right areas to focus on. Software escrow agreements and verification tests with all third-party software suppliers address these requirements and should be managed by a trusted, independent software escrow agent. In addition, exit strategies—which DORA mandates—can easily be tested with your escrow provider.
In recent years, a range of agencies in the US have released guidance on managing the risks associated with third-party relationships. The Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (OCC) specifically focus on third-party risk and vendor management.
The proposed guidance offers a framework of risk management principles to assist banking organisations in managing the risks associated with third-party relationships. The guidance also makes clear that a banking organisation’s use of third parties does not diminish its responsibility to adhere to existing guidelines, and that it must be able to use third parties without affecting operational resilience.
Similar to the UK’s PRA rules and the EU’s Digital Operational Resilience Act (DORA) proposals, these US guidelines stipulate that exit strategies should be in place for all contracts. This is recommended in order to minimise the impact on business operations and give firms the ability to transition to alternative vendors (or bring services in-house) to mitigate risk in the event of contract defaults or termination.
The use of third parties and outsourcing arrangements isn’t a new concept, but regulatory scrutiny is increasing. As a result, we have seen a global shift in Third-Party Risk Management (TPRM) regulation.
Although the PRA is arguably taking the lead within Europe, the proposals and guidelines introduced by the Monetary Authority of Singapore (MAS), the Financial Stability Board (FSB) and the State Bank of Pakistan demonstrate that regulators are finally taking the non-technical risks presented by technology seriously.
While different organisations govern different business areas, many of the key principles across these guidelines overlap—and all are aimed at helping banking and financial services organisations to identify, assess and manage third-party IT risks.
To remain compliant, financial institutions should ensure they have pre-developed measures in place to maintain operational resilience in the event of a stressed exit scenario (i.e., failure or insolvency of the service provider, service deterioration and concentration risk), as well as plans for data recovery in line with specific regional regulations, helping to ensure that sensitive and customer data is kept safe.
One way to lower risk and maintain compliance is to store business-critical information in escrow. This means that information is stored securely and can easily be retrieved in the event of any issues, ensuring continuity and availability for customers and stakeholders.