The Financial Stability Institute (FSI) of the Bank for International Settlements published a brief paper that examines the macro-prudential concerns of operational resilience with respect to cloud service providers and big tech firms and offers ideas on how to address these concerns. One of these ideas involves appointing a supervisory authority and establishing an international regulatory and supervisory regime for firms offering critical services beyond a minimum threshold.
The paper notes that the interconnected use of technologies within the financial ecosystem can affect operational resilience at the system level. Thus, it is not enough to assess and monitor the operational resilience of individual firms. Authorities need to adopt a macro-prudential perspective when addressing risks of operational disruptions in the provision of financial services. Assessment of operational resilience at the system level could, for example, involve objective metrics such as the number of technology firms providing critical services or number of systemically important financial institutions (SIFIs) or financial market infrastructures (FMIs) relying on the services of a big tech. The macro-prudential approach would be particularly appropriate in two different but related domains: one is the use of critical services, such as cloud computing services, and the other is the provision, by big tech firms, of both technological services (like cloud computing) to regulated entities and a diversity of financial services to the public. From a macro-prudential perspective, all firms—including SIFIs and FMIs—using the same cloud provider leads to systemic risk, which can result in severe consequences to the financial system in case of an operational disruption on the cloud provider. The paper then discusses a range of options to potentially address this issue:
- The first option is to require all financial firms, including SIFIs and FMIs, that acquire technology services, such as cloud computing services, from critical third-party providers to assess the potential implications for their operational resilience. This is the prevalent regulatory approach, whose main drawback is that system-wide operational resilience basically hinges on assessments of individual firms. It is uncertain whether firms would have the right incentives and the means to perform thorough assessments of the risks posed by their interactions with critical third-party providers, not to mention that all firms performing their own audit of the same providers could be vastly inefficient. It remains to be seen whether collaboration across financial firms (as in pooled audits) would address these issues.
- The second option is a variation of the first one but would require financial firms to use a multi-provider strategy. This strategy involves the use of two or more providers for each critical service, such as cloud computing services, and requires planning for business applications to be portable between multiple providers. This option has the same drawback as the first option, as assessment of the operational resilience of the third parties would be left to individual firms. It requires firms to take on additional costs to run the same services, could make the process of cloud configuration more challenging, may magnify the risk of misconfiguration if the providers use proprietary security standards and protocols, potentially leading to security and data breaches.
- The third, and extreme, option is to disallow SIFIS and FMIs from relying on third-party providers. However, this could just distract SIFIs and FMIs from their main functions, which could have implications for their operations. In addition, an operational disruption in an in-house SIFI/FMI ICT infrastructure would still have a systemic impact. While this option may be theoretically possible, it would negate the enhancements in operational resilience that individual firms have achieved with the help of third-party providers.
- The fourth option is to expand the reach of regulation to critical third-party providers in the financial system, such as cloud service providers. This is what DORA proposes and what the UK envisions in its policy statement and discussion paper on critical third parties. In practical terms, technology service providers should only be able to offer their services to any financial firm if they comply with regulatory requirements. A disadvantage of this approach is that having financial authorities put their “stamp of approval” on third-party service providers assumes that they are better than financial firms at making such assessments, though this may not necessarily be the case. This issue could be addressed by having joint assessments by different government bodies (for example, in addition to financial authorities, those in charge of ICT, cyber security, and data protection). More importantly, as seen in the case of DORA and depending on the regulatory regime, the adoption of this approach may require critical providers to establish in each jurisdiction a legal entity that would be responsible for ensuring compliance with the relevant regulation in that jurisdiction. That looks largely inefficient, not only for critical providers, which typically have a global and multi-sectoral scope of activities, but also for internationally active financial firms.
The paper notes the several ways in which authorities may address risks to operational resilience posed by third-party technology providers. It notes that there may be an argument for subjecting these technology providers, particularly the critical ones, to a new oversight framework. For big tech groups that conduct diverse activities and are subject to significant internal interdependencies, there is a rationale for also considering establishing group-wide requirements on operational resilience for those entities. Given that the provision of cloud services is largely concentrated in a few global technology companies, the aforementioned fourth option can be further tweaked to address the inefficiencies arising from having to comply with regulations in individual jurisdictions, which potentially could vary widely. A more effective line of action could be the establishment of an international regulatory and supervisory regime. The former could be achieved by developing specific international standards for firms offering critical services beyond a minimum threshold. The latter might require the appointment of a leading supervisory authority for each critical provider and the creation of multi-country supervisory colleges. Aside from addressing inefficiencies, cross-border oversight is also necessary given the potential global impact of a failure of some of these critical third-party providers.
Keywords: International, Banking, Suptech, Regtech, Cloud Computing, Critical Service Providers, Bigtech, Systemic Risk, FMI, Third-Party Arrangements, Operational Resilience, BIS, FSI
Across 35 years in banking, Blake has gained deep insights into the inner working of this sector. Over the last two decades, Blake has been an Operating Committee member, leading teams and executing strategies in Credit and Enterprise Risk as well as Line of Business. His focus over this time has been primarily Commercial/Corporate with particular emphasis on CRE. Blake has spent most of his career with large and mid-size banks. Blake joined Moody’s Analytics in 2021 after leading the transformation of the credit approval and reporting process at a $25 billion bank.
The European Banking Authority (EBA) published the final draft regulatory technical standards specifying and, where relevant, calibrating the minimum performance-related triggers for simple.
The European Central Bank (ECB) is undertaking the integrated reporting framework (IReF) project to integrate statistical requirements for banks into a standardized reporting framework that would be applicable across the euro area and adopted by authorities in other EU member states.
The Basel Committee on Banking Supervision met, shortly after a gathering of the Group of Central Bank Governors and Heads of Supervision (GHOS), the oversight body of BCBS.
The International Organization of Securities Commissions (IOSCO) welcomed the work of the international audit and assurance standard setters—the International Auditing and Assurance Standards Board (IAASB)
The European Banking Authority (EBA) has been awarded the top European Standard for its environmental performance under the European Eco-Management and Audit Scheme (EMAS).
The Monetary Authority of Singapore (MAS) set out the Financial Services Industry Transformation Map 2025 and, in collaboration with the SGX Group, launched ESGenome.
The Bank of England (BoE) published a Statistical Notice (2022/18), which informs that due to the Bank Holiday granted for Her Majesty Queen Elizabeth II’s State Funeral on Monday September 19, 2022.
The French Prudential Control and Resolution Authority (ACPR) announced that the European Banking Authority (EBA) has updated its filing rules and the implementation dates for certain modules of the EBA reporting framework 3.2.
The European Central Bank (ECB) published a paper that examines how credit rating agencies accepted by the Eurosystem, as part of the Eurosystem Credit Assessment Framework (ECAF)
The Australian Prudential Regulation Authority (APRA) announced reduction in the aggregate Committed Liquidity Facility (CLF) for authorized deposit-taking entities to ~USD 33 billion on September 01, 2022.