FSI Paper Suggests Global Regime for Critical Service Providers

The paper notes that the interconnected use of technologies within the financial ecosystem can affect operational resilience at the system level. Thus, it is not enough to assess and monitor the operational resilience of individual firms. Authorities need to adopt a macro-prudential perspective when addressing risks of operational disruptions in the provision of financial services. Assessment of operational resilience at the system level could, for example, involve objective metrics such as the number of technology firms providing critical services or number of systemically important financial institutions (SIFIs) or financial market infrastructures (FMIs) relying on the services of a big tech. The macro-prudential approach would be particularly appropriate in two different but related domains: one is the use of critical services, such as cloud computing services, and the other is the provision, by big tech firms, of both technological services (like cloud computing) to regulated entities and a diversity of financial services to the public. From a macro-prudential perspective, all firms—including SIFIs and FMIs—using the same cloud provider leads to systemic risk, which can result in severe consequences to the financial system in case of an operational disruption on the cloud provider. The paper then discusses a range of options to potentially address this issue:

• The first option is to require all financial firms, including SIFIs and FMIs, that acquire technology services, such as cloud computing services, from critical third-party providers to assess the potential implications for their operational resilience. This is the prevalent regulatory approach, whose main  drawback is that system-wide operational resilience basically hinges on assessments of individual firms. It is uncertain whether firms would have the right incentives and the means to perform thorough assessments of the risks posed by their interactions with critical third-party providers, not to mention that all firms performing their own audit of the same providers could be vastly inefficient. It remains to be seen whether collaboration across financial firms (as in pooled audits) would address these issues. 
• The second option is a variation of the first one but would require financial firms to use a multi-provider strategy. This strategy involves the use of two or more providers for each critical service, such as cloud computing services, and requires planning for business applications to be portable between multiple providers. This option has the same drawback as the first option, as assessment of the operational resilience of the third parties would be left to individual firms. It requires firms to take on additional costs to run the same services, could make the process of cloud configuration more challenging, may magnify the risk of misconfiguration if the providers use proprietary security standards and protocols, potentially leading to security and data breaches.
• The third, and extreme, option is to disallow SIFIS and FMIs from relying on third-party providers. However, this could just distract SIFIs and FMIs from their main functions, which could have implications for their operations. In addition, an operational disruption in an in-house SIFI/FMI ICT infrastructure would still have a systemic impact. While this option may be theoretically possible, it would negate the enhancements in operational resilience that individual firms have achieved with the help of third-party providers.
• The fourth option is to expand the reach of regulation to critical third-party providers in the financial system, such as cloud service providers. This is what DORA proposes and what the UK envisions in its policy statement and discussion paper on critical third parties. In practical terms, technology service providers should only be able to offer their services to any financial firm if they comply with regulatory requirements. A disadvantage of this approach is that having financial authorities put their “stamp of approval” on third-party service providers assumes that they are better than financial firms at making such assessments, though this may not necessarily be the case. This issue could be addressed by having joint assessments by different government bodies (for example, in addition to financial authorities, those in charge of ICT, cyber security, and data protection). More importantly, as seen in the case of DORA and depending on the regulatory regime, the adoption of this approach may require critical providers to establish in each jurisdiction a legal entity that would be responsible for ensuring compliance with the relevant regulation in that jurisdiction. That looks largely inefficient, not only for critical providers, which typically have a global and multi-sectoral scope of activities, but also for internationally active financial firms.

The paper notes the several ways in which authorities may address risks to operational resilience posed by third-party technology providers. It notes that there may be an argument for subjecting these technology providers, particularly the critical ones, to a new oversight framework. For big tech groups that conduct diverse activities and are subject to significant internal interdependencies, there is a rationale for also considering establishing group-wide requirements on operational resilience for those entities. Given that the provision of cloud services is largely concentrated in a few global technology companies, the aforementioned fourth option can be further tweaked to address the inefficiencies arising from having to comply with regulations in individual jurisdictions, which potentially could vary widely. A more effective line of action could be the establishment of an international regulatory and supervisory regime. The former could be achieved by developing specific international standards for firms offering critical services beyond a minimum threshold. The latter might require the appointment of a leading supervisory authority for each critical provider and the creation of multi-country supervisory colleges. Aside from addressing inefficiencies, cross-border oversight is also necessary given the potential global impact of a failure of some of these critical third-party providers.

Related Links

• FSI Notification
• FSI Paper (PDF)

Keywords: International, Banking, Suptech, Regtech, Cloud Computing, Critical Service Providers, Bigtech, Systemic Risk, FMI, Third-Party Arrangements, Operational Resilience, BIS, FSI