Featured Product

    FSI Paper Suggests Global Regime for Critical Service Providers

    August 25, 2022

    The Financial Stability Institute (FSI) of the Bank for International Settlements published a brief paper that examines the macro-prudential concerns of operational resilience with respect to cloud service providers and big tech firms and offers ideas on how to address these concerns. One of these ideas involves appointing a supervisory authority and establishing an international regulatory and supervisory regime for firms offering critical services beyond a minimum threshold.

    The paper notes that the interconnected use of technologies within the financial ecosystem can affect operational resilience at the system level. Thus, it is not enough to assess and monitor the operational resilience of individual firms. Authorities need to adopt a macro-prudential perspective when addressing risks of operational disruptions in the provision of financial services. Assessment of operational resilience at the system level could, for example, involve objective metrics such as the number of technology firms providing critical services or number of systemically important financial institutions (SIFIs) or financial market infrastructures (FMIs) relying on the services of a big tech. The macro-prudential approach would be particularly appropriate in two different but related domains: one is the use of critical services, such as cloud computing services, and the other is the provision, by big tech firms, of both technological services (like cloud computing) to regulated entities and a diversity of financial services to the public. From a macro-prudential perspective, all firms—including SIFIs and FMIs—using the same cloud provider leads to systemic risk, which can result in severe consequences to the financial system in case of an operational disruption on the cloud provider. The paper then discusses a range of options to potentially address this issue:

    • The first option is to require all financial firms, including SIFIs and FMIs, that acquire technology services, such as cloud computing services, from critical third-party providers to assess the potential implications for their operational resilience. This is the prevalent regulatory approach, whose main  drawback is that system-wide operational resilience basically hinges on assessments of individual firms. It is uncertain whether firms would have the right incentives and the means to perform thorough assessments of the risks posed by their interactions with critical third-party providers, not to mention that all firms performing their own audit of the same providers could be vastly inefficient. It remains to be seen whether collaboration across financial firms (as in pooled audits) would address these issues. 
    • The second option is a variation of the first one but would require financial firms to use a multi-provider strategy. This strategy involves the use of two or more providers for each critical service, such as cloud computing services, and requires planning for business applications to be portable between multiple providers. This option has the same drawback as the first option, as assessment of the operational resilience of the third parties would be left to individual firms. It requires firms to take on additional costs to run the same services, could make the process of cloud configuration more challenging, may magnify the risk of misconfiguration if the providers use proprietary security standards and protocols, potentially leading to security and data breaches.
    • The third, and extreme, option is to disallow SIFIS and FMIs from relying on third-party providers. However, this could just distract SIFIs and FMIs from their main functions, which could have implications for their operations. In addition, an operational disruption in an in-house SIFI/FMI ICT infrastructure would still have a systemic impact. While this option may be theoretically possible, it would negate the enhancements in operational resilience that individual firms have achieved with the help of third-party providers.
    • The fourth option is to expand the reach of regulation to critical third-party providers in the financial system, such as cloud service providers. This is what DORA proposes and what the UK envisions in its policy statement and discussion paper on critical third parties. In practical terms, technology service providers should only be able to offer their services to any financial firm if they comply with regulatory requirements. A disadvantage of this approach is that having financial authorities put their “stamp of approval” on third-party service providers assumes that they are better than financial firms at making such assessments, though this may not necessarily be the case. This issue could be addressed by having joint assessments by different government bodies (for example, in addition to financial authorities, those in charge of ICT, cyber security, and data protection). More importantly, as seen in the case of DORA and depending on the regulatory regime, the adoption of this approach may require critical providers to establish in each jurisdiction a legal entity that would be responsible for ensuring compliance with the relevant regulation in that jurisdiction. That looks largely inefficient, not only for critical providers, which typically have a global and multi-sectoral scope of activities, but also for internationally active financial firms.

    The paper notes the several ways in which authorities may address risks to operational resilience posed by third-party technology providers. It notes that there may be an argument for subjecting these technology providers, particularly the critical ones, to a new oversight framework. For big tech groups that conduct diverse activities and are subject to significant internal interdependencies, there is a rationale for also considering establishing group-wide requirements on operational resilience for those entities. Given that the provision of cloud services is largely concentrated in a few global technology companies, the aforementioned fourth option can be further tweaked to address the inefficiencies arising from having to comply with regulations in individual jurisdictions, which potentially could vary widely. A more effective line of action could be the establishment of an international regulatory and supervisory regime. The former could be achieved by developing specific international standards for firms offering critical services beyond a minimum threshold. The latter might require the appointment of a leading supervisory authority for each critical provider and the creation of multi-country supervisory colleges. Aside from addressing inefficiencies, cross-border oversight is also necessary given the potential global impact of a failure of some of these critical third-party providers.

     

    Related Links

     

    Keywords: International, Banking, Suptech, Regtech, Cloud Computing, Critical Service Providers, Bigtech, Systemic Risk, FMI, Third-Party Arrangements, Operational Resilience, BIS, FSI

    Featured Experts
    Related Articles
    News

    EBA Proposes Standards for IRRBB Reporting Under Basel Framework

    The European Banking Authority (EBA) proposed implementing technical standards on the interest rate risk in the banking book (IRRBB) reporting requirements, with the comment period ending on May 02, 2023.

    January 31, 2023 WebPage Regulatory News
    News

    FED Issues Further Details on Pilot Climate Scenario Analysis Exercise

    The U.S. Federal Reserve Board (FED) set out details of the pilot climate scenario analysis exercise to be conducted among the six largest U.S. bank holding companies.

    January 17, 2023 WebPage Regulatory News
    News

    US Agencies Issue Several Regulatory and Reporting Updates

    The Board of Governors of the Federal Reserve System (FED) adopted the final rule on Adjustable Interest Rate (LIBOR) Act.

    January 04, 2023 WebPage Regulatory News
    News

    ECB Issues Multiple Reports and Regulatory Updates for Banks

    The European Central Bank (ECB) published an updated list of supervised entities, a report on the supervision of less significant institutions (LSIs), a statement on macro-prudential policy.

    January 01, 2023 WebPage Regulatory News
    News

    HKMA Keeps List of D-SIBs Unchanged, Makes Other Announcements

    The Hong Kong Monetary Authority (HKMA) published a circular on the prudential treatment of crypto-asset exposures, an update on the status of transition to new interest rate benchmarks.

    December 30, 2022 WebPage Regulatory News
    News

    EU Issues FAQs on Taxonomy Regulation, Rules Under CRD, FICOD and SFDR

    The European Commission (EC) adopted the standards addressing supervisory reporting of risk concentrations and intra-group transactions, benchmarking of internal approaches, and authorization of credit institutions.

    December 29, 2022 WebPage Regulatory News
    News

    CBIRC Revises Measures on Corporate Governance Supervision

    The China Banking and Insurance Regulatory Commission (CBIRC) issued rules to manage the risk of off-balance sheet business of commercial banks and rules on corporate governance of financial institutions.

    December 29, 2022 WebPage Regulatory News
    News

    HKMA Publications Address Sustainability Issues in Financial Sector

    The Hong Kong Monetary Authority (HKMA) made announcements to address sustainability issues in the financial sector.

    December 23, 2022 WebPage Regulatory News
    News

    EBA Updates Address Basel and NPL Requirements for Banks

    The European Banking Authority (EBA) published regulatory standards on identification of a group of connected clients (GCC) as well as updated the lists of identified financial conglomerates.

    December 22, 2022 WebPage Regulatory News
    News

    ESMA Publishes 2022 ESEF XBRL Taxonomy and Conformance Suite

    The General Board of the European Systemic Risk Board (ESRB), at its December meeting, issued an updated risk assessment via the quarterly risk dashboard and held discussions on key policy priorities to address the systemic risks in the European Union.

    December 22, 2022 WebPage Regulatory News
    RESULTS 1 - 10 OF 8699