EU Confirms Agreement on Rules on Cybersecurity and Banking Resolution
The European Securities and Markets Authority (ESMA) published a paper that examines the systemic risk posed by increasing use of cloud services, along with the potential policy options to mitigate this risk.
Given the high concentration of cloud service providers, the paper examines the possibility that a single cloud service provider outage could generate simultaneous firm-level outages, posing systemic risk. The analysis uses operational risk data to simulate outages among central counterparty clearing members and show that cloud service providers need to be significantly more resilient than firms to improve the safety of the financial system and to compensate for concentration risk. The results of the analysis provide a framework to analyze the benefits and risks related to third-party outsourcing, which can be used by policymakers and regulators in the context of ongoing policy work on cloud service providers. The study also sheds light on the kind of data needed on outages to estimate risks and costs related to third-party outsourcing. The paper notes that use of cloud service providers typically improves the resilience of financial institutions at individual level, while concentration risk can lead to systemic risk due to a higher probability of simultaneous outages.
In financial settings where only longer (multi-period) outages impose systemic costs, cloud service providers can best address systemic risk by strongly reducing incident resolution time, rather than incident frequency. The analysis also shows that the use of an idealized back-up cloud service provider successfully mitigates systemic risk from cloud service providers. Back-up requirements may need to be imposed by policymakers, however, as the systemic risk is an externality to individual firms. The analysis also shows the need for detailed data on outages by financial institutions and cloud service providers; this will allow a better calibration of the model and improve the assessment of trade-offs between different uses of cloud service providers by firms. Given the ubiquity of cloud service providers and continuing migration to use of their services—a trend accelerated by the COVID-19 pandemic—it is crucial for policymakers and market participants to assess benefits and risks of outsourcing to cloud service providers. An important example in the European Union is the proposed Digital Operational Resilience Act, or DORA, that envisages a mandate for the European Supervisory Authorities, working with other authorities, to oversee third-party providers of critical financial services to address related systemic risks.
Related Link: Paper (PDF)
Keywords: Europe, EU, Banking, Securities, Basel, Lending, Cloud Service Providers, Cloud Computing, Operational Risk, Systemic Risk, Concentration Risk, Operational Resilience, Regtech, Financial Stability, DORA, Third-Party Arrangements, ESMA
Featured Experts
María Cañamero
Skilled market researcher; growth strategist; successful go-to-market campaign developer
Blake Coules
Across 35 years in banking, Blake has gained deep insights into the inner working of this sector. Over the last two decades, Blake has been an Operating Committee member, leading teams and executing strategies in Credit and Enterprise Risk as well as Line of Business. His focus over this time has been primarily Commercial/Corporate with particular emphasis on CRE. Blake has spent most of his career with large and mid-size banks. Blake joined Moody’s Analytics in 2021 after leading the transformation of the credit approval and reporting process at a $25 billion bank.
Nicolas Degruson
Works with financial institutions, regulatory experts, business analysts, product managers, and software engineers to drive regulatory solutions across the globe.
Related Articles
SEC Finalizes Climate-Related Disclosures Rule
The U.S. Securities and Exchange Commission (SEC) has finalized the long-awaited rule that mandates climate-related disclosures for domestic and foreign publicly listed companies in the U.S.
US Regulators Release Stress Test Scenarios for Banks
The U.S. regulators recently released baseline and severely adverse scenarios, along with other details, for stress testing the banks in 2024. The relevant U.S. banking regulators are the Federal Reserve Bank (FED), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC).
Asian Governments Aim for Interoperability in AI Governance Frameworks
The regulatory landscape for artificial intelligence (AI), including the generative kind, is evolving rapidly, with governments and regulators aiming to address the challenges and opportunities presented by this transformative technology.
EBA Proposes Operational Risk Standards Under Final Basel III Package
The European Union (EU) has been working on the final elements of Basel III standards, with endorsement of the Banking Package and the publication of the European Banking Authority (EBA) roadmap on Basel III implementation in December 2023.
EFRAG Proposes XBRL Taxonomy and Standard for Listed SMEs Under ESRS
The European Financial Reporting Advisory Group (EFRAG), which plays a crucial role in shaping corporate reporting standards in European Union (EU), is seeking comments, until May 21, 2024, on the Exposure Draft ESRS for listed SMEs.
ECB to Expand Climate Change Work in 2024-2025
Banking regulators worldwide are increasingly focusing on addressing, monitoring, and supervising the institutions' exposure to climate and environmental risks.
BIS Bulletin Examines Cognitive Limits of Large Language Models
The use cases of generative AI in the banking sector are evolving fast, with many institutions adopting the technology to enhance customer service and operational efficiency.
ECB is Conducting First Cyber Risk Stress Test for Banks
As part of the increasing regulatory focus on operational resilience, cyber risk stress testing is also becoming a crucial aspect of ensuring bank resilience in the face of cyber threats.
EBA Continues Momentum Toward Strengthening Prudential Rules for Banks
A few years down the road from the last global financial crisis, regulators are still issuing rules and monitoring banks to ensure that they comply with the regulations.
EU and UK Agencies Issue Updates on Final Basel III Rules
The European Commission (EC) recently issued an update informing that the European Council and the Parliament have endorsed the Banking Package implementing the final elements of Basel III standards