オペレーショナルレジリエンス: 重要なサードパーティ規制 (CTP) が実現に近づく
The Bank of England, together with the Prudential Regulation Authority and Financial Conduct Authority, has just released their final requirements and expectations for the regulation of critical third parties (CTPs). This marks an important juncture, as it effectively kicks off the process of bringing key technology providers under a direct regulatory remit - likely creating challenges, but also presenting potential advantages for those affected. From a global perspective, it will worth watching, as it will likely drive precedents for similar regulatory attention occurring worldwide, with DORA in the EU particularly set to create akin requirements, as well as the Financial Stability Board for G20 countries.
What are CTPs?
Critical third parties are (non-bank) entities that provide services to the financial system, for which service disruption or failure could threaten the stability of, or confidence in, the financial system. While these have not been named yet (official designation of CTPs starts in January), a key characteristic of what is ‘critical’ is market concentration – where a few service providers support multiple firms, with service issues potentially leading to wider contagion effects. However, it could also be designated to a single provider which provides multiple distinct services, where these could have a material impact in aggregate. In both cases (or indeed by itself) low substitutability of services - due to lack of alternatives, or lack of ability to migrate quickly/easily - would also be an amplifying factor.
Key examples here are the major cloud service providers where there is relatively high concentration of sector usage with the hyperscalers (think likes of AWS or Azure). However, also worth noting (for the UK at least) that CTPs may not necessarily be just technology or data providers – regulatory focus is on overall business services, so could include non-ICT providers such as cash distribution companies. In contrast, DORA in the EU, which sees a similar attention on CTPs focuses specifically on ICT providers. It also has more quantitative, as well as qualitative, CTP qualification rules - for example, if a provider supports more than 10% of EU financial services firms by number or assets, or if it supports 3 systemically important institutions.
What are the main rules and requirements for CTPs?
The regulation set out six ‘fundamental’ rules for CTP, which are as follows:
- A CTP must conduct its business with integrity.
- A CTP must conduct its business with due skill, care, and diligence.
- A CTP must act in a prudent manner.
- A CTP must have effective risk strategies and risk management systems.
- A CTP must organize and control its affairs responsibly and effectively.
- A CTP must deal with each regulator in an open and cooperative way and must disclose to each regulator appropriately anything relating to the CTP of which it would reasonably expect notice
To some degree these are fairly high level, and you would hope that providers are already operating with integrity, due skill, effectiveness and responsibility with respect to rules 1 to 5. The main change is clearly with rule 6 in terms of working with and disclosing information to the UK regulators, however, the initial rules are important in requiring deliberate and proactive reportable governance steps. For example, ‘acting in a prudent manner’ means that firms need to ensure adequate resources to support provision of systemic third party services to firms in times of business as usual, but also during financial distress or during a CTP operational incident.
From a more specific perspective, there are eight requirements around delivering operational risk and resilience.
- Governance: CTPs must ensure that their governance arrangements promote the resilience of any systemic third party service they provide. This includes appointing a central point of contact for the regulators and establishing clear roles and responsibilities.
- Risk Management: CTPs must effectively manage risks to their ability to deliver systemic third party services. This involves identifying and monitoring relevant risks and updating risk management processes regularly.
- Dependency and Supply Chain Risk Management: CTPs must identify and manage risks to their supply chain that could affect their ability to deliver systemic third party services. They must ensure that key nth party providers and persons connected with a CTP cooperate with them in meeting CTP duties.
- Technology and Cyber Resilience: CTPs must ensure the resilience of any technology that delivers, maintains, or supports systemic third party services. This includes having effective strategies, processes, and systems to manage technology and cyber risks.
- Change Management: CTPs must have a systematic and effective approach to dealing with changes to systemic third party services. This includes implementing policies, procedures, and controls to manage changes effectively
- Mapping: CTPs must identify and document the resources used to deliver, support, and maintain each systemic third party service and any interconnections and interdependencies. This mapping must be delivered within 12 months of CTP designation and be regularly updated.
- Incident Management: CTPs must effectively manage operational incidents, including setting an appropriate maximum tolerable level of disruption and maintaining an incident management playbook (i.e. plans of action in event of an operational incident). For this CTPs need to conduct annual self-assessments, do scenario-testing, and conduct playbook exercises (such as playing out test incidents with a sample of client firms).
- Termination of Services: CTPs must have measures in place to respond to the termination of any systemic third party services, including supporting the orderly and timely termination of services and ensuring access to, recovery, and return of relevant firm assets. This is for any reason, so would include change of control, corporate reorganization, or insolvency.
And then from an information reporting, key areas include:
- Self-assessment reports (interim within 3 months, and then annually)
- Scenario-testing and incident management playbook exercisesresults
- Information provided to other authorities (e.g. for DORA)
- Incident reporting (initial, intermediate, & final reports)
- Changes to circumstances (Anything that could impact ability to deliver services)
- Additional information (anything that could be reasonably required by regulators, e.g. audit report, certifications).
What does this mean for financial institutions and CTPs?
For financial institutions, a key point to note here is that the CTP regime is designed to complement, not replace, existing firm obligations to manage third party risks. The regulation is design to capture situations where there would be an effective limit to how much a single firm could do to identify or mitigate risks through its own actions, however, the regulatory focus on managing third-party risks is intensifying, not abating.
For service providers designated as CTPs, regulatory scrutiny will clearly present challenges, creating higher overheads and another consideration when changing business strategy. However, for many it could be a blessing in disguise. To a large degree, CTPs will already be providing such information and considerations to meet the needs of individual financial institutions in managing their third-party risks. As each institution will have its own governance framework this can often involve relatively customized agreements with each client. Having a direct reporting relationship with regulators may allowed a more standardized approach, given both the institution and CTP will need to report on incidents, and if the CTP is meeting regulatory demands directly, there will likely be a degree of de facto, although likely not official, regulatory approval. In turn, this could also become beneficial from a commercial perspective if CTPs become effectively deemed safer from a risk and compliance overhead perspective.
Conversely, the main challenge may come from implementations of such requirements across different markets. While there does seem to be a deliberate attempt by regulators to coordinate (UK has explicitly tried to align with and be interoperable with both DORA in EU and Bank Service Company Act in US), there will be differences, particularly in terms of which firms are designated as CTPs in each market.