Concentration game: Critical third parties and financial risk

Technology providers to the financial services sector will be subject to additional regulation under new UK government proposals, with organisations in both camps warned the impending changes will have an impact on their relationship.

Regulators have been spooked by the extent to which ‘critical third parties’ to financial services firms, such as cloud providers, are now so integral to the proper running of markets that any outage, either deliberate or otherwise, presents a risk they do not have sight of.

Over the last decade, banks have adopted three main cloud providers: Amazon Web Services (AWS), Microsoft Azure and Google Cloud.

According to research by S&P Global, about 45% of financial services firms have AWS as their primary provider, while Azure has a similar percentage. Organisations with more than one cloud provider also use a second from the same trio. Azure is used in some shape or form by 79% of financial services firms.

The Big Three have the resources to handle the data processing, maintenance and security demands of the global financial system, and their concentration of power has also caused Brussels to step in.

How did we get here?

In their rush to update systems and controls, banks may have exchanged one set of stability risks for another. Legacy, error-prone piecemeal technology has been phased out in place of advanced cloud platforms with data analytics capabilities.

However, such has been the pace of developments and the source from which they came; a handful of US technology providers, there is concern these firms have enormous leverage over large parts of the financial system. Such “concentration risk” as regulators deem it, has the potential to trigger another global financial meltdown if left unchecked.

What are critical third parties?

The Bank of England (BoE) describes critical third parties as companies that perform important activities, either outsourced or via arrangement, to regulated financial services businesses.

This loose description includes the aforementioned large cloud providers like AWS, Azure, Google Cloud, and Oracle, but also loops in other providers of information and communications technology (ICT) services. This could also include certain data analytics and compliance solutions should their importance to the parent firm be significant enough.

The key test is should the third party fail or is disrupted and such an outage threatens the stability of the firm or the market. Scenarios could include a hack by a hostile bad actor, either a group or a state-sponsored, a severe service outage, or the third party effectively holding its client to ransom over fee increases and service charges, which could lead to a bank’s services dropping out should an agreement not be reached.

How are critical third parties designated?

Initial proposals focus on the “designation” of critical third parties. Early policy statements note that financial regulators have been pushing regulated firms to put in place operational resilience frameworks that include strong systems and controls to assess, document and monitor outsourcing arrangements.

What the existing rules cannot address is the systemic risk posed by the failure of an entity that provides services to multiple firms, and it is hoped new proposals will plug that gap.

“Although it is not yet clear what would constitute ‘critical’, earlier commentary from the UK regulators suggest that designation will focus on third parties that ‘may be a source of systemic risk to the financial stability of the UK’,” said Hinal Patel, technology partner at Simmons & Simmons law firm.

There are three key points to be aware of regarding the designation process, Patel said:

• HM Treasury could designate parties as ‘critical’ in consultation with the UK financial regulators and other bodies. The regulators may even step in and recommend certain parties be designated.
• Designation would take place under secondary legislation, covering criteria like the number and type of services a third party provides, and the materiality of those services; and
• HM Treasury would have to take into account any representations made by potential critical third parties.

HM Treasury will have the final say on whether a firm will be designated critical or not, and it will consider aspects such as the materiality of the services provided. Of interest is the delivery of so-called ‘essential activities, services or operations’ that are essential to the UK’s economy or financial stability. The government will also measure the number and type of authorised persons, relevant service providers or financial market institutions to which the entity provides services, aka the “concentration”.

As the BoE states, there is no way a single firm “can adequately monitor or manage the systemic risks that certain third parties pose to the supervisory authorities’ objectives, including UK financial stability, market integrity and consumer protection”.

Such systemic risks arise when firms rely upon a small number of third parties to provide services which, if disrupted, could significantly affect the authorities’ objectives.

The EU has also drawn up regulations to address the matter, putting forth proposals to strengthen “digital operational resilience” in the financial sector.

In May, the European Council announced that a provisional agreement had been reached on the Digital Operational Resilience Act (DORA), following negotiations that began in September 2020.

Brussels aims to create a “harmonised regulatory framework” for digital operational resilience across the bloc and bring critical ICT third-party providers, including cloud service providers, within the regulatory perimeter.

“It will require in-scope entities to ensure that they can withstand, respond to, and recover from all types of ICT-related disruptions and threats,” said KMPG capital markets expert Kate Dawson. “The UK appears to be moving towards a similar approach to DORA in respect of critical third parties — although potential regulation is still in the consultation phase.

Most financial services firms will likely welcome the introduction of these oversight frameworks, Dawson said, “as they provide greater clarity and certainty” around their obligations and those which lie with their third parties.

“All stakeholders should continue to watch the developments in this space as the final regimes are decided,” Dawson added.

CUBE comment

CUBE’s regulatory technology (RegTech) can be leveraged to assess, document, and monitor outsourcing arrangements with critical third parties and to ensure that the firm’s data is fully compliant with regulations.

With CUBE’s solution, firms can create reports on their compliance status in real time, allowing them to quickly identify and address risks as well as provide regulators with the necessary information to demonstrate compliance.

To fully comply with DORA, RegTech solutions can provide the essential tools required to identify and monitor operational risks as well as adequate reporting on the resiliency of a firm’s systems.

Want to hear more? Contact us below.

Keep ahead of emerging regulations by speaking to CUBE.