UK regulators plan to team up next year to propose new standards for some IT companies that provide services to financial services firms.
According to the Financial Policy Committee, the Bank of England, Prudential Regulation Authority and Financial Conduct Authority intend to publish a joint discussion paper in 2022. This paper will weigh up whether there should be a framework for designating certain third-party service providers as “critical”. IT providers deemed to be critical, which may include cloud service providers, would then likely be subject to new resilience standards and testing requirements.
This would fill a policy gap that has emerged between the UK and the EU in this area. Until now, the UK’s approach to operational resilience has been to focus on regulated firms. New rules designed to build UK financial firms’ resilience to disruption start to apply from March 2022. The EU’s equivalent – a digital operational resilience act, known as DORA – is still only in draft form but does include a second part which is intended to give more powers to EU authorities to oversee businesses which provide critical IT services to the financial sector.
This is part of a wider trend as regulators seek to address fears of “concentration risk” – especially when it comes to accessing the cloud – where many regulated financial firms rely on a relatively small pool of technology providers.
The increasing criticality of the services that critical third parties (CTPs) provide, alongside concentration in a small number of providers, poses a threat to financial stability in the absence of greater direct regulatory oversight.