OPERATIONAL RESILIENCE: PROPOSED CTP REGIMES – UK / EU COMPARISON

Regimes compared: UK (FSM Bill + DP3/22) and EU (DORA). For each topic below, the UK position is given first, followed by the EU position.
1. Scope of Regime

UK (FSM Bill + DP3/22):
- Applies to CTPs only. Firms remain subject to existing rules (and regulator expectations) on operational resilience, outsourcing and third party risk management.
- Wide category of CTP services: CTPs are not limited to digital / data service providers.
- Cloud Services Providers (CSPs) are likely to be considered for designation. But DP3/22 contemplates non-ICT services (e.g. claims management services to insurers or cash distribution) possibly being designated.
- Criteria for being a CTP: the FSM Bill proposes two criteria for CTPs:
  - materiality – the materiality of the services to the delivery by UK firms and FMIs (only) of activities, services or operations that are essential to the economy or financial stability of the UK; and
  - concentration – the number and type of UK firms and FMIs to which the third party provides its services.
- The CTP regime may, in the future, extend to artificial intelligence, quantum computing, machine learning etc.

EU (DORA):
a. Firms: 20 categories (listed in Article 2(1) of DORA) of in-scope EU "financial entities", including:
  - Banking sector: credit institutions, payment institutions, electronic money institutions, investment firms and cryptoasset service providers;
  - Markets infrastructure: central securities depositories, central counterparties (CCPs), trading venues, trade repositories and data reporting service providers;
  - Funds sector: alternative investment fund managers (AIFMs) and Undertakings for Collective Investment in Transferable Securities (UCITS) management companies;
  - Insurance sector: insurance and reinsurance undertakings, and insurance, reinsurance and ancillary insurance intermediaries; and
  - Other financial entities: credit rating agencies, administrators of critical benchmarks, crowdfunding service providers and securitisation repositories.
  The term "financial entities" does not include insurance intermediaries or other exempt entities.
b. ICT third-party service providers: digital / data service providers only.
2. Designation of CTPs

UK (FSM Bill + DP3/22):
- Under the FSM Bill, designation is by HMT via secondary legislation, following consultation with supervisory authorities.
- Designation is evidence-based. It is expected that only a very small percentage of the total number of third parties providing services to firms will be designated as CTPs.
- Supervisory authorities may recommend designation of a particular third party to HMT. In doing so, supervisory authorities would look at:
  - materiality – economic functions, critical services / functions, certain important business services;
  - concentration – number / type of firms / FMIs that use the third party, (in)direct dependencies, market share in material services; and
  - potential impact – aggregation risk, substitutability, survivability.

EU (DORA):
- Designation is by the European Supervisory Authorities (the ESAs – the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)).
- The ESAs will designate through a Joint Committee and upon recommendation from an Oversight Forum.
- EBA, ESMA or EIOPA will be appointed as Lead Overseer for each ICT CTP, depending on the total value of assets of financial entities making use of the services of that provider.
- The ESAs will, through the Joint Committee, establish, publish and update yearly the list of ICT CTPs at the EU level.
- ICT third-party service providers who are not designated as ICT CTPs may request to be designated and included in this list.
- Criteria for designating ICT third-party service providers as ICT CTPs: Article 31(2) of DORA outlines the following criteria for ICT CTPs:
  - systemic impact on the stability, continuity or quality of the provision of financial services in the event of the ICT CTP facing a large-scale operational failure to provide its services;
  - systemic character or importance of the financial entities that rely on the relevant ICT CTP;
  - reliance of financial entities on the services of the ICT CTP in relation to critical or important functions of the financial entities; and
  - degree of substitutability of the ICT CTP (including lack of real alternatives and difficulties in partially / fully migrating across to an alternative third-party provider).
3. Type of regulation / oversight

UK (FSM Bill + DP3/22):
- Regulators:
  - BoE;
  - FCA; and
  - Prudential Regulation Authority (PRA).
- Nature of regulation:
  - Services (not entity) based oversight. Supervisory authorities would focus on the services that CTPs provide to UK firms and FMIs, where the failure or disruption of those services could have a systemic impact on the supervisory authorities' objectives (material services).
  - Regulators would not oversee, regulate or supervise CTP entities in their entirety, nor the services they provide to other sectors of the economy.
  - Supervisory authorities may consult with public bodies and other regulators on designation, including the National Cyber Security Centre, the Centre for the Protection of National Infrastructure, the Digital Regulation Cooperation Forum (which includes the Competition and Markets Authority (CMA) and the Information Commissioner's Office (ICO)), the UK Regulators Network and / or the Department for Digital, Culture, Media and Sport.

EU (DORA):
- Regulators:
  - Financial entities: financial entities will be subject directly to extra requirements under DORA (and through amendments to existing EU legislation made under the DORA Amending Directive).
  - ICT CTPs: for each ICT CTP, the regulator will be EBA, ESMA or EIOPA (whichever is Lead Overseer).
- Nature of regulation: the Lead Overseer:
  - conducts the oversight of the assigned ICT CTP and is, for all matters related to oversight, the primary point of contact for that ICT CTP;
  - assesses whether each ICT CTP has comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities; and
  - has powers to:
    - request information;
    - conduct investigations and inspections;
    - make recommendations; and
    - request reports and require recommendations to be addressed.
- Oversight Forum:
  - An ESA Joint Committee will establish a sub-committee (the Oversight Forum), which shall discuss relevant developments, annually undertake a collective assessment of the results and findings of the oversight activities conducted for all ICT CTPs, and promote coordination measures.
  - The ESAs, through the Joint Committee and based on the work of the Oversight Forum, will present yearly to the European Parliament, Council and Commission a report on designation and supervision.
4. Obligations on Firms

UK (FSM Bill + DP3/22):
- No specific extra obligations proposed.
- UK regulated firms and FMIs will retain primary responsibility (and accountability to their regulators) for managing risks to their resilience (including operational resilience) arising from arrangements with third parties, including those designated as CTPs.

EU (DORA):
- Financial entities:
  - In summary, financial entities must comply with the 'general principles', put in place key contractual provisions and undertake assessments of ICT concentration risks for all ICT third-party service providers, including those designated as ICT CTPs.
  - Note: the 'general principles' include:
    - contractual arrangements;
    - proportional management based on the scale, complexity and importance of ICT-related dependencies and risks arising from contractual arrangements on the use of ICT services;
    - putting in place a strategy on ICT third party risk;
    - maintaining, at an entity level and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers;
    - reporting to competent authorities;
    - exercising access, inspection and audit rights over ICT third-party service providers;
    - putting in place exit strategies; and
    - identifying alternative solutions and developing transition plans to enable them to remove or transfer the ICT services.
  - Must review concentration risk before entering into a contractual arrangement for the use of ICT services (Article 28(4)(c) and Article 29).
  - Must put in place key contractual provisions with any ICT third-party service provider (e.g. on locations, accessibility, notice periods, SLAs, right to monitor, etc.) (Article 30). Standard contractual clauses are to be considered but are not as yet mandated (Article 30(4)).
  - May only enter into contractual arrangements with ICT third-party service providers that comply with appropriate security standards (Article 28(5)).
  - Must take into account or sufficiently address all specific risks identified in a Lead Overseer's recommendations (addressed to the ICT CTP – see below) (Article 42(3)).
  - May only use the services of an ICT third-party provider established in a third (non-EU) country and which has been designated as critical by the ESAs if that third country ICT CTP has established a subsidiary in the EU within 12 months of its designation (Article 31(12)).
5. Obligations of CTPs

UK (FSM Bill + DP3/22):
- CTPs would have to comply with proposed minimum resilience standards to be set by the regulators (which could be tailored to CTPs but built on the CPMI-IOSCO Principles for FMIs).
- The minimum resilience standards (DP3/22, chapter 5) would: apply to material services; build on the existing operational resilience framework for firms / FMIs; avoid duplication of existing standards; impose common / minimum obligations on CTPs; and be outcomes-focused and principles-based.
- Elements of potential minimum resilience standards:
  - identification of relevant services;
  - mapping resources required to deliver those services, including nth parties;
  - risk identification and management;
  - resilience testing, including participating in sector-wide testing;
  - engagement with supervisory authorities, including providing reasonable notice of information on incidents or threats;
  - developing a financial sector continuity playbook, i.e. measures to test failure or severe but plausible disruption to material services;
  - post-incident communication, including communication plans (e.g. bank runs); and
  - learning and evolving from actual disruption and testing.
- Compliance with existing government and industry-recognised certifications and standards may give partial assurance about compliance with minimum resilience standards.
- No one-size-fits-all approach to CTP resilience. But the expectation is that resilience testing may be performed jointly for CTPs.
- Testing would include scenario testing (perhaps in collaboration with the Cross Market Operational Resilience Group), sector-wide exercises (such as in conjunction with SIMEX) and cyber-resilience testing (such as testing under CBEST).

EU (DORA):
- The obligations of designated ICT CTPs are largely based on compliance with the exercise of the authority of their Lead Overseer on security, risks, reporting, testing, access etc.
- DORA otherwise does not impose specific obligations on ICT CTPs.
- Generally, the proposed UK regime will put more obligations on CTPs, whereas DORA puts more obligations on financial entities than on CTPs.
6. Regulators' Powers

UK (FSM Bill + DP3/22):
- The FSM Bill proposes to grant supervisory authorities powers to:
  - make compulsory information requests of CTPs;
  - commission skilled persons reviews of CTPs (akin to section 166 of the Financial Services and Markets Act 2000 (FSMA)). CTPs would be under a statutory obligation to give skilled persons all such assistance as they may reasonably require;
  - issue a direction requiring CTPs to do (or refrain from doing) anything specified. This could involve implementing the recommendations of a skilled persons review, remediating issues, or suspending or imposing conditions on the CTP's ability to provide services to UK firms and FMIs; and
  - if a CTP breaches an applicable requirement: (a) publish a statement (censure); (b) impose conditions or limitations on the ability of the CTP to provide services to UK firms and FMIs; and (c) issue a disqualification notice prohibiting it from entering into future agreements with UK firms and FMIs, prohibiting it from providing (some of its) services, or imposing conditions / limitations on its ability to provide services.
- Supervisory authorities would only be able to use certain powers where they undertake an investigation that concludes the CTP breached a requirement.
- No financial penalties listed in DP3/22.
- After the FSM Bill receives Royal Assent, the supervisory authorities would publish a Statement of Policy setting out how they would exercise their statutory powers over CTPs.

EU (DORA):
- The Lead Overseer is to assess whether ICT CTPs have in place sound rules, procedures, mechanisms and arrangements to manage the ICT risks which they may pose to financial entities (Article 33). This assessment will include:
  - physical security;
  - risk management processes;
  - governance arrangements;
  - ICT-related incidents;
  - mechanisms for data portability and interoperability;
  - testing;
  - ICT audits; and
  - use of relevant national and international standards.
- Based on this assessment, the Lead Overseer will adopt an Oversight Plan for each ICT CTP, which will be communicated to the provider each year.
- The Lead Overseer has a range of powers over ICT CTPs (Article 35), including to:
  - request all relevant information and documentation;
  - conduct general investigations and inspections;
  - request reports specifying remedies to be taken;
  - issue recommendations (for example on ICT security or refraining from subcontracting); and
  - impose financial penalties.
- Before exercising its powers, the Lead Overseer must consult the Oversight Forum.
- General investigations (Article 38): these include examining records, summoning representatives for oral / written explanations, interviews etc. An investigation may only be exercised in accordance with a written authorisation specifying the subject matter and purpose of the investigation.
- On-site inspections (Article 39): inspections cover the full range of ICT systems, networks, devices, information and data used for or contributing to the provision of services to financial entities. Reasonable notice must be given to the ICT CTP unless such notice is not possible due to an emergency or crisis situation, or if it would lead to a situation in which the inspection would no longer be effective.
- Post-investigation / inspection recommendations (Article 40(3)): within 3 months after the completion of an investigation or inspection, the Lead Overseer must, after consulting the Oversight Forum, adopt recommendations to be addressed to the ICT CTP; those recommendations should be immediately communicated to the ICT CTP and to the competent authorities of the financial entities to which it provides services.
- Periodic penalties (Article 35(6)): to compel the ICT CTP to comply with its obligation to respond to information requests, comply with an investigation or provide requested reports. Payable daily until compliance is achieved, for a maximum of 6 months. Up to 1% of the average daily worldwide turnover of the ICT CTP in the preceding business year.
- The ESAs will publish a range of joint Implementing Technical Standards (ITS), Regulatory Technical Standards (RTS) and Guidelines under DORA.
7. International Coordination & Harmonisation

UK (FSM Bill + DP3/22):
- DP3/22 highlights that a global methodology for identifying CTPs would be challenging (but notes that there is such a methodology for identifying systemically significant financial institutions).
- Global resilience standards for CTPs could be developed based on Annex F of the CPMI-IOSCO Principles for FMIs and the High Level Expectations for the Oversight of SWIFT.
- Sector-wide testing and cross-border resilience testing may be employed.
- DP3/22 asks respondents about UK supervisory authorities taking into account resilience tests, sector-wide exercises and other oversight activities undertaken by or on behalf of non-UK financial supervisory authorities on CTPs. "Taking into account" is not defined; this could fall short of recognition / validation for the purposes of the UK regime.

EU (DORA):
- Article 44 provides that the ESAs may conclude administrative arrangements with third country regulatory and supervisory authorities to foster international cooperation on ICT third-party risk across different financial sectors.
- The ESAs must report every 5 years, in a confidential report to the European Parliament, Council and Commission, summarising relevant discussions with such third country authorities.