New European fintech regulations affecting ICT providers | Morrison & Foerster LLP
Both the EU and the UK are taking steps to improve rules in the financial sector to add a new layer of direct regulation for key technology suppliers to banks and other regulated financial institutions – especially in relation to operational resilience.
The financial services (FS) sector relies heavily on information and communication technology (ICT), including hardware, software, cloud hosting, digital operations, AI, chatbots, blockchain and outsourcing. This reliance has been further accelerated in response to the COVID-19 pandemic and remote working, and continues to grow as banks and other FS institutions continue to be willing adopters of new technology platforms.
Regulators of FS businesses have recognized for years that ICT risk poses a challenge to the operational resilience and stability of financial systems, particularly as many service and technology sectors face increasing concentration risk. For example, HM Treasury (HMT) noted in its 2022 policy statement that, as of 2020, over 65% of UK financial services firms used the same four cloud service providers (CSPs) for cloud infrastructure services. Increasing reliance on, and concentration towards, a few third parties for these services means that the failure of a single ‘critical’ third party can cascade across the functioning of the entire FS sector.
Regulatory requirements affecting the provision of ICT services to regulated FS institutions (e.g., banks, insurance companies) (“Companies”) have for many years applied to ICT service providers (ICT SPs) only indirectly, through the obligations placed on their regulated clients. However, the current EU and UK regulatory proposals would impose direct regulatory oversight on (and permit intervention and enforcement against) certain ICT SPs.
Existing indirect regime
In the UK, the Financial Conduct Authority (FCA) has for some years provided guidance to UK-regulated firms on the use of third-party outsourcing solutions and, since 2016, on the use of cloud computing to deliver technology services or operations. However, all previous guidance was aimed at regulated firms, not at ICT SPs or CSPs themselves (although in practice ICT SPs and CSPs had to be aware of the regulatory requirements their FS clients had to comply with, especially where those requirements flowed down into the contracts between an FS client and an ICT SP).
The FCA, the Prudential Regulation Authority (PRA) and the Bank of England can also impose obligations on third parties indirectly, by requiring firms to incorporate resilience requirements into their ICT and outsourcing contracts. In practice, however, indirect contractual obligations are difficult to enforce, and because a small number of ICT suppliers dominate the market, it is also difficult for firms to negotiate terms or find alternative suppliers.
Similarly, in the EU the European Banking Authority has issued guidelines on outsourcing arrangements (the “EBA Guidelines”), which set out specific requirements that outsourcing agreements for critical or important functions must meet, including that the ICT SP must grant the firm and its competent authorities full access and information rights and unrestricted audit rights, so that the firm can monitor the outsourcing/ICT arrangement and ensure compliance with all applicable regulatory and contractual requirements.
The changes – EU
In order to harmonize digital operational resilience rules for FS organizations in the EU (and replace a currently fragmented regulatory landscape), the European Commission proposed a Regulation on digital operational resilience for the FS sector (DORA) in September 2020. Digital operational resilience refers to the ability to withstand all types of ICT-related disruptions and threats, including cyber-attacks. DORA is designed to consolidate and upgrade ICT risk requirements across the EU FS sector so that all FS system participants are subject to a common set of rules for managing the ICT risk of their operations: a single set of overarching mandatory rules that sets a high common standard across the EU’s FS system.
DORA will be enforced alongside the existing EBA guidelines. It is currently understood that the EBA guidelines will not be repealed, but will be revised to reflect the requirements under DORA.
DORA will impose several obligations on FS entities, including, among other things, maintaining internal governance and control frameworks to manage ICT risk effectively and establishing and implementing an ICT-related incident management process. DORA will also require that contracts with ICT SPs include, at a minimum, certain listed provisions (the so-called “Article 27 list”, after the relevant article of the Commission’s proposal).
Importantly, DORA will bring critical ICT SPs directly within the scope of supervision by the European Supervisory Authorities (ESAs). The ESAs will be tasked with designating certain ICT SPs as critical, taking into account the systemic impact of the services, the systemic importance of the recipients of the services, the critical or important functions supported, substitutability and the number of EU Member States involved.
Under the oversight framework, the ESAs will appoint a lead supervisor (termed the “Lead Overseer” in DORA) for each critical ICT SP, who will conduct annual, tailored assessments of it. A critical ICT SP will be required to:
- Establish comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks that they may pose to financial entities; and
- Pay fees to the lead supervisor that cover the regulator’s oversight costs and are commensurate with the supplier’s turnover.
Lead supervisors will have broad powers to issue information requests and access documents, conduct on-site inspections, issue recommendations and instructions, and require remedial action. For non-compliance they can impose turnover-based periodic penalty payments on critical ICT SPs (a daily penalty of 1% of the ICT SP’s average daily worldwide turnover in the preceding business year, for up to six months).
A positive change that will come from DORA across the EU is that it can replace EU Member State national regulatory initiatives (e.g., on digital operational resilience testing) and supervisory approaches (e.g., on addressing ICT third-party dependencies) with a single harmonized regulatory approach across the EU.
The changes – UK
The UK has introduced provisions in the Financial Services and Markets Bill (the “Bill”) which aim to reform UK financial services regulation and include, for example, measures that mirror DORA in establishing a regime for the designation of critical third-party service providers (CTPs) in the UK FS sector.
The Bill will give the UK FS regulators direct oversight of CTPs and allow the regulators to intervene to raise the standards of digital operational resilience for the services provided to the FS sector and reduce the risk of systemic disruption, while recognizing the benefits of ICT, outsourcing and other technology platforms.
As under DORA, certain third-party service providers will be designated as critical; in the UK the designation will be made by HMT, based on the materiality of the services offered and the concentration (by number and type) of firms to which the third party provides services. In practice, designation will typically follow a recommendation from the FS regulators.
The Bill will give the FS regulators powers to: (a) make rules that apply to CTPs, including minimum resilience and stress-testing standards in respect of all material services that they provide to UK-regulated firms; (b) give directions to CTPs, including the power to direct CTPs to take or refrain from taking specific actions; (c) gather information from CTPs, including by appointing a “skilled person” to investigate potential breaches of requirements; and (d) take enforcement action.
The FS regulators have published a discussion paper (“the paper”) describing how they expect to exercise these powers in practice, and how they will make recommendations to HMT about potential CTPs. The potential measures comprise three main building blocks: (1) a framework for regulators to identify and recommend potential CTPs for formal designation; (2) minimum resilience standards for designated CTPs in respect of the material services they provide to UK-regulated firms; and (3) a range of tools to test the resilience of the material services that CTPs provide to UK-regulated firms.
Of course, CTPs will not be required to comply with DORA in relation to their UK operations. But in practice, many (if not most) UK-regulated firms and ICT providers will want to operate in both the UK and the EU, and will therefore have to satisfy both regulatory regimes.
The risk to service providers in the UK may be lower than under DORA, given the UK’s desire to encourage Big Tech investment in the UK and the UK Government’s signals of a lighter regulatory approach to the FS sector (e.g., the UK Government’s announcement of plans to move away from the EU-derived cap on bankers’ bonuses).
Indeed, the paper notes that CTPs are likely to make up a very small percentage of the total number of third parties providing services to UK firms. However, the paper identifies that certain service providers (such as the large CSPs) may be particularly likely to be considered for designation. In the future, the paper adds, certain third parties providing data and artificial intelligence or machine learning models may emerge as future potential CTPs, as a result of the increasing use of these data and models in trading systems.
Next steps to consider
For service providers, it will be important to review the requirements set out in the regulators’ guidance and to assess the risk of being designated a CTP in relation to the market segments of the FS sector they serve (and thus being exposed to direct regulation for the first time). Service providers should also consider the incremental regulatory risk arising from acquisitions that could lead to future designation as a CTP. If either regime applies, service providers must be alert to current and future regulatory oversight risks and should expect their contracts with firms to include safeguards relating to the minimum resilience standards.
For Companies, the proposed regimes complement existing risk management and resilience obligations. Because service providers will themselves be required to meet resilience standards, firms gain some assurance that they are meeting their own resilience obligations in respect of third-party arrangements. In addition, the regulators’ power to impose requirements directly on service providers should strengthen Companies’ bargaining power in contract negotiations.
Harry Anderson, a trainee solicitor in our London office, contributed to the preparation of this client alert.