BoE/FCA/PRA Discussion Paper “Operational resilience: Critical third parties to the UK financial sector” (DP3/22) Innovate Finance Response
About Innovate Finance
Innovate Finance is the independent industry body that represents and advances the global FinTech community in the UK. Innovate Finance’s mission is to accelerate the UK's leading role in the financial services sector by directly supporting the next generation of technology-led innovators.
The UK FinTech sector covers businesses from seed-stage start-ups to global financial institutions who embrace digital solutions, playing a critical role in technological change across the financial services industry. FinTech has grown strongly since the Global Financial Crisis of 2007/8, which led to mistrust in traditional banks and coincided with an explosion in the use of smartphones, widespread adoption of the use of apps, the advent of blockchain technology, and significant investment in FinTech start-ups.
FinTech is synonymous with delivering transparency, innovation and inclusivity to financial services. As well as creating new businesses and new jobs, it has fundamentally improved the ways in which consumers and businesses, especially small and medium sized enterprises (SMEs), access financial services.
1.1 Innovate Finance welcomes the opportunity to respond to the Bank of England (BoE), Financial Conduct Authority (FCA), and Prudential Regulation Authority’s (PRA) joint Discussion Paper (DP3/22) entitled Operational resilience: Critical third parties to the UK financial sector. In preparing this submission, we have engaged with a cross-section of our membership, including scale-up banks, other payment service providers and regulatory technology firms. Our response was prepared with support from Hogan Lovells.
1.2 Innovate Finance supports the introduction of a proportionate regime to bolster the resilience of third parties who provide critical services to the financial services industry and whose role has become increasingly important.
1.3 This is particularly the case for start-ups and new market entrants, who usually find relying on third parties (often in combination) a more cost-effective way to launch and scale their services than initially developing expertise and services in-house. These firms have a clear interest in the way the proposed regime may affect third parties and its consequences for them.
1.4 We also fully support the initiative of applying financial services resilience requirements to “Big Tech” firms that provide services to regulated firms. This is necessary to address gaps concerning the significant potential operational risk that unregulated firms with widespread, systemic scope of operations present to the UK financial system. This initiative will be critical to strengthening regulated firms’ ability to meet their UK outsourcing, Senior Managers and Certification Regime (SMCR), and Systems and Controls (SYSC) obligations.
1.5 Our response highlights some potential unintended consequences for competition, innovation and the international competitiveness of the UK as a place to start and scale a FinTech business.
1.6 We also convey the broad message from our members that regulated firms engaged in digital transformation (e.g. transitioning to the use of cloud in storing data) need the authorities' extension of the regime to CTPs to provide clearer guidance on:
- a) ownership of systemic concentration risk;
- b) changes in the expectations for firms when conducting due diligence on CTPs;
- c) firms' contribution to resilience testing of CTPs; and
- d) availability of information to firms from the resilience testing of CTPs.
1.7 Any expansion of the regime should be additive for firms using third parties. A regime that merely duplicates requirements for financial services firms and CTPs without any incremental benefit would duplicate costs and create a cottage industry of compliance.
1.8 Firms need to be able to assess for themselves whether they are comfortable with the CTPs they use, and own the risks they assume. The new regime should not force firms to take an approved vendor 'tick box' approach. Importantly, our members would welcome specific guidance that a multi-vendor strategy in using third parties is an option but is not compulsory.
1.9 We would be pleased to discuss our response in more detail with the regulators and/or facilitate discussions with our members and the wider FinTech ecosystem.
1.10 We present our comments under the following six thematic headings with signposts to questions in the DP:
- a) Relationship to existing third party risk measures;
- b) Criteria for identification;
- c) Consistency with other initiatives;
- d) Concentration risk;
- e) Engagement with supervisory authorities; and
- f) Unintended consequences.
1.11 We appreciate that this is an initial Discussion Paper and look forward to participating in further consultations as details of the regime are developed.
- Relationship to existing third party measures (Qs 1, 2, 4, 8, 15)
2.1 While outsourcing and operational resilience regimes have strengthened firms’ resilience and their management of third party risk, firm-level application of regulatory requirements has limitations. In particular, our members recognise that regulated firms are not well-placed to assess systemic risks of Critical Third Parties (CTPs) which are relied on by multiple firms or of Financial Market Infrastructure firms (FMIs) outside their groups.
2.2 To inform a proportionate approach to assessing the systemic risk of CTPs, we urge regulators to build on the benefits outlined in the DP and describe more fully the wide range of risk reductions that well-managed outsourcing (including outsourcing to CTPs) delivers to regulated firms, such as:
- a) Access to specialist expertise in strength and depth (hard to replicate in-house);
- b) Resilient infrastructure, such as cloud services, providing reliable service delivery to customers;
- c) Shared operating and development costs (supporting firm profitability); and
- d) Access to innovative, consistent and efficient technology that reduces dependence on legacy processes and systems, and improves resilience.
2.3 Firms are already subject to comprehensive regulatory obligations relating to operational resilience, recovery planning and outsourcing requirements. We note there is no suggestion in the current proposals that firms would be under increased obligations related to CTPs. However, we would encourage policymakers to keep this in mind and avoid duplicative obligations which are especially burdensome to new market entrants, start-up firms and scale-up firms.
2.4 To avoid duplicative obligations, sector-wide and cross-sector coordination is crucial in developing the regime for CTPs. For instance, the regulation of cloud service provision, where the use of third parties by firms is widespread, involves the Information Commissioner’s Office (ICO), National Cyber Security Centre (NCSC), Digital Regulation Cooperation Forum (DRCF), and Ofcom. This may lead to overlapping or duplicative regulatory remits which are unnecessarily costly to CTPs and, by implication, their financial services customers, but with little benefit to firms or financial stability.
2.5 Wherever possible, we recommend that supervisory authorities rely on existing regulatory reports and information submissions from firms, rather than create additional obligations on firms.
2.6 It will be important to ensure the proposed CTP regime complements the obligations that regulated firms are already required to meet regarding operational resilience and outsourcing risk. We therefore believe that the outcome of a CTP’s resilience testing, assessment of whether resilience standards are met, and relevant engagement with the supervisory bodies, should be accessible to the regulated firms that rely on that CTP.
2.7 We encourage the authorities to consider whether CTPs should be required to provide such information to their customers and how this should be communicated. This could be done in a standardised way to limit disclosure of sensitive information, while providing information that would assist firms in monitoring their arrangements with a CTP and assessing the risk that continued reliance on a CTP poses to their own operations.
2.8 One additional area to consider is whether the supervisory authorities should gather information on firms’ assessments of the quality of their outsourcing arrangements with a CTP. This would give insight into the ‘riskiness’ of the CTP. Factors to consider include openness, responsiveness, risk awareness, reliance on third parties, etc.
2.9 Innovate Finance welcomes the regulators’ consideration of minimum resilience standards to guide firms. Consideration of the following factors can deliver an effective regime that would encourage innovation and competition:
- a) a risk-based approach based on firms’ own risk assessments;
- b) alignment to industry and non-financial services standards to ensure consistent adoption;
- c) agnosticism to the technology and providers used; and
- d) operational feasibility of the regime for both CTPs and firms.
2.10 Lastly, we encourage the authorities to make sure that the final rules contain provisions making clear that CTPs are solely responsible and accountable for complying with their own regulatory obligations. That is, CTPs should not be allowed to delegate any of these responsibilities to financial services firms. For example, the rules should be clear that financial services firms are not responsible for validating the identification of systemically material services by CTPs.
- Criteria for identification (Qs 5, 6, 9)
3.1 The DP's proposed criterion for designation of a third party as ‘critical’ is that HM Treasury (HMT) is satisfied (following consultation with the supervisory authorities, or on their recommendation) that a failure in, or disruption to, the provision of the services that a CTP provides to firms and FMIs (either for individual services or, where more than one service is provided, taken together) could threaten the stability of, or confidence in, the UK financial system. HMT and the authorities will also consider the systemic risks that CTPs pose to market integrity and consumer protection.
3.2 We agree with the categories (materiality, concentration and potential impact) proposed in the paper to recommend a third party for designation as a CTP. However, given the breadth of the criteria for designation, we strongly recommend that the regulators clarify the definitions of the factors chosen for each category.
3.3 At the same time, when designating certain third parties as CTPs, we expect the designation criteria to:
- a) focus primarily on institutions that are absolutely critical to the day-to-day provision of services by regulated financial services firms (e.g. major cloud service providers); and
- b) exclude service providers that only assist with the initial and/or ancillary parts of a firm's customer journey (e.g. the onboarding / 'know your customer' process), because discontinuance of such services at a later stage of the customer journey would be unlikely to create systemic risk.
3.4 We believe that the European Banking Authority (EBA) Guidelines on Outsourcing Arrangements are an appropriate guide in determining the criticality or importance of a service provided by a third party. They set out the principal factors that firms should consider, namely:
- a) the ability of a firm to transfer the proposed service to another service provider;
- b) the ability of a firm to reintegrate the service into the firm; and
- c) whether the service is directly connected to the provision of the banking/payment activities for which the firm is authorised, etc.
3.5 We would recommend that HMT and the financial services regulators consider these factors when designating certain third parties as CTPs, particularly as they provide consistency with other existing regulatory frameworks.
3.6 It will be important that any quantitative criteria do not lead to ‘cliff-edge’ thresholds for a CTP. In addition, illustrative examples and explicit guidance will be important aids to understanding what might amount to a CTP — for both CTPs and their regulated customers.
3.7 We also recommend that the proposals should flag relevant supervisory concerns regarding CTPs that financial services firms should address in the design of their business models and in their applications for authorisation.
- Consistency with other initiatives (Qs 3, 20)
4.1 The need for globally consistent standards is well recognised given the international nature of much business activity and the financial services that support it. This is the case for both financial services and cloud adoption. The DP highlighted the importance of international workstreams and standards (see also the results of the Financial Stability Board's public consultation on outsourcing and third party relationships from June 2021).
4.2 We welcome the references to similar initiatives around the world in the DP, and in particular, to the Digital Operational Resilience Act (DORA), which creates consistent requirements for all states that are part of the European Economic Area (EEA).
4.3 We think it is important that designation and the obligations that are imposed on CTPs in the UK should be implemented on an outcomes basis that follow a similar approach to that in the EEA (and beyond to the extent possible). This will support consistent approaches, and encourage service providers to continue to see the UK as a place to develop services that support the FinTech market, such as cloud and other digital technologies.
4.4 These considerations also matter for regulated firms in the UK who may wish to export software-as-a-service type products and services based on their UK success. Therefore, we urge supervisory authorities to collaborate with each other to ensure a harmonised approach.
4.5 We suggest the supervisory authorities also consider the extent to which mutual recognition of requirements in other jurisdictions may assist in keeping costs down and improving productivity for both third-party providers and the FinTechs to whom these costs are passed.
4.6 Furthermore, as mentioned above, as third parties do not usually deal exclusively with the financial services sector, any new regulatory obligations placed on CTPs should be aligned with relevant non-financial services standards. This will also help facilitate consistent adoption across the board.
4.7 One area for further consideration is improving or enhancing systemic CTP (especially Big Tech) accountability and responsiveness to regulated-firm customers. Rules and standards could include obligations for CTPs to respond to these customers in a timely fashion, particularly in instances where cooperation or response to an urgent regulated customer request relates to a payment scheme Service Level Agreement or a strict regulatory timing obligation (e.g. resumption of a service within two hours).
- Concentration risk (Q6)
5.1 We agree with the definitions of concentration risk in CTPs and common service providers to CTPs. These include concentration risk from:
- a) the number, type and significance of the firms and FMIs that rely directly on a given third party for material services;
- b) indirect dependencies; and
- c) aggregation risk.
However, we believe that there are additional indicators that could be considered, which we describe below.
5.2 We also agree that firms and FMIs that rely on the services of a third party are best placed to assess the potential impact of a CTP’s failure or a disruption to its services to the firm. The supervisory authorities’ judgement of the potential impact of third parties’ failure or disruption should therefore be heavily informed by firms’ and FMIs’ assessments, including the results of their testing of:
- a) business continuity and exit plans for material outsourcing and third party arrangements; and
- b) severe but plausible scenarios (extreme but plausible scenarios in the case of FMIs) under the supervisory authorities’ operational resilience framework for firms and FMIs.
5.3 We consider that a useful challenge to the proposed framework would be to assess to what extent it encourages diversity of outsourced service provision to regulated financial services firms, and to what extent it does not:
- a) inadvertently create new barriers to entry that reward established players;
- b) encourage CTPs to exit service provision to regulated firms; and
- c) stimulate internalisation of activities in firms which could be disproportionately expensive, especially for new and small, growing firms.
5.4 We think it important that final proposals for assessing concentration risk and potential impact distinguish between gross and residual risk to firms and to the system. Risk management by a firm reduces the potential impacts of CTP concentration risk on a firm. Although firms are not in a position to assess systemic CTP concentration risk, they control and mitigate their own risks from outsourcing, for example, offshoring risk, cyber security, and risks to sensitive personal data.
5.5 Although supervisors do not require firms to pursue multi-vendor strategies, viable substitutability for CTP services can often be an important firm-level mitigant. Clearly, even if a regulated firm finds that substitution is unviable, its supervisors may still recommend remedial action.
5.6 Where a supervisor has concerns over a firm’s outsourcing risk management, the supervisory assessment of residual risk of using a CTP should increase and feed into the overall assessment of systemic risk for the CTP. This should create incentives for the CTP to support its regulated customers in managing their CTP risk.
5.7 We believe that the list of indicators for concentration risk as outlined in the DP could be extended. Other indicators to consider include:
- a) limited number of suppliers that are able to provide specific outsourced services;
- b) the duration of relationships between a CTP and firms. Experience from other sectors shows that long-term relationships between suppliers and customers can lead to relaxation of risk controls and weaker independent challenge in risk assessments;
- c) from an industry perspective, exceptional levels of profitability in CTPs from their regulated financial services customers could indicate systemic risks and/or lack of competitiveness in service provision. The Competition and Markets Authority (CMA) could provide guidance on relevant indicators; and
- d) complexity and breadth of the services provided (as this can reduce the ability of a firm to switch providers).
- Engagement with supervisory authorities (Q 21)
6.1 We note the proposals to require CTPs to engage with regulators both proactively and after incidents have occurred. Whilst we support this, we are mindful that authorised FinTech firms are subject to their own notification and engagement obligations. We would encourage the supervisory authorities to consider the unintended consequences that such CTP obligations may have on a regulated firm’s relationship with its supervisors. We recommend the supervisory authorities consider how the existing notification frameworks that operate in a multi-firm environment may be leveraged to address such concerns.
6.2 The proposed statutory powers over CTPs may include requiring specified remediation actions, for example, restrictions on the provision of services, and public censure. We appreciate that these powers will be necessary for the regime to have teeth. However, such actions are likely to have knock-on consequences for CTP customers which could harm the ability of regulated firms to continue operations.
6.3 We recommend the supervisory authorities carefully evaluate how unintended consequences from remediation actions could be avoided by considering how potentially affected firms would be notified and involved in the process.
6.4 Supervisory practices will need to evolve in line with changes and advances in digital practices for the supervisory frameworks to remain effective and efficient, and to maintain high levels of security for service providers and financial services firms. Therefore, we recommend that, when supervisors are gathering and handling evidence, both within the financial services sector and beyond, such as the IT sector which provides cloud computing services to a diverse group of clients, they consider harnessing new or evolving solutions without creating new security risks for both CTPs and their customers.
- Unintended consequences (Q8)
7.1 We welcome the idea of designating certain CTPs as systemically important. But whilst the paper acknowledges that the designation of CTPs will complement the approach taken to firms' outsourcing/operational resilience requirements, we wish to highlight the risk of unintended consequences from designation.
7.2 CTPs provide benefits and advantages to regulated firms, customers, and the financial services sector as a whole. Reduced use of a CTP and increased in-house provision would have corresponding disadvantages, such as additional costs or slower time to market, that could have a particularly serious impact on early-stage firms and innovation. This would create a barrier to entry for small firms because only large established firms would have the resources to bring CTP activities in-house.
7.3 Whilst increasing use of non-CTP service providers may support diversity of service providers and reduce concentration risk, it may also result in firms relying on third parties who are less able to manage or afford the controls that help mitigate risk in their particular service sector (e.g. cyber security). Systemic risk could increase if designation served to:
- a) incentivise de-risking — i.e. encourage certain providers to stop or limit their services to the financial services industry (or a part of the sector) if designation is applied too freely, or comes with too heavy a regulatory burden; or
- b) increase costs for CTPs which are ultimately passed on to their clients but which are not balanced with corresponding benefits — which may make it harder for new market entrants and existing start-up and scale-up firms in the UK to rely on them.
7.4 We recommend that the cost-benefit analysis in the consultation paper includes qualitative and quantitative assessments of the potential impacts on new market entrants, start-up and scale-up firms who use the services of third party providers that may soon be designated as CTPs. This assessment methodology should gauge the impacts on competition, innovation and the international competitiveness of the UK as a place to grow and scale a FinTech business.
7.5 Further, the regulators’ existing and soon-to-be-extended secondary objectives place a focus on promoting innovation, competition and international competitiveness for the benefit of consumers and wider market integrity and stability. Often in the early stages a new firm relies on outsourced services such as cloud services and application development to complement its in-house capabilities. We recommend the supervisory authorities adopt a proportionate approach to any additional obligations firms may have to comply with in relation to CTPs, and provide appropriate exemptions and lighter-touch requirements for small firms using CTPs, while avoiding cliff-edge transition points.