As banks increasingly rely on cloud-based technology, there are mounting concerns among lawmakers about what might happen to the financial system if one of those cloud providers were to fail.
“There’s a paranoia in government at the highest levels about the concentration among cloud providers,” says Alex Viall, director of regulatory intelligence at Global Relay. “There’s a fear about what could happen if one of those providers – Google, Microsoft Azure or AWS – gets taken out or sold to China or whatever. If a big financial market infrastructure provider has everything with one of those cloud companies and there is a failure, there are potentially many parts of the financial system that could fall apart.”
The concern has prompted the UK government to propose plans to regulate critical third parties (CTPs) that are systemically important to the functioning of the financial system and where those services are not already regulated by any of the UK’s financial watchdogs. To get the ball rolling, the Financial Conduct Authority (FCA), the Bank of England and the Prudential Regulation Authority (PRA) published a joint discussion paper in July outlining how they could oversee resilience of CTPs as part of the Financial Services and Markets Bill that is currently going through parliament, which would give the UK Treasury (HMT) final say over who and what counts as a CTP.
“Even pre-Covid the Bank of England, the FCA and the PRA had said they needed to find a way of increasing resilience in the financial sector,” points out Ben Arram, practice lead at financial services regulatory consultancy Bovill. “HMT would ultimately have the authority to designate a company as a critical third party, but they are going to be doing that on the basis of recommendations from the supervisory authorities, whether that’s the FCA, PRA or Bank of England.”
As part of that determination, the regulators are looking at three main categories: materiality, concentration and potential impact. Materiality, says Arram, looks at the dependency of firms on these third parties for the delivery of important financial services. Concentration looks at how many firms or sectors are using a particular third party. And then potential impact tries to gauge what the failure of one of these third parties would look like for the financial system as a whole and looks at whether there are things companies can do to mitigate that risk, such as how easy it would be to substitute one provider for another, says Arram.
While many expect the regulation to be targeted at cloud services providers, the discussion paper said it would be looking at non-technology providers as well. “That could include services such as cash distribution or claims management for insurers,” says Luke Scanlon, head of fintech propositions at Pinsent Masons.
Other types of financial services providers may also eventually fall within the scope, even if they escape the initial round of designations.
“It is a land grab in terms of who they want access to and be able to engage with in a more open way,” says Vidhi Mahajan, a senior associate in Ashurst’s London financial regulation practice. “The immediate priority will probably be the larger tech providers, but there is a market of financial services businesses such as trade reconciliation software providers that operationally underpin a lot of our financial markets, and there is a body of those that aren’t regulated already who could be next in the firing line.”
While there won’t be any financial penalties for CTPs that fail to comply with the regulations, they could potentially face other sanctions, such as being blacklisted from the market.
“It will be lighter touch regulation than would apply to fully authorized firms, but they can be subject to specific rules as to what they can or can’t do, information requirements, investigations and testing of resilience standards,” says Tony Watts, a financial services partner at Keystone Law. “There doesn’t seem to be any proposal for the regulators to be able to fine CTPs, but it will be possible to censure these companies and prevent them from providing their services in the future.”
Concerns about CTPs are not limited to the UK. The EU is introducing its Digital Operational Resilience Act (DORA), designed to ensure firms and CTPs providing digital services to those institutions can withstand IT-related disruptions. In October, the US Securities and Exchange Commission proposed new rules for investment advisers outsourcing certain services to third parties.
“This is definitely on the agenda globally, but cross-border poses so many challenges,” says Mahajan. “Most of these major providers are headquartered in the US, so to what extent UK regulators can monitor what is going on over there is going to be a challenge. The EU has put a pretty firm line in the sand in that firms using third parties will have to use ones that have a base in the EU, so the question is if the UK will expect providers to also have a base in the UK.”
One potential unintended consequence of the regulation is that it could deter innovative US or other non-UK fintech companies from entering the UK market just in case they find themselves caught up by the rules in the future.
“I don’t think it will ever stop your big tech companies from doing what they’re doing – they will find ways to live with this and work around it,” suggests Mahajan. “But for some smaller US-based software providers that were looking at UK expansion, they might just look at this now and say the barrier to entry is too high because they could be next in the firing line.”
The regulation may also exacerbate concentration risk by making it harder for smaller third-party service providers to grow. “There is a concern that there are perhaps too few large providers and by imposing additional costs on medium-size providers you make it harder to get more sizeable providers,” says Michael Lewis, a partner at Osborne Clarke.
Another potential issue is around cost, with financial services providers’ customers ultimately likely to be expected to indirectly pick up the tab.
“There will undoubtedly be an additional compliance cost that will be imposed on the third-party service providers, and who will bear that cost?” asks Lewis. “It’s unlikely to be the third-party service providers, they are likely to pass it on to the firms, which in turn will pass it on to their own clients.”
The regulation might not have any direct impact on financial institutions, but it could have potentially beneficial knock-on effects, such as helping tech providers better understand the regulatory issues facing banks.
“There’s some debate about how much difference it will make,” says Scanlon. “It doesn’t change the accountability of financial institutions at all, but there is hope it will lead towards more standardization and that providers will understand why financial institutions are asking outsourcing providers for audit rights and to participate in their business continuity tests.”
There is also an argument that it could help make contracts between banks and big tech companies fairer.
“In theory it would give regulated firms more leverage over CTPs when it comes to them agreeing on terms and conditions,” explains Viall.
While it may be some time before a decision is made on which firms will be designated as CTPs (comments for the discussion paper were due by December 23, with a consultation paper expected after that), market participants should start thinking about how changes might impact them, says Arram.
“These are things that firms don’t want to be looking at further down the line, now’s probably the time to start thinking about it and planning,” he says.