Over this series of three short blogs (all posted today), I've begun to explore different aspects - Governance, Risk Tolerance and Outsourcing - of the regulators’ recent consultation papers on operational resilience and their potential impact on firms and the industry as a whole.
Firms' increasing reliance on third party providers is obviously relevant to both governance and risk tolerances, the subjects of the first two blogs in this series, but is important enough to warrant its own. The main reason is that outsourcing most clearly exposes the UK regulators’ direction of travel, and best illustrates why operational resilience may be a defining regulatory theme of the coming decade.
Below are four areas where the proposals for outsourcing offer important signposts for the future shape of UK regulation:
1. Global approach: The proposals are explicit in their alignment both with equivalent EU standards and with the G7’s “Fundamental Principles” document published in October 2018. This sits alongside commitments to work with the Basel Committee and the IAIS, the global standard setters for banking and insurance respectively.
2. Broader perimeter: The main difference between these proposals and the draft EU guidelines is the extension of the UK proposals to all outsourcing arrangements, not solely the Cloud; this is a major extension of scope. The headline reasons given are clarity and consistency, but within the text there are hints of some of the deeper rationale. These include references to intra-group outsourcing and “sub-outsourcing” - where outsource providers then outsource again. The text also mentions, for example, the sharing of data with third parties (e.g. via APIs) and the purchase of third-party artificial intelligence/machine learning (AI/ML) models. All in all, this feels like an attempt at an unusually comprehensive approach, one with no obvious exclusions.
3. Deeper granularity: The eye-catching proposals here are about firms maintaining their own Outsourcing Registers, which they would keep updated via an online portal. Just as important, however, are the references to the importance of consistency in the qualitative information firms provide in the Register, and to the desire to improve the consistency of firms’ materiality assessments during the pre-outsourcing phase. This gradual push towards more precise definitions and greater granularity is in line with three longer term trends - i.e. the regulators’ ultimate goal of common industry standards; the creation of an ever more level playing field between firms; and the aim of making the UK Rulebook more machine readable.
4. Greater information rights: At a future point, I hope to write in more depth about what these proposals might mean for UK regulators’ approach to the Cloud and, in particular, their focus on the systemic concentration risk created by the heavy reliance on a small number of Cloud providers. This was also one of the key areas tackled by the recent Treasury Select Committee (TSC) report, to which the UK regulators have promised a full response. For now, however, it’s worth noting the expectation that firms, in their contracts with outsourcers, will include rights for the UK regulators to have access to relevant information. As a future regulation, this would have a Trojan Horse feel about it: a clause in a private contract between firm and provider becomes the route by which regulators gain visibility into providers they do not directly supervise.
The shape of UK regulation post-Brexit remains unclear of course – the debate, as to whether the UK becomes a low regulation “off-shore” competitor to the EU, or doubles down in its traditional role of helping to raise and to level international standards, is largely still to be had. But it is clear from these proposals that UK regulators see operational resilience as one of those areas, like climate change, where the latter model is a better fit.
If you would like a longer discussion about any of these areas, please get in touch at firstname.lastname@example.org.
The Bank of England, PRA and FCA have today published a shared policy summary and co-ordinated consultation papers on new requirements to strengthen operational resilience in the financial services sector.