The approach in the CPs reflects the Regulators’ concern that firms’ dependencies on outsourced service providers are increasing and that poor governance of those arrangements may lead to, or amplify, insufficient operational resilience in firms.
The Regulators’ expectations here are clear: firms should effectively manage their use of third parties to ensure that they can meet the required standard of operational resilience and firms should be able to remain within impact tolerance for important business services, irrespective of whether or not they use third parties in the delivery of these services.
The FCA is proposing that it will provide “individual guidance” as to whether a firm’s compliance with the new rules is adequate and, if necessary, require a firm to take the necessary actions or steps to address any failure to meet the requirements.
FCA-regulated firms already have experience of this method of supervision with regard to compliance with capital requirements and are therefore likely to be familiar with the associated risk that the FCA can issue individual guidance that is not wholly appropriate for the particular firm.
While there is some scope for firms to discuss individual guidance with the FCA before any action is taken, ultimately if the FCA and the firm still do not agree, the FCA may use other tools available to it to require the firm to take specific steps in line with the FCA’s view.
The PRA plans to continue to use a wide range of existing tools and powers to support its supervision of operational resilience, including for example the senior managers’ regime, and its powers under section 166 of the Financial Services and Markets Act to require skilled persons’ reports.
- Firms need to consider whether they have the human capital to navigate the challenges ahead. Given the complexity, proper assessment and supervision of third-party dependencies requires highly skilled personnel at firms. Yet, as the Financial Stability Board has observed, it may be challenging to hire and retain such talent and particularly burdensome for small and medium-sized firms.
- Industry trends show that firms are increasing their use of third parties to deliver services and that new and more complex interdependencies may be emerging. There is an inherent tension within the CPs: on the one hand, firms are encouraged to invest in new solutions to fix outdated infrastructure; on the other, they are challenged on their ability to oversee third-party suppliers.
- Moreover, there is a risk that, as technology advances, knowledge asymmetries develop between firms and third-party providers, as firms may struggle to keep up with the pace of technological development and with the investment required on the technical side of outsourcing oversight and mitigating measures.
- Even assuming firms overcome this hurdle, as they will have to do if they are to comply with the Regulators’ expectations, increased reliance on third-party providers’ services will present additional challenges to firms’ compliance with the operational resilience requirements. For example, the proposals require firms to test their ability to deliver important business services within impact tolerances in severe but plausible disruption scenarios. For firms that use third parties to deliver important business services, either wholly or in part, it may be difficult to test how effectively such third parties will respond to incidents.
- The PRA has said that firms should, at a minimum, monitor not only outsourced service providers but also sub-outsourced service providers involved in the provision of important business services. This suggests a greater level of oversight by firms over sub-outsourced service providers than generally currently exists and raises several questions over how control and responsibility for sub-outsourced service providers will be shared between firms and service providers.
- At an EU level, there has been a raft of recent and pending regulation on recovery and resolution, outsourcing and cloud, governance, and cyber risk that covers much of the same ground. It will be a challenge for firms to simply piece together the regulatory landscape as it develops in the year ahead and to implement this “operational regulation” in an efficient way.
The consultation closes on 3 April 2020. All regulated firms should take time to review and understand the Regulators’ proposals and what they will mean for their business, and respond where appropriate before the Regulators decide upon the final policy.
It is notable that there are significant cost implications associated with these proposals.
The FCA estimates a total cost of £492.3m for firms to implement the proposals and that FCA-regulated firms will also incur ongoing annual costs of £231.3m.
Large PRA-regulated firms each stand to incur between £850k and £1.9m in implementing the proposals and annual ongoing costs of between £400k and £800k. Small PRA-regulated firms’ likely costs are £100k to £500k to implement, and £50k to £200k annually to maintain compliance.
While the final policy has yet to be determined, it is evident that clearly outlined contractual and operational responsibilities will be critical to protecting operational resilience and demonstrating compliance with the regulatory requirements.