Regulation, Jan 13 2020

What the regulators plan for operational resilience

  • Describe what the new proposals on operational resilience mean
  • Describe where the FCA and PRA differ in their outlook
  • Identify whether there are extra costs involved
CPD: approx. 30 min
  • Firms need to consider whether they have the human capital to navigate the challenges ahead. Given the complexity, proper assessment and supervision of third-party dependencies requires highly skilled personnel at firms. Yet, as the Financial Stability Board has observed, it may be challenging to hire and retain such talent and particularly burdensome for small and medium-sized firms.
  • Industry trends show that firms are increasing their use of third parties to deliver services and that new and more complex interdependencies may be emerging. There is an inherent tension within the CPs: on the one hand, firms are encouraged to invest in new solutions to fix outdated infrastructure, but on the other hand, they are challenged on their ability to oversee third-party suppliers.
  • Moreover, there is a risk that as technology advances, knowledge asymmetries develop between firms (which may struggle to keep up with the pace of technological development and consequently the investment required in the technical side of outsourcing oversight and mitigating measures) and third-party providers. 
  • Even assuming firms overcome this hurdle, as they will have to do if they are to comply with the Regulators’ expectations, increased reliance on third-party providers’ services will present additional challenges to firms’ compliance with the operational resilience requirements. For example, firms are required to test their ability to deliver important business services within impact tolerances in severe but plausible disruption scenarios. For firms that use third parties to deliver important business services, either wholly or in part, it may be difficult to test how effectively such third parties will respond to incidents.
  • The PRA has said that firms should, at a minimum, monitor not only outsourced service providers but also sub-outsourced service providers involved in the provision of important business services. This suggests a greater level of oversight by firms over sub-outsourced service providers than generally exists at present, and raises several questions over how control and responsibility for sub-outsourced service providers will be shared between firms and service providers.
  • At an EU level, there has been a raft of recent and pending regulation on recovery and resolution, outsourcing and cloud, governance, and cyber risk that covers much of the same ground. It will be a challenge for firms to simply piece together the regulatory landscape as it develops in the year ahead and to implement this “operational regulation” in an efficient way.

What’s next?

The consultation closes on 3 April 2020. All regulated firms should take time to review and understand the Regulators’ proposals and what they will mean for their business, and respond where appropriate before the Regulators decide upon the final policy.

It is notable that there are significant cost implications associated with these proposals.
