Are you operationally resilient? And can you demonstrate it?
Ensuring institutions have sufficient operational resilience to safeguard the stability of the financial system has become a key concern for regulators in Europe. Outsourcing and vendor management are a particular focus.
For the continent’s fund administrators and IT service providers, the increased regulatory scrutiny will have both compliance and commercial ramifications – offering a competitive edge to the strongest vendors.
Cross-Industry Guidance on Outsourcing
The Central Bank of Ireland published its final Cross-Industry Guidance on Outsourcing (following Consultation Paper 138 on the topic) on 17 December 2021. In it, the Bank set out its expectations for how regulated financial service providers (RFSPs) should manage outsourcing risk.
“The Central Bank is strongly focused on outsourcing due to its increasing prevalence across the financial services sector and its potential, if not effectively managed, to threaten the operational resilience of financial service providers regulated by the Central Bank (‘regulated firms’) and the Irish financial system,” the Guidance stated. “Robust and effective outsourcing risk management within regulated firms supports the financial and operational resilience of these firms and consequently facilitates financial stability aims.”
The Guidance requires that regulated firms have effective governance, risk management and business continuity processes in place around their outsourcing arrangements (which includes information and communications technology (ICT) providers) to “mitigate potential risks of financial instability and consumer detriment.”
Firms’ outsourcing strategies must be documented and aligned to their business strategy, business model, risk appetite and risk management framework. Boards and senior management are ultimately responsible and accountable for “effective oversight and management of outsourcing risk within their business.”
Operational Resilience Guidance
In the same month, the Irish Central Bank also released its Cross-Industry Guidance on Operational Resilience (its follow-up to CP140). The aim is to mitigate risks that could cause prudential or consumer harm, or impact overall financial stability, so that the financial system can “better withstand future shocks and crises and to limit the impact of such events.” Potential events can range from technology failures and cyberattacks to natural disasters and pandemics.
Flexibility is key. “Resilience is not about what happens to a firm, but rather, how a firm is able to withstand and respond to an incident when it does occur,” the Central Bank noted.
The Guidance focuses on how to prepare for, respond to, recover and learn from an operational disruption, with the Bank’s operational resilience expectations built around three pillars:
- Identify and Prepare – tasks include identifying critical/important business services; how the services are delivered and any third-party dependencies associated with them; developing impact tolerance metrics; and testing resilience strategies to ensure each firm can remain within those impact tolerances.
- Respond and Adapt – ensuring business continuity management, incident management and internal/external crisis communication plans are fully integrated into a firm’s overarching Operational Resilience Framework.
- Recover and Learn – firms should learn from past experiences and strive for continuous improvement by conducting a lessons-learned exercise after a disruption to improve their ability to adapt and respond to future events.
The Bank expects regulated firms to be actively addressing operational resilience vulnerabilities and be able to evidence their actions/plans within two years of the guidance being issued (i.e. by December 2023) at the latest.
Digital Operational Resilience Act (DORA)
Strict operational resilience stipulations are also being introduced at European Union level.
The cross-sector Digital Operational Resilience Act (DORA), which will come into effect on 17 January 2025, affects all regulated financial firms, including banks, traditional and alternative investment firms, insurers, crypto-asset service providers, cloud service providers and ICT third-party vendors. And because it’s a regulation, it is directly applicable in all EU member states.
DORA aims to combat technology and cyber risk by demanding all firms can withstand, respond to and recover from operational disruptions and threats caused by cyber security and ICT issues.
The requirements centre on five areas: ICT risk management to protect ICT assets and prevent incidents; reporting on ICT-related incidents; digital operational resilience testing (with the introduction of threat-led penetration testing for larger firms); oversight of Critical Third-Party Providers (CTPPs) and management of third-party risk when outsourcing; and information and intelligence sharing.
Since DORA applies to firms operating in the EU, entities in the UK and beyond that engage in activities within EU jurisdictions will find themselves in scope. A UK version of DORA – aimed at supporting resilient outsourcing to technology providers by the financial services sector – is also in the offing.
Partnering With Regulatory-Ready Providers
While the compliance responsibility for these rules ultimately falls on the regulated firms, outsourcing providers that can demonstrate they are ready to meet the regulators’ requirements – by being SOC 1 ready, for example – will be in a much stronger competitive position to win and retain that business. Demonstrable resilience, and a partnership approach to alleviate client concerns, will be fundamental selection criteria in this new world order.
ABOUT DEEP POOL
Deep Pool is the #1 investor servicing and compliance solutions supplier, providing cutting-edge software and consulting services to the world’s leading fund administrators and asset managers. Our flexible solution suite, developed by an experienced team of accountants, business analysts and software engineers, supports offshore and onshore hedge funds, partnerships, private equity vehicles, retail funds and regulated financial firms. Deep Pool is a global organisation with offices in Dublin, Ireland, the United States, the Cayman Islands and Slovakia. For more information, visit: www.deep-pool.com.