Plans for new powers aim to mitigate risks stemming from overreliance on a small number of cloud operators
HM Treasury has published a guidance document entitled “Critical third parties to the finance sector: policy statement” (June 8, 2022), which responds to the concerns of UK financial regulators about the so-called “cloud concentration” risk.
The Financial Conduct Authority (FCA) has had specific advice in place regarding the use of cloud providers since 2016 and, in a demonstration of the continued review of this issue, the Bank of England’s Financial Policy Committee stated in July 2021 that “growing reliance on a small number of cloud service providers and other critical third parties could increase financial stability risks without greater direct regulatory oversight of the resilience of the services they provide”.
Regulators in the UK are increasingly concerned that, with so many financial institutions relying on such a small group of key service providers, the collapse of a single service provider could trigger the next meltdown in financial markets, where others cannot pick up the slack quickly.
The Treasury policy statement proposes the introduction of a new regulatory regime for designated cloud providers, placing the material services they provide to the financial sector under the direct supervision of the Prudential Regulatory Authority (PRA) and the FCA.
Why is the UK government introducing this new regulatory framework?
Market commentators such as S&P Global have recorded a trend over the past several years for companies to move increasing amounts of data and applications to servers operated by technology companies. According to a Competition and Markets Authority report as of April 2022, only three cloud providers “represent more than 50% of global market share”. The pandemic has accelerated the shift to cloud-based services by fuelling demand for online services more generally.
This move to the cloud is attractive to financial services firms because it eliminates the cost and security concerns of maintaining internal data servers and helps make digital services more widely available to customers and staff.
Another advantage of using cloud service providers is that companies can outsource cybersecurity to a third party with specific IT security expertise, rather than having to constantly update their own systems in the face of changing threats. The growing risk of cyber threats to supply chain operations is well documented and was highlighted in the UK National Cyber Security Centre (NCSC) Annual Review 2021. Over the past several months, the NCSC has noted that this risk continues to rise due to geopolitical issues.
While outsourcing cybersecurity to IT companies may be a wise move for financial services companies, if there are only a few such companies underpinning the financial system, a successful attack on one of them could be catastrophic. The stage would be set for potential widespread disruption of critical financial services in the event of an effective cyberattack or other outage affecting one or more cloud providers.
Regulated financial services firms must take responsibility for complying with their regulatory obligations, including their own operational resilience. When outsourcing a material service or operation (as would be the case with the use of cloud services), there are specific requirements and expectations regarding access, cooperation, record keeping, termination, supervision, data security and contingency planning – these terms are part of the new operational resilience rules which came into force on 31 March 2022. However, the UK Treasury is very clear in its advice that, while these regulatory requirements for businesses are important, they are not, on their own, sufficient to address the systemic risk that could crystallise in the event of a disruption at a third party providing cloud services to several companies.
HM Treasury is therefore proposing a new framework for the direct regulation of these critical third-party providers, intended to complement the regulation of financial services companies.
How will the new regime work?
A “designation framework” will first be defined in primary legislation. Given that critical third parties (CTPs) are primarily in the technology sector, the legislation is likely to stand on its own and not be included in a statutory regime applicable to financial services firms, such as the Financial Services and Markets Act 2000. A bespoke regime should be established such that the FCA Enterprise Principles, or the FCA Handbook of Rules and Guidance more generally, would not apply to CTPs. However, this is not confirmed in the policy statement.
The primary legislation will require HM Treasury, in consultation with the PRA and FCA, to “designate” third parties as “critical”, and those CTPs will be caught by the regime. Cloud providers with a smaller share of the financial services market will not be affected by the regime if they are not “designated”.
The PRA and FCA:
- Will be given regulatory powers to set minimum resilience standards for CTPs in relation to material services provided to the UK financial sector.
- Will be able to require CTPs to participate in a series of targeted stress tests, to assess whether these standards are being met.
- Will have information gathering (investigation) and law enforcement powers.
When will it come into force?
HM Treasury’s policy statement only says that the government intends to legislate for this new scheme “when parliamentary time permits”. Given the focus on the current heightened geopolitical risks, it is reasonable to expect that this new legislation will be given priority in the current parliament, meaning it could come into force within the next 24 months.
The PRA and FCA will publish a joint discussion paper shortly after the new legislation is introduced, outlining how they could use their new powers and seeking input from industry. Once the primary legislation receives royal assent, the regulators will publish a consultation paper on the rules they propose under their new statutory powers.
Commentary by Osborne Clarke
In the long term, the decision to regulate CTPs should help protect the stability of financial markets, as cloud services become increasingly important to the business of financial institutions. In the meantime, companies should continue to ensure that they comply with the operational resilience requirements and are working to put measures in place to stay within their impact tolerances during the current three-year transition period.