What all banks and financial institutions dread in the ‘always on’ world of digital banking is the message “we’re sorry, we’re having problems right now” being displayed to every customer. It is something the regulators are concerned about too.
The end of March 2021 saw the Supervisory Statement SS2/21 (Outsourcing and third party risk management) published by the Bank of England Prudential Regulation Authority (PRA), following a consultation paper at the end of 2019. It is linked to a second statement, SS1/21 (Operational Resilience: Impact Tolerances for Important Business Services). Effective from 31st March 2022, this second statement requires firms to identify their important business services, set an “impact tolerance” for each of them, and map and test the resources that support each service against “severe but plausible” disruption scenarios, with measures in place to ensure the tolerances will not be breached. This is a sizeable exercise that requires early project planning to be in place well before the effective date. Firms must then be able to remain within the identified impact tolerances (including bringing recovery times back within them) by, at the latest, 31st March 2025.
Four years might seem a long way off, but the planning is substantial, and this is the focus of regulators.
SS2/21 brings outsourcing arrangements into the SS1/21 risk mapping exercise. This complements the requirements on operational resilience set out in the PRA Rulebook and in the statement on operational resilience. It also details the route by which the European Banking Authority (EBA) Outsourcing Guidelines (alongside the EBA guidelines on information and communication technology and security risk management) are implemented into the PRA’s expectations. Given that, in a post-Brexit world, the ESMA and EIOPA guidelines fall away, SS1/21 and SS2/21 deliver a set of requirements that the PRA views as “at least equivalent” to those European provisions, with broadly similar timetables. It is interesting to note, especially here at Eurobase, that these Supervisory Statements apply equally to insurers and reinsurers as well as banks.
The European Union arrangements were finalised in December 2020 when ESMA published the final Cloud Outsourcing Guidelines (COGs).
“The purpose of the COGs is to provide supervisory expectations to identify, mitigate and manage cloud outsourcing as well as “software as a service” (SaaS) specific risks generally but specifically for “critical and important functions” and to support a convergent approach to the supervision of cloud outsourcing arrangements by EU and national competent authorities.”
Dentons, “ESMA publishes final cloud outsourcing guidelines: what do firms need to do to prepare?”: https://www.dentons.com/en/insights/alerts/2021/january/25/esma-publishes-final-cloud-outsourcing-guidelines-what-do-firms-need-to-do-to-prepare
The COGs were originally intended to enter into force at the beginning of January 2021, but the final version enters into force on 31st July 2021 and applies to all cloud outsourcing arrangements that firms enter into, renew or amend on or after that date.
The PRA doesn’t care whether the arrangement meets the definition of outsourcing.
In the UK, any outsourcing arrangements entered into on or after 31st March 2021 should meet the expectations in SS2/21 by 31st March 2022. As for legacy outsourcing arrangements (those entered into before 31st March 2021), firms should review and update them to meet SS2/21 at the next appropriate contractual renewal or revision point, as soon as possible and ideally before March 2022. Those who are not yet well advanced in their EBA remediation programmes may be relieved that forbearance might be available on the March 2022 date for legacy contracts. Note, however, that the PRA has stated that it expects an assessment of the materiality and risks of every third-party arrangement, regardless of whether it fits the usual definition of “outsourcing”. Balancing that, another piece of good news is that SS2/21 does not add requirements beyond those in the EBA guidelines, so it is the expanded scope of services covered, extending to all third-party arrangements, that firms need to contend with.
London branches of overseas firms will also need to be aware of the “intra-group” provisions when outsourcing or entering into third-party arrangements with group entities. Such arrangements should be treated the same as those with external service providers and should not be assumed to be inherently less risky. Finally, SS2/21 places responsibility under the Senior Managers and Certification Regime (SMCR) on boards and Senior Managers, particularly those holding Senior Management Functions (especially SMF24, the Chief Operations function), and this accountability cannot be outsourced.
“Sitting on your hands and only doing what has to be done is increasingly perilous. Those that believe their in-house spreadsheets and manual processes are immune are in just as much danger as those who don’t have resilient solutions in place surrounded by good governance. Instead, treasury departments need a strategic solution to address these problems efficiently”. Dhavarajh (Dav) Frank – General Manager Banking at Eurobase
Rising above the detail of SS2/21, one can see it has its DNA in the “Future of Finance” report and the Bank of England’s response to it. Within that, the cloud is becoming a more prominent part of the discussion. SS2/21 sets out its expectations in order to facilitate greater resilience and the adoption of the cloud and other new technologies. As stated in the response:
“Speed and agility is crucial to compete in today’s often global and instant marketplace. Cloud service providers offer ready-made solutions that can accelerate time to market. With the benefit of their scale, they also offer leading-edge analytics, enabling businesses to learn and adjust their business models almost in real time. And they can offer greater resilience. And as customer expectations rise, businesses are increasingly choosing to harness artificial intelligence and the cloud to improve the user experience continuously.”
This should inform the debate about the appropriateness and security of moving to the cloud. Given recent events, we expect to see a significant acceleration in moving a substantial number of key arrangements to the cloud. Using cloud technology has always been seen in terms of risk and reward: the rewards are known and understood, but the risks have been less well understood. Recent events have made much more data and analysis available, so a sensible balance can now be struck, which will propel further adoption. Applications suitable for cloud deployment, such as Treasury Management, can be delivered as ‘off the shelf’ services tailored to meet specific needs, providing value that is difficult to match.
If you wish to discuss this new approach, we would be happy to share our experience and expertise with you, and in the meantime, some useful links to the relevant resources are below.
Further Reading:
- PS7/21 ‘Outsourcing and third-party risk management’
- Supervisory Statement 2/21 – March 2021 (PDF)
- Future of Finance: Review on the outlook for the UK financial system (bankofengland.co.uk)
- The Future of Finance - our response | Bank of England